https://zionboggan.com/ Vulnerability research, detection engineering, and applied cryptography. en-us https://zionboggan.com/featured-finding/ https://zionboggan.com/featured-finding/ Cryptography / MPC Sat, 18 Apr 2026 09:00:00 +0000 A widely-deployed open-source crypto library enforces an RFC 5280 CA path-length constraint only when a separate extension is present, so a CA forbidden from delegating can mint rogue sub-CAs the library still trusts. Includes an interactive proof you can run in the browser. https://zionboggan.com/security-research-notebook/mattermost-shared-channel-authz-bypass/ https://zionboggan.com/security-research-notebook/mattermost-shared-channel-authz-bypass/ Web & Cloud Platform Sat, 18 Apr 2026 09:00:00 +0000 Mattermost shared-channel invite endpoint enforces system-level perms but not channel-level. Same bug class as CVE-2025-11777. https://zionboggan.com/security-research-notebook/sequoia-pgp-variant-hunting-3/ https://zionboggan.com/security-research-notebook/sequoia-pgp-variant-hunting-3/ Methodology & Notes Fri, 17 Apr 2026 09:00:00 +0000 Iteration 3: results and what would not be a finding. https://zionboggan.com/security-research-notebook/sequoia-pgp-variant-hunting-2/ https://zionboggan.com/security-research-notebook/sequoia-pgp-variant-hunting-2/ Methodology & Notes Fri, 17 Apr 2026 09:00:00 +0000 Iteration 2: parser audit and candidate ranking. https://zionboggan.com/security-research-notebook/sequoia-pgp-variant-hunting-1/ https://zionboggan.com/security-research-notebook/sequoia-pgp-variant-hunting-1/ Methodology & Notes Fri, 17 Apr 2026 09:00:00 +0000 Recon and variant-seed inventory against sequoia-openpgp based on its historical RUSTSEC advisories. https://zionboggan.com/security-research-notebook/openpgpjs-cve-2025-47934-rootcause/ https://zionboggan.com/security-research-notebook/openpgpjs-cve-2025-47934-rootcause/ Methodology & Notes Fri, 17 Apr 2026 09:00:00 +0000 Root-cause walk-through of CVE-2025-47934 (signature-verification bypass via msg.packets mutation) and a variant search against the v6.2.0 compression refactor. https://zionboggan.com/security-research-notebook/systemd-coredump-resolved-audit-log/ https://zionboggan.com/security-research-notebook/systemd-coredump-resolved-audit-log/ Methodology & Notes Fri, 17 Apr 2026 09:00:00 +0000 Top-to-bottom audit log of systemd-coredumpd and systemd-resolved DNS parser. No findings; the writeup is the methodology and the dead ends. https://zionboggan.com/security-research-notebook/qbft-hasbadproposal-consensus-stall/ https://zionboggan.com/security-research-notebook/qbft-hasbadproposal-consensus-stall/ Blockchain / Consensus Thu, 16 Apr 2026 09:00:00 +0000 QBFT's HasBadProposal check is symmetric across the round, one prepared bad proposal halts the round for every validator. https://zionboggan.com/security-research-notebook/cve-2024-32972-getblockheaders-underflow/ https://zionboggan.com/security-research-notebook/cve-2024-32972-getblockheaders-underflow/ Blockchain / Consensus Thu, 16 Apr 2026 09:00:00 +0000 N-day demonstration of CVE-2024-32972 against an unpatched go-ethereum fork. Single unauthenticated TCP packet causes 7.8 GB allocation, OOM-kills the node. Targeting all IBFT validators halts the entire chain. https://zionboggan.com/security-research-notebook/valkey-replication-stealth/ https://zionboggan.com/security-research-notebook/valkey-replication-stealth/ Databases & Data Services Wed, 15 Apr 2026 09:00:00 +0000 Valkey replication stealth path bypasses listpack validation. https://zionboggan.com/security-research-notebook/mysql-credential-exposure/ https://zionboggan.com/security-research-notebook/mysql-credential-exposure/ Databases & Data Services Wed, 15 Apr 2026 09:00:00 +0000 MySQL binlog ACL bypass surfaces replication credentials. https://zionboggan.com/security-research-notebook/pg-gatekeeper-bypass-shadow-functions/ https://zionboggan.com/security-research-notebook/pg-gatekeeper-bypass-shadow-functions/ Databases & Data Services Tue, 14 Apr 2026 09:00:00 +0000 aiven_gatekeeper extension bypassed via implicit-cast-driven shadow functions. https://zionboggan.com/security-research-notebook/pg-unqualified-parse-ident-secdef/ https://zionboggan.com/security-research-notebook/pg-unqualified-parse-ident-secdef/ Databases & Data Services Tue, 14 Apr 2026 09:00:00 +0000 parse_ident without schema qualification inside SECDEF: variant of CVE-2025-31480 territory. https://zionboggan.com/security-research-notebook/pg-autovacuum-code-execution/ https://zionboggan.com/security-research-notebook/pg-autovacuum-code-execution/ Databases & Data Services Tue, 14 Apr 2026 09:00:00 +0000 Autovacuum executes attacker-defined function under the SECURITY_RESTRICTED bypass path. https://zionboggan.com/security-research-notebook/valkey-aslr-leak/ https://zionboggan.com/security-research-notebook/valkey-aslr-leak/ Databases & Data Services Tue, 14 Apr 2026 09:00:00 +0000 ASLR leak through replication metadata. https://zionboggan.com/security-research-notebook/onvif-rtsp-websocket-unauth/ https://zionboggan.com/security-research-notebook/onvif-rtsp-websocket-unauth/ Embedded / Firmware Mon, 13 Apr 2026 09:00:00 +0000 ONVIF RTSP-over-WebSocket endpoint accessible without authentication. https://zionboggan.com/security-research-notebook/httptest-ipv6-loopback-ssrf/ https://zionboggan.com/security-research-notebook/httptest-ipv6-loopback-ssrf/ Embedded / Firmware Mon, 13 Apr 2026 09:00:00 +0000 IPv6-mapped IPv4 (::ffff:127.0.0.1) bypasses the IPv4-only loopback filter on httptest.cgi. https://zionboggan.com/security-research-notebook/pg-secdef-dblink-superuser-chain/ https://zionboggan.com/security-research-notebook/pg-secdef-dblink-superuser-chain/ Databases & Data Services Mon, 13 Apr 2026 09:00:00 +0000 SECURITY DEFINER + dblink loopback chain reaches an unrestricted superuser session. https://zionboggan.com/security-research-notebook/pg-subscription-ownership-escalation/ https://zionboggan.com/security-research-notebook/pg-subscription-ownership-escalation/ Databases & Data Services Mon, 13 Apr 2026 09:00:00 +0000 Postgres CREATE SUBSCRIPTION executes under session_user=postgres, escalating sandboxed user to superuser context. https://zionboggan.com/security-research-notebook/dnsupdate-delete-validation-gap/ https://zionboggan.com/security-research-notebook/dnsupdate-delete-validation-gap/ Embedded / Firmware Mon, 13 Apr 2026 09:00:00 +0000 dnsupdate.cgi delete path skips the input validation applied to add. https://zionboggan.com/security-research-notebook/kafka-karapace-gzip-bomb-dos/ https://zionboggan.com/security-research-notebook/kafka-karapace-gzip-bomb-dos/ Databases & Data Services Mon, 13 Apr 2026 09:00:00 +0000 Karapace REST proxy accepts gzip-compressed messages and decompresses without bounds. https://zionboggan.com/security-research-notebook/dragonfly-stream-restore-oom/ https://zionboggan.com/security-research-notebook/dragonfly-stream-restore-oom/ Databases & Data Services Mon, 13 Apr 2026 09:00:00 +0000 Unbounded allocation in Dragonfly's stream RESTORE path. https://zionboggan.com/security-research-notebook/aiven-clickhouse-jsonmergepatch-stack-overflow/ https://zionboggan.com/security-research-notebook/aiven-clickhouse-jsonmergepatch-stack-overflow/ Databases & Data Services Sun, 12 Apr 2026 09:00:00 +0000 Single SELECT JSONMergePatch(...) SIGSEGVs the managed instance. Crash payload is storable in shared tables. https://zionboggan.com/security-research-notebook/pingtest-ssrf-missing-validateaddr/ https://zionboggan.com/security-research-notebook/pingtest-ssrf-missing-validateaddr/ Embedded / Firmware Sun, 12 Apr 2026 09:00:00 +0000 pingtest.cgi skips the camera's own validateaddr helper. https://zionboggan.com/security-research-notebook/snmp-community-string-viewer-disclosure/ https://zionboggan.com/security-research-notebook/snmp-community-string-viewer-disclosure/ Embedded / Firmware