Vulnerability intelligence

CVE-2024-4367 is a vulnerability in PDF.js, a JavaScript-based PDF viewer. It stems from a missing type check when handling fonts, specifically during glyph path compilation for Type 1 fonts. The issue occurs in the FontFaceObject.getPathGenerator method, where font matrix values from PDF dictionaries are not properly validated before being used in JavaScript code generation. Successful exploitation of this vulnerability allows an attacker to execute arbitrary JavaScript code within the PDF.js context. This could enable malicious actors to perform actions such as spying on user activity, triggering unauthorized downloads (including file:// URLs), and leaking PDF file paths. Web applications that utilize PDF.js may be susceptible to stored Cross-Site Scripting (XSS) attacks. The vulnerability affects Firefox versions prior to 126, Firefox ESR versions earlier than 115.11, and Thunderbird versions before 115.11.

CVE-2025-43300 is an out-of-bounds write vulnerability that exists within Apple's Image I/O framework. The vulnerability can be triggered when a device processes a maliciously crafted image file, which can lead to memory corruption. Successful exploitation of this vulnerability can occur when a program writes data outside of an allocated memory buffer. This can result in the program crashing, data corruption, or potentially remote code execution. Apple has addressed this issue with improved bounds checking in multiple operating systems, including iOS 18.6.2, iPadOS 18.6.2, iPadOS 17.7.10, macOS Sequoia 15.6.1, macOS Sonoma 14.7.8, and macOS Ventura 13.7.8.

CVE-2025-55746 is a vulnerability affecting Directus, a real-time API and App dashboard for managing SQL database content. Specifically, versions 10.8.0 to before 11.9.3 are affected. The vulnerability lies in the file update mechanism, which allows unauthenticated attackers to modify existing files or upload new files with arbitrary content and extensions. These new files won't appear in the Directus UI. The issue has been patched in version 11.9.3. Attackers can exploit this vulnerability to modify existing files without updating their metadata or upload new files with arbitrary content and extensions. In certain configurations, such as those where servers serve files directly from the upload directory, attackers could upload a webshell, potentially leading to remote code execution. Attackers could also tamper with hosted documents by inserting malicious links to harvest credentials.

Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without requiring authentication. When the optional data parameter is supplied, the endpoint uses attacker-controlled flow data (containing arbitrary Python code in node definitions) instead of the stored flow data from the database. This code is passed to exec() with zero sandboxing, resulting in unauthenticated remote code execution. This is distinct from CVE-2025-3248, which fixed /api/v1/validate/code by adding authentication. The build_public_tmp endpoint is designed to be unauthenticated (for public flows) but incorrectly accepts attacker-supplied flow data containing arbitrary executable code. This issue has been fixed in version 1.9.0.

CVE-2025-54068 is a remote command execution (RCE) vulnerability found in Livewire, a full-stack framework for Laravel. Specifically, it affects Livewire v3 versions up to and including v3.6.3. The vulnerability stems from how certain component property updates are handled during hydration, which could allow unauthenticated attackers to execute arbitrary code. Exploitation requires a component to be mounted and configured in a particular way but does not require authentication or user interaction. The vulnerability lies in the `hydrateForUpdate` method within the `Livewire\Mechanisms\HandleComponents\HandleComponents` class. A specially crafted update payload can bypass validation and sanitization during the hydration process, causing the framework to interpret untrusted input as executable code. This issue has been patched in Livewire v3.6.4, and users are strongly encouraged to upgrade to this version or later as soon as possible. There are no known workarounds.

CVE-2025-43520 is identified as a memory corruption issue, specifically a classic buffer overflow vulnerability, affecting multiple Apple operating systems. These include watchOS, iOS, iPadOS, macOS, visionOS, and tvOS. The vulnerability could potentially allow a malicious application to cause unexpected system termination or write to kernel memory. Apple has addressed this issue with improved memory handling, and fixes have been implemented in various updated versions of its operating systems, such as watchOS 26.1, iOS 18.7.2 and iPadOS 18.7.2, macOS Tahoe 26.1, visionOS 26.1, and tvOS 26.1. This vulnerability has also been noted as part of the "DarkSword" exploit chain, which has been utilized by state-sponsored actors and spyware vendors.