All posts

Newest first
disclosure

Filtered on every path but one: a row-permission bypass in Hasura's computed fields

A Hasura computed field returning SETOF a table inherits that table's row permissions on selection, relationships, and aggregations. On one path, a where-clause over the field, the filter is dropped, turning it into a boolean oracle for hidden rows.

Jun 29, 2026 · 11 min read
disclosure

Privileged and unqualified: a tenant-to-pod RCE in StackGres's metrics exporter

StackGres's bundled metrics exporter opens superuser sessions into every tenant database and runs unqualified catalog SQL with no search_path pinning, so a tenant database owner can shadow a function and reach OS command execution in the primary Postgres pod.

Jun 26, 2026 · 9 min read
disclosure

Checked on state, skipped on diff: a presence authorization gap in Supabase Realtime

Supabase Realtime enforces a presence.read policy on the initial presence snapshot but not on the ongoing presence_diff fan-out, so a member allowed to broadcast but denied presence can still read every other member's presence metadata on a private channel.

Jun 25, 2026 · 6 min read
disclosure

Bounded against the wrong buffer: a heap over-read in 7-Zip's ext handler

7-Zip parses ext2/3/4 disk images by content. One attacker-controlled superblock field drives the inode-bitmap scan past a fixed-size buffer: a heap out-of-bounds read that crashes the process the moment an untrusted image is listed or extracted.

Jun 25, 2026 · 6 min read
disclosure

Guarded on read, unguarded on write: an attacker-controlled heap overflow in GraphicsMagick's PCD decoder

GraphicsMagick ported ImageMagick's out-of-bounds read fix for the PCD decoder but not the write-side bound that shipped alongside it, leaving an attacker-controlled heap overflow in DecodeImage: the un-ported other half of the same hardening.

Jun 24, 2026 · 9 min read
case-study

Minting wallet money from the open internet

A consumer fintech asked Cipher to extend a review into its infrastructure. Modeling the wallet's request flow end to end surfaced an internal money-crediting endpoint reachable, unauthenticated, from the open internet (proven with a reverted credit).

Jun 22, 2026 · 5 min read
disclosure

Bound on revoke, unbound on redemption: an OAuth client-binding flaw in ZITADEL

ZITADEL's OAuth token endpoint authenticated the calling client but never checked that the grant it was redeeming had been issued to that client. The same binding check already existed on the revoke path. One missing invariant, spanning three grant types and token exchange.

Jun 17, 2026 · 8 min read
disclosure

Vim security research: memory-safety and command-injection findings

Cipher's ongoing security research into Vim: memory-safety bugs in spell-file, soundfolding, text-property, and libsodium-decryption handling, plus command-injection and code-execution flaws in netrw and C omni-completion, all reported upstream and fixed.

Jun 16, 2026 · 8 min read
disclosure

A pre-auth crash in the 5G core: out-of-bounds read in Open5GS

Cipher reported a pre-authentication out-of-bounds read in Open5GS, the open-source 5G core. One malformed NAS message reaches the AMF before authentication and crashes it, taking service down for every connected subscriber.

Jun 5, 2026 · 4 min read
case-study

One auth flaw to full payout control: chaining five bugs in a payments platform

A field report from a cross-border payments engagement. Five findings, each a routine medium on its own, chain from an anonymous Internet request to direct money movement. The work was reading them together.

May 8, 2026 · 9 min read