Security Export: Issues, Dependabot & CodeScan Alerts#152
PR Summary: Add repository security export: new issues documentation, Dependabot alerts, and CodeQL (CodeScan) alerts under issues/.
| @@ -0,0 +1,37 @@ | |||
| # Repository: LazyOwn | |||
|
|
|||
| **Description:** LazyOwn RedTeam/APT Framework is the first RedTeam Framework with an AI-powered C&C, featuring rootkits to conceal campaigns, undetectable malleable implants compatible with Windows/Linux/Mac OSX, and self-configuring backdoors. With its Web interface and powerful Console Client, it is the best combination for your Autonomous RedTeam/APT campaigns. | |||
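Review bot: the description text in this hunk is copied verbatim from the repository metadata by the export, and the PR body states that each run replaces this branch and that the snapshot is generated by security_issue_progressive.sh; any wording change made in this generated README will be overwritten on the next run. If the description is to be sanitized as the comment below suggests, the change belongs in the generator script or in the source repository description it reads from, not in the generated file.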
[CRITICAL_BUG] The repository description explicitly lists rootkits, malleable implants and self-configuring backdoors. Publishing this text in a public repository risks legal/ethical exposure, automated takedown, and draws attention from security teams and hosting platforms. Remove or sanitize this wording (move to a private tracker or internal documentation), restrict this snapshot to private access, and add an access-control policy before publishing such content.
# Repository: LazyOwn
**Description:** LazyOwn RedTeam/APT Framework provides an AI-powered C&C and related red-team capabilities for Windows, Linux, and macOS. It is intended for authorized security testing, training, and research by qualified professionals operating under appropriate legal agreements. With its Web interface and powerful Console Client, it can support automated red-team and APT-style campaign simulations.
| - The initial background thread (or async task( for heartbeat management is only launched if a client passes authentication in the `connect` handler. | ||
| - The server now ensures that there is only one background heatbeat thread (or async task) per client at a given point in time. Out of sequence PONG packets are now discarded when an active heartbeat thread is already running. |
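Review bot: the first bullet ties the fix to authentication in the `connect` handler, so the generated alert should state that this part of the protection only applies to deployments whose `connect` handler actually rejects unauthenticated clients; a handler that accepts every client still gets one heartbeat thread per connection, and only the second bullet (one thread per client, stray PONGs discarded) applies in that configuration. Worth adding to the Recommended Actions so operators verify their handler after upgrading rather than assuming the version bump alone covers it.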
[NITPICK] Fix typos and stray punctuation in the patch description: change 'async task(' to 'async task)', 'severs' to 'servers', and 'heatbeat' to 'heartbeat'. Also rephrase the sentences for clarity (e.g. 'The initial background thread (or async task) for heartbeat management is only launched if a client passes authentication in the connect handler.').
### Patches
Version 4.13.2 addresses this issue as follows:
- The initial background thread (or async task) for heartbeat management is only launched if a client passes authentication in the `connect` handler.
- The server now ensures that there is only one background heartbeat thread (or async task) per client at a given point in time. Out-of-sequence PONG packets are now discarded when an active heartbeat thread is already running.
Reviewed up to commit: e5e157e02658039995ce0bf07e7b1bba03b48668
Additional Suggestion
Others
- Dependabot alerts describe high-severity DoS vectors in python-engineio / python-socketio (alerts #45-#47). Action: upgrade to the patched versions cited (engineio -> 4.13.2, socketio -> 5.16.2 or later), and harden the server: enforce maximum payload sizes, gate binary attachments behind authentication, ensure underlying WebSocket/ASGI layers enforce limits, and add CI dependency checks to prevent regressions. If you cannot upgrade immediately, mitigate by restricting access and limiting message sizes at transport layer.
# Dependabot Alert #45: python-engineio
- **State:** open
- **Severity:** high
- **CVE:** CVE-2026-48809
- **Created:** 2026-06-29T09:59:20Z
- **URL:** https://github.com/grisuno/LazyOwn/security/dependabot/45
## Summary
python-engineio has possible denial of service due to maximum payload size sometimes not being enforced. Upgrade to version **4.13.2 or later** and enforce transport-level limits.
## Recommended Actions
- **Upgrade:**
- Bump `python-engineio` to `>=4.13.2`.
- Bump `python-socketio` to `>=5.16.2`.
- **Server Hardening (application code, not this export repo):**
- Enforce max payload/body size at the HTTP/ASGI gateway.
- Configure WebSocket servers (e.g., Aiohttp/Uvicorn) with strict `max_size`/payload limits.
- Only accept binary packets from authenticated clients.
- On disconnect, clear any partial binary messages from memory.
- **CI/CD:**
- Add a dependency policy file (e.g., `requirements-security.txt`) with minimal safe versions.
- Add a CI job that fails on known vulnerable versions of `python-engineio` / `python-socketio`.
## Description
### Impact
There are two specific configurations of the python-engineio server in which the size of incoming messages is not checked before the messages are loaded into memory. An attacker can take advantage of these to cause unnecessary memory allocations in the python-engineio server. The two cases are:
- POST requests, when using ASGI with the long polling transport
- WebSocket messages, when using Aiohttp with the WebSocket transport
### Patches
Version 4.13.2 addresses this issue as follows:
- ASGI servers now only load the body of incoming requests into memory after the client is confirmed to be known and authenticated, and the payload size is below the maximum allowed size. Requests that do not comply with these requirements are discarded.
- Aiohttp servers configure the maximum payload size in the underlying WebSocket layer from Aiohttp, so that large messages are discarded by Aiohttp before they are delivered to python-engineio. |
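Review bot: the Recommended Actions in this alert file bundle a `python-socketio >= 5.16.2` bump under a `python-engineio` alert; since the summary attributes the socketio advisories to alerts #46-#47, either cross-reference those alerts here or keep each generated file scoped to its own package, otherwise the action list becomes misleading once one alert closes and the other stays open. The Server Hardening bullets also go beyond what the advisory's Patches section states (ASGI body buffering only after authentication and size check; Aiohttp max payload configured in the WebSocket layer), in particular "On disconnect, clear any partial binary messages from memory" has no counterpart in the quoted advisory text; label those bullets as general hardening guidance rather than as part of the upstream fix.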
Automated security export generated on 20260630_213240.
This PR adds a snapshot under issues/ with:
- issue_<n>.md
- issues/dependabot/
- issues/codescan/
- issues/README.md
Each run replaces this branch (and closes any previous PR using the same head), so only the latest snapshot is open at any time.
Generated by security_issue_progressive.sh.