We’re launching a series of office hours for open source maintainers! Do you need advice to secure your project’s code? Grab some time to chat with our team. Spots are limited and run until end of April github.co/36GvaIC
Pinned Tweet
Follow
GitHub Security Lab
@GHSecurityLab
GitHub Security Lab’s mission is to inspire and enable the community to secure the open source software we all depend on.
securitylab.github.comJoined October 2019
GitHub Security Lab’s Tweets
GHSL-2022-094: Remote Code Execution in discordrb - CVE-2023-28102
2
8
GHSL-2022-129: XML External Entity (XXE) injection in GeoNode - CVE-2023-26043
2
5
GHSL-2023-027: Command Injection in Cocos - CVE-2023-26493
2
4
GHSL-2023-051: Command Injection in React Native OneSignal SDK - CVE-2023-28430
3
12
Want to learn software security and have fun doing it? 🎉 🔒 Check out Secure Code Game - a FREE, hands-on training simulating what you do on a daily basis. Start playing now at gh.io/securecodegame 🎮 Read more at
41
119
🎉 Write safer code with new vulnerability prevention features in GitHub Copilot 🔒 ✅
2
11
15
Help us secure open source software by beta-testing #CodeQL for mobile application development! You can sign up for the CodeQL Swift Private Beta here:
4
7
GHSL-2023-016_GHSL-2023-018: Out-of-Bounds Read in the MIT Kerberos V5 (krb5) library
2
4
GHSL-2022-131: XML External Entities (XXE) injection in OWSLib - CVE-2023-27476
4
GHSL-2022-121_GHSL-2022-123: Multiple vulnerabilities in Apollo Configuration Management System - CVE-2023-25569, CVE-2023-25570
7
18
GHSL-2022-076_GHSL-2022-083: Multiple vulnerabilities in DataHub - CVE-2023-25557, CVE-2022-39366, CVE-2023-25559, CVE-2023-25560, CVE-2023-25561, CVE-2023-25562, CVE-2023-25558, CVE-2023-25580
2
6
Join us at to discover 4 game-changing ways developers can use AI to leverage security knowledge!
1
6
Multi-repository variant analysis lets you scale security research across thousands of repositories, giving you a powerful tool to find new vulnerabilities.
17
53
On March 13, we officially begin rolling out our requirement for all developers who contribute code on GitHub.com to enable 2FA by the end of 2023 ✨ Learn about the process & how you can help secure the software supply chain with 2FA: github.blog/2023-03-09-rai
5
60
102
FROM code SELECT vulnerability! Grab a spot for and 's CodeQL workshop at Berlin on Friday. Without prior CodeQL knowledge, learn how to identify vulnerabilities in projects. 🔗 nullcon.net/berlin-2023/id
#NullconDE2023
1
12
27
Three takeaways from security office hours with open source projects!
4
6
🔒 Our team at GitHub Security Lab discovered critical vulnerabilities in the DataHub platform! Check out our latest blog post to learn more about the security audit that helped to identify these vulnerabilities and keep your data safe:
1
23
44
Follow down the rabbit hole of an information leak on Android with the mysterious CVE-2022-25664 in the Qualcomm Adreno GPU
1
13
31
⭐#Panel alert! 💻Finding methods to make #security easy for developers + removing the disconnect🧑💻🧮+🛡️
💡Meet our panel for an insightful session : Xavier René-Corail, Marie Theresa Brosig, Santosh Yadav
✅For more updates➡️bit.ly/3wbN9Au
#NullconDE2023 #infosec
6
11
GHSL-2023-010_GHSL-2023-014: Denial of Service (DoS) and memory corruption in gss-ntlmssp - CVE-2023-25563, CVE-2023-25564, CVE-2023-25565, CVE-2023-25566, CVE-2023-25567
3
7
GHSL-2022-092: Physical memory access by untrusted app in Qualcomm Adreno GPU - CVE-2022-25664
19
37
GHSL-2022-128: Quadratic complexity algorithm in cmark - CVE-2023-22486
1
4
GHSL-2022-118: Out-of-bounds read in cmark-gfm - CVE-2023-22485
3
4
GHSL-2022-098: Quadratic complexity algorithm in cmark - CVE-2023-22484
1
3
GHSL-2022-088, GHSL-2022-089, GHSL-2022-090, GHSL-2022-091, GHSL-2022-099, GHSL-2022-109, GHSL-2022-110, GHSL-2022-111, GHSL-2022-120, GHSL-2022-126: Quadratic complexity algorithms in cmark-gfm - CVE-2023-22483
1
1
4
GHSL-2022-059_GHSL-2022-060: SQL injection vulnerabilities in Owncloud Android app - CVE-2023-24804, CVE-2023-23948
16
44
17
20
4
13
Next post is out covering getting started with and learning CodeQL goingbeyondgrep.com/posts/learning. One for Semgrep is coming next
2
13
49
In case you missed it, did it again. Bypassing OGNL sandboxes, this time for fun and charities!
14
34
Had some fun with OGNL sandboxes last year. Read how I bypassed Atlassian Confluence and Struts ones in my latest blog post
1
93
204
GHSL-2022-132_GHSL-2022-133: Server-Side Request Forgery (SSRF) and Path Injection in Metersphere - CVE-2022-23544, CVE-2022-23512
1
9
22
It turns out that the first "all Google" phone includes a non-Google bug. Join on his journey through reporting the bug, and the exploit used to gain arbitrary kernel code execution and root on a Pixel 6 from an Android app.
17
42
GHSL-2022-054: Use-after-free (UAF) in the Arm Mali Kernel driver - CVE-2022-38181
12
31
GHSL-2022-074: Arithmetic overflow in sysstat - CVE-2022-39377
2
7
GHSL-2023-004: Arbitrary file upload and download in act - CVE-2023-22726
3
11