ZEROPATH WALL OF FAME

Securing the world's code, one vulnerability at a time

Every vulnerability listed here has been discovered and responsibly disclosed by ZeroPath. This represents just a fraction of our ongoing mission to make open source software more secure.

24 Vulnerabilities Fixed
+25 In Disclosure Process
4 CVEs Assigned

Discovered Vulnerabilities

Each finding represents hours of research and responsible disclosure to protect users worldwide.

CVE-2025-59529 | 2024-09-16 | Uncontrolled Resource Consumption
Avahi Simple Protocol Server DoS
The Avahi Simple Protocol Server ignores the configured client limit and continues to accept unlimited connections, resulting in memory and file descriptor exhaustion. Unprivileged users can easily cause a denial of service that affects the entire mDNS/DNS-SD subsystem and related name resolution services.
Repository: lathiat/avahi

CVE Pending | 2025-11-06 | Improper Authentication
django-allauth uses mutable provider attribute as UID
The provider handler uses preferred_username from Okta and NetIQ as the canonical UID instead of the stable sub claim. Because preferred_username is mutable and not globally unique, an attacker can change it to match another account and cause account takeover or incorrect account linking.
Repository: pennersr/django-allauth

CVE Pending | 2025-11-06 | Improper Authorization
Tokens issued to disabled users due to missing account-state check
After resolving the user from device authorization data, the flow allows token minting without verifying required account state such as user.is_active. If an account was disabled after device authorization, tokens may still be issued unless downstream validators block it.
Repository: pennersr/django-allauth

CVE Pending | 2025-11-06 | Improper Authentication
Notion provider marks email as verified without validation
The Notion provider extract_email_addresses handler sets verified=true and primary=true unconditionally. It does not check an email_verified flag or other evidence that Notion verified the address, enabling account linking or creation that bypasses normal email verification controls.
Repository: pennersr/django-allauth

CVE Pending | 2025-01-22 | Insecure Direct Object Reference (IDOR)
IDOR Security Vulnerability in SuperAGI
Broken authentication flaw enabling access to tens of thousands of customers' files including secrets, business documents, and health information via /api/resources/get/{resource_id}.
Repository: TransformerOptimus/SuperAGI

CVE-2024-43035 | 2024-07-21 | Local File Inclusion
Local File Inclusion in Fonoster
A Local File Inclusion vulnerability was discovered in the Fonoster Voice Server, allowing access to system files via voice file paths due to incomplete path validation.
Repository: fonoster/fonoster

CVE Pending | 2024-09-05 | Unauthorized Access
Unauthorized Access to Any User's Jobs in LibrePhotos
Access to other users' processing jobs due to missing authorization in the job queue.
Repository: LibrePhotos/librephotos

CVE Pending | 2024-09-05 | Authentication Bypass
Token Refresh Vulnerability in LibrePhotos
Complete authentication bypass via improper token validation in the LibrePhotos project.
Repository: LibrePhotos/librephotos

CVE Pending | 2024-09-02 | Unauthorized Access
Unauthorized Conversation Deletion in RagFlow
Complete deletion of other users' chat history due to missing object-level authorization checks.
Repository: infiniflow/ragflow

CVE Pending | 2024-09-02 | Unauthorized Access
Unauthorized Canvas Deletion in RagFlow
Deletion of other users' visualization canvases due to insufficient IDOR protection on the API endpoint.
Repository: infiniflow/ragflow

CVE Pending | 2024-09-02 | Information Disclosure
Unauthorized Knowledge Base Access in RagFlow
Read access to other users' private knowledge bases due to missing tenant isolation in KB queries.
Repository: infiniflow/ragflow

CVE Pending | 2024-09-02 | Unauthorized Access
Unauthorized File Movement in RagFlow
Moving or deleting other users' uploaded files due to missing ACL checks in file operations.
Repository: infiniflow/ragflow

CVE Pending | 2024-09-02 | Information Disclosure
Unauthorized Conversation Access in RagFlow
Reading other users' private conversations due to broken access control in chat retrieval.
Repository: infiniflow/ragflow

CVE Pending | 2024-09-02 | Unauthorized Access
Unauthorized API Key Removal in RagFlow
Removal of other users' API keys due to IDOR in the key management endpoint.
Repository: infiniflow/ragflow

CVE Pending | 2024-09-02 | Information Disclosure
Unauthorized Knowledge Base Enumeration in RagFlow
Enumeration of all private knowledge bases due to missing authentication on the list endpoint.
Repository: infiniflow/ragflow

CVE Pending | 2024-09-02 | Unauthorized Access
Unauthorized Dialog Deletion in RagFlow
Mass deletion of other users' dialogs due to a race condition in the deletion endpoint.
Repository: infiniflow/ragflow

CVE-2024-9301 | 2024-09-03 | Local File Inclusion
Local File Inclusion in E2nest
A Local File Inclusion vulnerability was discovered in the E2nest project, allowing arbitrary file read via path traversal in model loading due to insufficient path normalization in config loading.
Repository: Netflix/e2nest

CVE Pending | 2024-07-22 | Remote Code Execution
Remote Code Execution in Uptrain
Remote code execution via an eval call during project creation.
Repository: uptrain-ai/uptrain

CVE Pending | 2024-08-22 | Command Injection
Command Injection in Clone-voice
System command execution via voice file metadata due to unescaped input in the ffmpeg command.
Repository: jianchang512/clone-voice

CVE Pending | 2024-08-22 | File Upload / Path Traversal
File Upload and Path Traversal in LibrePhotos
Arbitrary file write via photo upload due to insufficient path sanitization.
Repository: LibrePhotos/librephotos

CVE-2024-48946 | 2024-09-20 | Remote Code Execution
Remote Code Execution in Monaco
A Remote Code Execution vulnerability was discovered in Hulu's Monaco project, allowing code execution via deserialization due to unsanitized data being passed into pickle.loads.
Repository: hulu/monaco

CVE Pending | 2024-09-20 | Unauthorized Access
Unauthorized Redis Access in Monaco
Access to all Redis clusters administered by Monaco due to missing authentication on the app_redis_api endpoint.
Repository: hulu/monaco

CVE Pending | 2024-10-01 | Directory Traversal
Directory Traversal in LogAI
Access to sensitive files via log paths due to broken path traversal protection in the Salesforce LogAI project.
Repository: salesforce/logai

CVE Pending | 2024-10-24 | Directory Traversal
Directory Traversal in DB-GPT
Access to database files via backup paths due to missing path normalization in the DB-GPT project.
Repository: eosphoros-ai/DB-GPT
