Zion Boggan

In-depth vulnerability research, detection engineering & applied cryptography.


Research archive

Every writeup and methodology note, grouped by area: 37 entries across cryptographic libraries, database internals, blockchain consensus, embedded firmware, and authorization layers.

37 writeups & notes · 6 research programs · severity P1–P4 · 8 Fireblocks MPC findings

A public collection of vulnerability-research writeups, methodology notes, and post-disclosure case studies from independent work on HackerOne and Bugcrowd programs. Each writeup leads with how the bug was reached (the source reading and variant hunting that generalizes), not just what it was.

Everything here respects coordinated disclosure: findings appear only after the program's window closed, the upstream patch shipped, or the same bug class was published elsewhere with a referenced CVE. No customer data was accessed; test artifacts were cleaned up after submission.

Web application / cloud platform

SSRF, authorization bypass, and platform-wide pattern findings.

SSRF · How I Found Two SSRF Vulnerabilities in a Major Cloud Platform's Image Pipeline
Two SSRFs in the same platform via different code paths (webhook callbacks + image processor). The systemic pattern matters more than either finding.
Authz bypass · Missing Channel-Level Authorization in Shared Channel Invite/Uninvite API Allows Private Channel Data Exfiltration
Mattermost shared-channel invite endpoint enforces system-level perms but not channel-level. Same bug class as CVE-2025-11777.

Aiven managed services

Postgres privilege escalation, sandbox bypass, and DoS across Aiven's managed data services.

DoS / stack overflow · Stack Overflow in JSONMergePatch Crashes Aiven Managed ClickHouse via Single SELECT Query
Single SELECT JSONMergePatch(...) SIGSEGVs the managed instance. Crash payload is storable in shared tables.
DoS / data integrity · Replication Integrity Bypass via Lua `redis.set_repl(REPL_NONE)` Enables Silent Data Corruption and Persistent Backdoor Functions on Aiven Managed Valkey
Valkey replication stealth path bypasses listpack validation.
Info disclosure · ASLR Bypass via Lua Function Pointer Leak in Aiven Managed Valkey
ASLR leak through replication metadata.
DoS / OOM · Authenticated DoS: Dragonfly Server Crash via Crafted Stream RESTORE Payload
Unbounded allocation in Dragonfly's stream RESTORE path.
DoS · Authenticated DoS: Karapace REST Proxy Crash via GZIP Compression Bomb in Kafka Messages
Karapace REST proxy accepts gzip-compressed messages and decompresses without bounds.
Info disclosure · Aiven Internal System Account Password Hashes Exposed to Customer Users via mysql.user SELECT on Aiven Managed MySQL
MySQL binlog ACL bypass surfaces replication credentials.
Privilege escalation · Report: Privilege Boundary Violation via Subscription Ownership Escalation
Postgres CREATE SUBSCRIPTION executes under session_user=postgres, escalating sandboxed user to superuser context.
Privilege escalation · Report: Superuser Database Connection via SECURITY DEFINER dblink Chain
SECURITY DEFINER + dblink loopback chain reaches an unrestricted superuser session.
Privilege escalation · Report: Unqualified `parse_ident()` in SECURITY DEFINER Function (CVE-2025-31480 Variant)
parse_ident without schema qualification inside SECDEF: a variant in CVE-2025-31480 territory.
Sandbox bypass · Report: aiven_gatekeeper Bypass via Implicitly Castable Argument Types
aiven_gatekeeper extension bypassed via implicit-cast-driven shadow functions.
Code execution · Report: Autovacuum Arbitrary Code Execution via Expression Index Shadow Functions
Autovacuum executes attacker-defined function under the SECURITY_RESTRICTED bypass path.
Info disclosure · Project Name Enumeration
403 vs 404 oracle on /v1/project/<name> enumerates the entire managed-services customer base.
Info disclosure · Email Enumeration Timing
/v1/userauth timing differential distinguishes registered vs unregistered emails.
IDOR · SQL Query Optimizer IDOR
Cross-project access to SQL optimizer artifacts via predictable object IDs.

Blockchain / consensus

Consensus-halting and unauthenticated-DoS findings against an IBFT/QBFT chain.

