Cutting-edge security research by
Sonar to educate the world about code security across all software.
We're also at @[email protected] and @Sonar_Research
SonarResearch
Can you trust the trust dialog?
We discovered that running Claude Code in malicious folders could have executed system commands before the trust dialog even appears! Learn about the details in our latest blog post:
www.sonarsource.com/blog/claude-...
#appsec #security #vulnerability
Attending #Insomnihack this week? Don't miss our researcher @pspaul95.bsky.social breaking down various unsafe patterns attackers can abuse to compromise your GitHub Actions workflows!
Our team is hiring! If you are passionate about finding bugs in code, exploiting them in creative ways, and sharing your findings on our blog, apply here: jobs.lever.co/sonarsource/...
GitHub Actions offer powerful automation capabilities for CI/CD, but they're not immune to attacks.
Take a look at how we tackle this risk with SonarQube Cloud by diving into real-world vulnerabilities.
www.sonarsource.com/blog/securin...
#appsec #security #vulnerability
Using SonarQube to solve a CTF challenge? Done!
Learn how we detected a 0-day vulnerability during #KalmarCTF, making us the first to solve the challenge! From Zip Slip to RCE, using lazy class loading:
www.sonarsource.com/blog/code-se...
#appsec #CTF #vulnerability
From bit flip to RCE in Ollama!
Our latest blog post explains how a file parsing bug led to an interesting out-of-bounds write primitive. Learn how it could have been exploited in Ollama, a tool to run LLMs locally:
www.sonarsource.com/blog/ollama-...
#security #vulnerability #llm #ai
Taking a note on security: our latest blog post focuses on Go vulnerabilities, including Arbitrary File Write, XSS, and Misconfiguration. Showcasing our new support for the language in SonarQube Cloud!
www.sonarsource.com/blog/securin...
#appsec #security #vulnerability
Shellcode execution as a service!
To exploit an argument injection in Jellyfin, we searched and found a gadget in the .NET runtime to turn file writes into code execution. Learn about the bug and this new technique in our blog post:
www.sonarsource.com/blog/jellyfi...
#appsec #vulnerability
1-click RCE in the YTDLnis Android app!
On Android, turning file writes into RCE is usually quite hard, but here the app had a nice gadget for us. Check out the details in our latest blog post:
www.sonarsource.com/blog/ytdlnis...
#appsec #security #vulnerability
A fixed vulnerability that comes back to life?
This could have happened in GitHub Actions until yesterday! Learn how attackers could have exploited seemingly fixed workflow vulnerabilities:
www.sonarsource.com/blog/zombie-...
#appsec #security #vulnerability
Explore a Jellyfin remote code execution flaw where inconsistent validation enables FFmpeg argument injection and unauthenticated code execution.
Discover a vulnerability our researchers found in the Android app YTDLnis, allowing attackers to execute code on victim devices.
This blog introduces SonarQube's enhanced analysis capabilities for GitHub Actions, designed to proactively identify and remediate security vulnerabilities like Command Injection and Code Execution th...
We discovered different ways an untrusted folder can execute arbitrary code in Claude Code before the user is prompted with the trust dialog, allowing for potential compromise when cloning untrusted p...
Who is Sonar? Sonar helps prevent code quality and code security issues from reaching production, amplifies developers' productivity in concert with AI assistants, and improves the developer experienc...
Take a deep dive into some vulnerabilities in Go applications and understand how SonarQube Cloud helps developers detect and mitigate them during the development cycle.