Sun, 12 Apr 2026 09:00:00 +0000 SNMP community strings returned in the viewer-role config endpoint. https://zionboggan.com/security-research-notebook/00-SUMMARY/ https://zionboggan.com/security-research-notebook/00-SUMMARY/ Cryptography / MPC Sat, 11 Apr 2026 09:00:00 +0000 Eight findings against the open-source Fireblocks MPC-CMP implementation, P1-P4. https://zionboggan.com/security-research-notebook/08-eddsa-unsalted-commitment-P3/ https://zionboggan.com/security-research-notebook/08-eddsa-unsalted-commitment-P3/ Cryptography / MPC Sat, 11 Apr 2026 09:00:00 +0000 EdDSA commitment uses unsalted SHA-256, enabling rainbow-table-style precomputation against fixed nonce structures. https://zionboggan.com/security-research-notebook/07-offline-ecdsa-no-sig-verify-P3/ https://zionboggan.com/security-research-notebook/07-offline-ecdsa-no-sig-verify-P3/ Cryptography / MPC Sat, 11 Apr 2026 09:00:00 +0000 Offline-ECDSA path accepts unverified signature shares. https://zionboggan.com/security-research-notebook/06-alloca-stack-overflow-range-proofs-P3/ https://zionboggan.com/security-research-notebook/06-alloca-stack-overflow-range-proofs-P3/ Cryptography / MPC Sat, 11 Apr 2026 09:00:00 +0000 Unbounded alloca() on attacker-sized range-proof input stack-overflows the verifier. https://zionboggan.com/security-research-notebook/05-integer-overflow-quadratic-zkp-deser-P3/ https://zionboggan.com/security-research-notebook/05-integer-overflow-quadratic-zkp-deser-P3/ Cryptography / MPC Sat, 11 Apr 2026 09:00:00 +0000 Integer overflow during quadratic-residue ZKP deserialization. https://zionboggan.com/security-research-notebook/04-fiat-shamir-truncation-mta-P3/ https://zionboggan.com/security-research-notebook/04-fiat-shamir-truncation-mta-P3/ Cryptography / MPC Sat, 11 Apr 2026 09:00:00 +0000 Fiat-Shamir transcript truncation in MtA. https://zionboggan.com/security-research-notebook/03-mta-batch-verification-8bit-randomness-P2/ https://zionboggan.com/security-research-notebook/03-mta-batch-verification-8bit-randomness-P2/ Cryptography / MPC Sat, 11 Apr 2026 09:00:00 +0000 MtA batch verification uses 8 bits of randomness, allowing forged batches with non-negligible probability. https://zionboggan.com/security-research-notebook/02-destructor-heap-overflow-P2/ https://zionboggan.com/security-research-notebook/02-destructor-heap-overflow-P2/ Cryptography / MPC Sat, 11 Apr 2026 09:00:00 +0000 Heap overflow in destructor path. https://zionboggan.com/security-research-notebook/01-ring-pedersen-degenerate-params-P4/ https://zionboggan.com/security-research-notebook/01-ring-pedersen-degenerate-params-P4/ Cryptography / MPC Sat, 11 Apr 2026 09:00:00 +0000 Ring-Pedersen parameter generation accepts degenerate values. https://zionboggan.com/security-research-notebook/ssrf-via-image-pipeline/ https://zionboggan.com/security-research-notebook/ssrf-via-image-pipeline/ Web & Cloud Platform Thu, 09 Apr 2026 09:00:00 +0000 Two SSRFs in the same platform via different code paths (webhook callbacks + image processor). The systemic pattern matters more than either finding. https://zionboggan.com/security-research-notebook/sql-query-optimizer-idor/ https://zionboggan.com/security-research-notebook/sql-query-optimizer-idor/ Databases & Data Services Wed, 08 Apr 2026 09:00:00 +0000 Cross-project access to SQL optimizer artifacts via predictable object IDs. https://zionboggan.com/security-research-notebook/project-name-enumeration/ https://zionboggan.com/security-research-notebook/project-name-enumeration/ Databases & Data Services Tue, 07 Apr 2026 09:00:00 +0000 403 vs 404 oracle on /v1/project/<name> enumerates the entire managed-services customer base. https://zionboggan.com/security-research-notebook/email-enumeration-timing/ https://zionboggan.com/security-research-notebook/email-enumeration-timing/ Databases & Data Services Tue, 07 Apr 2026 09:00:00 +0000 /v1/userauth timing differential distinguishes registered vs unregistered emails.