DoS / unauth · CVE-2024-32972: Integer Underflow in GetBlockHeaders Causes Full Network Denial of Service
N-day demonstration of CVE-2024-32972 against an unpatched go-ethereum fork. Single unauthenticated TCP packet causes 7.8 GB allocation, OOM-kills the node. Targeting all IBFT validators halts the entire chain.
Consensus stall · QBFT HasBadProposal Quorum Inconsistency, Consensus Liveness Violation
QBFT's HasBadProposal check is symmetric across the round: one prepared bad proposal halts the round for every validator.

Embedded / camera firmware (AXIS OS)

SSRF, validation gaps, and disclosure in AXIS camera firmware CGIs.

Info disclosure · SNMP Community String Disclosure to Viewer-Privileged Users via DeviceConfig1 API
SNMP community strings returned in the viewer-role config endpoint.
SSRF · Server-Side Request Forgery via pingtest.cgi Missing Address Validation
pingtest.cgi skips the camera's own validateaddr helper.
Validation gap · Missing Input Validation in dnsupdate.cgi Delete Path
dnsupdate.cgi delete path skips the input validation applied to add.
SSRF · SSRF via httptest.cgi IPv6-Mapped Loopback Address Bypass
IPv6-mapped IPv4 (::ffff:127.0.0.1) bypasses the IPv4-only loopback filter on httptest.cgi.
Unauth access · Unauthenticated RTSP Video Stream Access via ONVIF WebSocket Endpoint
ONVIF RTSP-over-WebSocket endpoint accessible without authentication.

Cryptography / MPC (Fireblocks open-source MPC library)

Eight findings in the open-source Fireblocks MPC-CMP implementation, P1–P4.

Overview · Fireblocks MPC-Lib Audit Summary
Eight findings against the open-source Fireblocks MPC-CMP implementation, P1–P4.
Crypto soundness · Finding 01: Ring Pedersen Accepts Degenerate Parameters (t=1, s=1)
Ring-Pedersen parameter generation accepts degenerate values.
Memory safety · Finding 02: Heap Buffer Overflow in Signing Data Destructors
Heap overflow in destructor path.
Crypto soundness · Finding 03: MTA Batch Ring Pedersen Verification Uses 8-bit Randomness
MtA batch verification uses 8 bits of randomness, allowing forged batches with non-negligible probability.
Crypto soundness · Finding 04: Fiat-Shamir Challenge Truncates proof.A in MTA Range ZKP
Fiat-Shamir transcript truncation in MtA.
Memory safety / crypto · Finding 05: Integer Overflow in Quadratic ZKP Deserialization
Integer overflow during quadratic-residue ZKP deserialization.
Memory safety · Finding 06: Unbounded alloca() in generate_basis → Stack Overflow
Unbounded alloca() on attacker-sized range-proof input stack-overflows the verifier.
Crypto soundness · Finding 07: Missing Signature Verification in Offline ECDSA
Offline-ECDSA path accepts unverified signature shares.
Crypto soundness · Finding 08: Asymmetric EdDSA Uses Unsalted Commitment
EdDSA commitment uses unsalted SHA-256, enabling rainbow-table-style precomputation against fixed nonce structures.

Methodology

How the bugs were reached: recon, variant hunting, root-cause walkthroughs, and the dead ends.

Methodology · sequoia-pgp hunt, iteration 1 (recon)
Recon and variant-seed inventory against sequoia-openpgp based on its historical RUSTSEC advisories.
Methodology · sequoia-pgp hunt, iteration 2 (stream.rs read-after-verify-fail)
Iteration 2: parser audit and candidate ranking.
Methodology · sequoia-pgp hunt, iteration 3 (RUSTSEC-2024-0345 variant audit)
Iteration 3: results and what would not be a finding.
Methodology · openpgpjs-v6 hunt, iteration 1
Root-cause walk-through of CVE-2025-47934 (signature-verification bypass via msg.packets mutation) and a variant search against the v6.2.0 compression refactor.
Methodology · Live audit log, started 2026-04-17 00:10 UTC
Top-to-bottom audit log of systemd-coredumpd and systemd-resolved DNS parser. No findings; the writeup is the methodology and the dead ends.

HackerOne: artemispwns1 · Bugcrowd Researcher · Source: github.com/zionsworking/security-research-notebook