It's always a good day when we remember that custom regex filters and hardcoded default secrets are the load-bearing pillars of the internet.
🔥 Regex Strikes Again
Someone thought writing custom IP blocklists with regular expressions was a good idea, and now AVideo is bleeding cloud credentials. The unauthenticated LiveLinks proxy tries to block local metadata queries by matching IPv4 strings like `169.254.x.x` and standard IPv6 loopbacks. The bypass? Just feed it an IPv4-mapped IPv6 address like `::ffff:169.254.169.254`. Since the custom regex ignores mapped prefixes entirely, the request sails right through to the AWS metadata service.
If you are running this in an AWS environment with IMDSv1 still enabled, this drops your temporary IAM role credentials directly into an attacker's lap.
- Force IMDSv2 across your AWS accounts immediately so the metadata service requires a session token before it hands out anything.
- Stop writing custom IP filters. Rely on your language's built-in IP parser and its flags for rejecting private and reserved ranges, and normalize IPv4-mapped IPv6 addresses to the IPv4 address they carry before classifying them.
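The difference between the two approaches, as an added example that is not AVideo's code: `regex_blocks` is a constructed string-prefix blocklist in the spirit of the filter described above, and `parser_blocks` is the replacement that parses first, unwraps IPv4-mapped IPv6 addresses via `ipaddress`, and then asks the library which ranges the address belongs to. Function names and the sample addresses are this example's own.

```python
import ipaddress
import re

# Constructed approximation of a string-based blocklist; not AVideo's actual regex.
# It only recognises the literal spellings its author thought of.
_BLOCKED_PREFIX_RE = re.compile(
    r"^(127\.|10\.|169\.254\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|::1$|fe80:)",
    re.IGNORECASE,
)


def regex_blocks(target: str) -> bool:
    """String matching: '::ffff:169.254.169.254' starts with none of the prefixes."""
    return _BLOCKED_PREFIX_RE.match(target) is not None


def parser_blocks(target: str) -> bool:
    """Parse, normalise, then classify. Unparsable input is rejected, not allowed."""
    try:
        addr = ipaddress.ip_address(target.strip("[]"))
    except ValueError:
        return True
    # ::ffff:a.b.c.d reaches the same host as a.b.c.d, so classify the embedded
    # IPv4 address rather than the IPv6 wrapper the regex never looked inside.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return (
        addr.is_private      # RFC 1918 and, for IPv4, 169.254.0.0/16 link-local
        or addr.is_loopback
        or addr.is_link_local
        or addr.is_multicast
        or addr.is_reserved
        or addr.is_unspecified
    )


def compare(target: str) -> dict:
    """Side-by-side verdict for one address literal."""
    return {"regex": regex_blocks(target), "parser": parser_blocks(target)}


if __name__ == "__main__":
    # Constructed sample inputs: the metadata address in plain and mapped form,
    # loopback, and a public address in plain and mapped form.
    for sample in ("169.254.169.254", "::ffff:169.254.169.254", "::1",
                   "8.8.8.8", "::ffff:8.8.8.8"):
        print(f"{sample:28} {compare(sample)}")
```

Note that this classifies an address literal only. If the proxy accepts hostnames, resolve the name first, run every returned address through the same check, and connect to the address you checked rather than resolving again, so a DNS answer cannot change between the check and the request.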
📖 Open Book Pagination
Ory Kratos just reminded everyone why default encryption keys are a terrible idea. They shipped their `ListCourierMessages` Admin API with a publicly known default secret for signing pagination tokens. Because the default secret is literally public knowledge, attackers do not have to leak or brute-force a single key to own your database. They just forge a malicious token offline, sign it with the default key, and fire it at your Admin API to inject arbitrary SQL.
If your deployment is running on the default config with an exposed Admin API, an attacker has full control over your database queries.
- Do not wait around for a software patch. Generate a random 32-byte string and drop it into your `secrets.pagination` configuration right now.
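Why a known default secret is equivalent to no secret, and what the fix looks like, as an added example that is not Kratos' code: a pagination token is an HMAC-SHA256 signature over a small JSON cursor, so whoever holds the signing key can mint tokens the server will trust. `PLACEHOLDER_DEFAULT_SECRET` is a constructed stand-in for a shipped default (not the real value), `forged_token_accepted` shows a token minted with only that default being accepted by a server that never changed it, and `generate_pagination_secret` produces the random 32-byte value the advice above calls for. The token layout, field names and the 10,000 cap are this example's own assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed placeholder standing in for a shipped default; not the real value.
PLACEHOLDER_DEFAULT_SECRET = "default-pagination-secret-placeholder"


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(offset: int, limit: int, secret: str) -> str:
    """base64url(JSON cursor) '.' base64url(HMAC-SHA256). Anyone holding `secret` can mint."""
    body = _b64e(json.dumps({"offset": offset, "limit": limit}, sort_keys=True).encode())
    sig = hmac.new(secret.encode(), body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64e(sig)}"


def verify_token(token: str, secret: str) -> Optional[dict]:
    """Return the cursor only if the signature verifies and the payload has the expected shape."""
    body, sep, sig = token.partition(".")
    if not sep:
        return None
    expected = hmac.new(secret.encode(), body.encode(), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, _b64d(sig)):
            return None
        payload = json.loads(_b64d(body))
    except ValueError:  # bad base64 or bad JSON
        return None
    # A valid signature proves who minted the token, not that its contents are safe
    # to hand to the query layer: pin the shape to bounded non-negative integers.
    if not (isinstance(payload, dict) and set(payload) == {"offset", "limit"}):
        return None
    for value in payload.values():
        if isinstance(value, bool) or not isinstance(value, int) or not 0 <= value <= 10_000:
            return None
    return payload


def forged_token_accepted(server_secret: str) -> bool:
    """Simulate a party who knows only the published default and nothing about the server."""
    forged = mint_token(0, 50, PLACEHOLDER_DEFAULT_SECRET)
    return verify_token(forged, server_secret) is not None


def generate_pagination_secret() -> str:
    """32 random bytes, hex-encoded so it can be pasted into a config file."""
    return secrets.token_bytes(32).hex()


def secret_is_acceptable(secret: str) -> bool:
    """Startup guard: refuse to run on the placeholder default or on a short key."""
    return secret != PLACEHOLDER_DEFAULT_SECRET and len(secret.encode()) >= 32


if __name__ == "__main__":
    print("server on default secret accepts forged token:",
          forged_token_accepted(PLACEHOLDER_DEFAULT_SECRET))
    fresh = generate_pagination_secret()
    print("server on fresh secret accepts forged token:  ",
          forged_token_accepted(fresh))
    print("fresh secret passes startup guard:            ", secret_is_acceptable(fresh))
```

The shape check in `verify_token` is the second half of the lesson: rotating the secret closes the forgery path, but the query layer should still only ever see integers it bounded itself, so that a future key leak does not turn straight back into SQL injection.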