Several open source projects disclosed serious vulnerabilities affecting developer and infrastructure tooling, including remote code execution, SQL injection, server-side request forgery, prompt-driven query injection, and path traversal. Coder Workspace Agent patched GHSA-QRWJ-VH9X-GW5V, a cross-agent SSRF flaw that let an authenticated attacker controlling one workspace agent abuse HTTP 307/308 redirects to replay privileged requests to another agent, enabling cross-tenant file access, file writes, and command execution; fixes were released in versions v2.34.4, v2.33.10, v2.32.9, and v2.29.19 ESR. Coolify disclosed a critical authenticated command injection issue tied to unsafe handling of deployment fields such as dockerfile_location, allowing RCE and secrets exposure through deployment logs, while OpenRemote fixed GHSA-cgfv-jrfp-2r7v, an authenticated SQL injection bug in datapoint crosstab export that could expose other tenants’ data, Keycloak configuration, and encrypted credentials.
Additional disclosures affected AI and package-management components. Langroid fixed a prompt-injection-driven flaw in Neo4jChatAgent that executed LLM-generated Cypher without validation, allowing unauthorized graph operations and possible OS-level impact when dangerous Neo4j procedures were enabled; the issue was resolved in version 0.65.5 with new safety controls that were also extended to ArangoChatAgent. pnpm also reported a path traversal weakness in configDependencies processing from pnpm-lock.yaml, where a malicious repository could force symlink creation outside node_modules/.pnpm-config even with --ignore-scripts, creating a filesystem write primitive within or potentially beyond the project directory.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
10 events from the most recent confirmed update back to the earliest known activity.
A security fix was merged for Conversation Guard's port_forward functionality after maintainers found user-controlled arguments reached kubectl via spawn() without assertSafeArgv validation. The patch added argument validation, preserved InvalidParams error handling, and introduced regression tests for a proof of concept that could redirect kubectl to an attacker-controlled API server and expose the operator's bearer token.
Coder fixed a high-severity SSH configuration injection vulnerability in `coder config-ssh` where server-supplied values such as `HostnameSuffix` and `SSHConfigOptions` could inject arbitrary directives into a user's `~/.ssh/config` due to insufficient sanitization. The issue was addressed by validating those fields against a strict character set in patched releases 2.29.17, 2.32.7, 2.33.8, and 2.34.2.
Coder addressed a high-severity authorization flaw in the tailnet coordinator that allowed route hijacking because agent-supplied AllowedIPs were not validated against the authenticating agent's UUID before being forwarded to tunnel peers. The issue affected multiple release lines and was fixed by adding AllowedIPs validation in patched releases.
Coder fixed a high-severity authorization flaw that allowed cross-workspace agent reassignment because UpsertWorkspaceApp could overwrite an existing app's agent_id on primary-key conflict without verifying workspace ownership. The issue was patched in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 by validating ownership of existing workspace_apps rows and rejecting cross-workspace rebinding.
OpenRemote addressed an authenticated SQL injection vulnerability in the Manager datapoint crosstab export feature in version 1.26.0. The fix replaced user-controlled SQL identifiers with synthetic server-side column keys and moved friendly CSV header generation out of the database execution context.
Coder fixed a high-severity cross-agent server-side request forgery and remote code execution issue in Workspace Agent by disabling redirect following and pinning the destination agent address. Patched releases were issued as v2.34.4, v2.33.10, v2.32.9, and v2.29.19 ESR.
A GitHub advisory disclosed a critical authenticated remote command injection vulnerability in Coolify that can lead to remote code execution and secrets exfiltration through deployment logs. The report included proof-of-concept exploit code and identified unsafe handling of fields such as dockerfile_location and pre_deployment_command.
A GitHub advisory described a path traversal vulnerability in pnpm's handling of configDependencies entries from the env lockfile section of pnpm-lock.yaml. The issue can let a malicious repository cause symlink creation outside node_modules/.pnpm-config during install, including when run with --ignore-scripts.
Langroid resolved a prompt-injection-driven Cypher execution flaw in Neo4jChatAgent in version 0.65.5 by adding allow_dangerous_operations controls and validation. Similar protections were also applied to ArangoChatAgent.
A GitHub advisory disclosed a critical Langroid vulnerability in TableChatAgent and VectorStore where LLM-generated tool messages evaluated with Python eval() could escape the intended sandbox and achieve unauthenticated remote code execution. The advisory described access to dangerous built-ins via incomplete eval() mitigation and included a proof of concept that executed host commands.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
10 references tracked. Mallory keeps watching after this page renders.
cvefeed.io
Open sourcecvefeed.io
Open sourcegithub.com
Open sourcecvefeed.io
Open sourcegithub.com
Open sourcegithub.com
Open sourcegithub.com
Open sourcegithub.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.