Security Export: Issues, Dependabot & CodeScan Alerts #157

Open
grisuno wants to merge 1 commit into main from security-export

Conversation

grisuno (Owner) commented Jul 3, 2026

Automated security export generated on 20260703_000550.

This PR adds a snapshot under issues/ with:

  • All GitHub issues (open + closed) as issue_<n>.md
  • Open Dependabot alerts under issues/dependabot/
  • Open Code Scanning alerts under issues/codescan/
  • Index in issues/README.md

Each run replaces this branch (and closes any previous PR using the same head), so only the latest snapshot is open at any time.

Generated by security_issue_progressive.sh.

pantoaibot (Bot) commented Jul 3, 2026

PR Summary:

Security export added: new issues index plus Dependabot and CodeQL alert details.

Reviewed by Panto AI

Comment thread issues/README.md
|--------|-------|
| ⭐ Stars | 213 |
| 📥 Clones (last 14 days) | 803 |
| 🟢 Open Issues | 1 |


[VALIDATION] The "🟢 Open Issues | 1" metric is inconsistent with the Issues list (all four listed issues are closed). Regenerate or compute counts from the fresh snapshot (count files with state: open) to avoid incorrect/misleading status values.

| Metric | Value |
|--------|-------|
| ⭐ Stars | 213 |
| 📥 Clones | 803 |
| 🟢 Open Issues | 0 |
| 📋 Total Issues | 4 |
| 🛡 Dependabot Open Alerts | 3 |
| 🔍 CodeScan Open Alerts | 10 |
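The consistency check the comment asks for, written out as an added example that is not part of the PR or of security_issue_progressive.sh: derive each count from the per-item files' `**State:**` line and compare the result with the README metric table. The file names and contents below are constructed to match the layout the PR describes; they are not copied from the repository.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed stand-in for a snapshot: path -> file text. A real snapshot is
# produced by security_issue_progressive.sh; these strings only mimic its layout.
SAMPLE_SNAPSHOT: Dict[str, str] = {
    "issues/issue_84.md": "# Issue #84: Lazynmap failing to execute\n\n- **State:** closed\n",
    "issues/issue_30.md": "# Issue #30: Remove ngrok option\n\n- **State:** closed\n",
    "issues/dependabot/alert_47.md": (
        "# Dependabot Alert #47: python-socketio\n\n- **State:** open\n- **Severity:** high\n"
    ),
    "issues/codescan/alert_765.md": (
        "# Code Scanning Alert #765\n\n- **State:** open\n- **Severity:** error\n"
    ),
    # README whose "Open Issues" row disagrees with the files above (the case the review flagged).
    "issues/README.md": (
        "| Metric | Value |\n|--------|-------|\n"
        "| 🟢 Open Issues | 1 |\n| 📋 Total Issues | 2 |\n"
        "| 🛡 Dependabot Open Alerts | 1 |\n| 🔍 CodeScan Open Alerts | 1 |\n"
    ),
}

STATE_RE = re.compile(r"^- \*\*State:\*\* (open|closed)\s*$", re.MULTILINE)


def parse_metrics(readme: str) -> Dict[str, int]:
    """Read '| <emoji> Name | <int> |' rows into {Name: int}; header and separator rows are skipped."""
    metrics: Dict[str, int] = {}
    for line in readme.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 2 or not cells[1].isdigit():
            continue
        name = "".join(ch for ch in cells[0] if ch.isascii()).strip()  # drop the emoji prefix
        metrics[name] = int(cells[1])
    return metrics


def derive_counts(snapshot: Dict[str, str]) -> Dict[str, int]:
    """Recompute the README metrics from the State line of every item file."""
    counts = {"Open Issues": 0, "Total Issues": 0,
              "Dependabot Open Alerts": 0, "CodeScan Open Alerts": 0}
    for path, text in snapshot.items():
        match = STATE_RE.search(text)
        if match is None:
            continue  # README.md and anything else without a State line
        is_open = match.group(1) == "open"
        if "/dependabot/" in path:
            counts["Dependabot Open Alerts"] += int(is_open)
        elif "/codescan/" in path:
            counts["CodeScan Open Alerts"] += int(is_open)
        else:
            counts["Total Issues"] += 1
            counts["Open Issues"] += int(is_open)
    return counts


def find_mismatches(snapshot: Dict[str, str]) -> Dict[str, Tuple[Optional[int], int]]:
    """Return {metric: (stated, derived)} for every README row that disagrees with the files."""
    stated = parse_metrics(snapshot["issues/README.md"])
    return {name: (stated.get(name), derived)
            for name, derived in derive_counts(snapshot).items()
            if stated.get(name) != derived}


if __name__ == "__main__":
    print(find_mismatches(SAMPLE_SNAPSHOT))  # {'Open Issues': (1, 0)}
```

Run against a real checkout by replacing `SAMPLE_SNAPSHOT` with a mapping built from the files under `issues/`; a non-empty result is the signal to regenerate the README rather than hand-edit it.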

Comment thread issues/README.md
@@ -0,0 +1,37 @@
# Repository: LazyOwn

**Description:** LazyOwn RedTeam/APT Framework is the first RedTeam Framework with an AI-powered C&C, featuring rootkits to conceal campaigns, undetectable malleable implants compatible with Windows/Linux/Mac OSX, and self-configuring backdoors. With its Web interface and powerful Console Client, it is the best combination for your Autonomous RedTeam/APT campaigns.
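Review bot: the new README (hunk `@@ -0,0 +1,37 @@`) opens with the repository name and description but carries no generation timestamp or source commit, even though the PR body says each run replaces this branch and the metrics are point-in-time values. Add a line such as `**Generated:** 20260703_000550` (the value the PR description already states) directly under the `# Repository: LazyOwn` heading so a reader can tell which run produced the snapshot.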


[CRITICAL_BUG] The repository description (line 3) explicitly promotes offensive/dual-use capabilities (RedTeam/APT Framework, rootkits, backdoors). Publishing this text in a public snapshot may violate platform policies and attract legal/abuse scrutiny. Consider removing or softening the description, adding an access/disclaimer, or restricting this snapshot to an internal/private location.

**Description:** LazyOwn is a security testing and red team framework intended for authorized assessment and research in controlled environments. It provides an AI-assisted command-and-control interface, cross-platform agents, and automation features to help security teams evaluate and improve their defenses. Use of this tool must comply with all applicable laws, terms of service, and organizational policies.

Comment thread issues/README.md
| Metric | Value |
|--------|-------|
| ⭐ Stars | 213 |
| 📥 Clones (last 14 days) | 803 |


[NITPICK] Removing or avoiding dynamic telemetry (e.g., "Clones (last 14 days) | 803") in a static snapshot will reduce stale/misleading data and prevent accidental exposure of usage telemetry. If needed, indicate a timestamp and provenance for these metrics.

| Metric | Value (as of 2026-07-03) |
|--------|--------------------------|
| ⭐ Stars | 213 |
| 📥 Clones (last 14 days) | 803 |
| 🟢 Open Issues | 0 |
| 📋 Total Issues | 4 |
| 🛡 Dependabot Open Alerts | 3 |
| 🔍 CodeScan Open Alerts | 10 |

### Patches
Version 4.13.2 addresses this issue as follows:

- ASGI severs now only load the body of incoming requests into memory after the client is confirmed to be known and authenticated, and the payload size is below the maximum allowed size. Requests that do not comply with these requirements are discarded.


[NITPICK] Typo: "ASGI severs now only..." → change to "ASGI servers now only..."

- ASGI servers now only load the body of incoming requests into memory after the client is confirmed to be known and authenticated, and the payload size is below the maximum allowed size. Requests that do not comply with these requirements are discarded.

Comment thread issues/issue_84.md
---

**Describe the bug**
When executing the `run lazynmap` command, an error is generated indicating that `No such file or directory` is present in /home/USER/LazyOwn/sessions/logs/command_/home/USER/LazyOwn/modules/lazynmap.shoutputBigBang.htb.txt


[CRITICAL_BUG] The report exposes absolute local filesystem paths (/home/USER/...), which can leak host-specific layout or usernames. Sanitize or redact local paths before committing snapshots (e.g., use placeholders like <REPO_ROOT>/sessions/...).

When executing the `run lazynmap` command, an error is generated indicating that `No such file or directory` is present in <REPO_ROOT>/sessions/logs/command_<REPO_ROOT>/modules/lazynmap.shoutputBigBang.htb.txt

pantoaibot (Bot) commented Jul 3, 2026

Reviewed up to commit: b8c8ea4b734d5d8cc9c66fa7ebf893afc7f4b32e

Additional Suggestion
Others - Several files include the exact vulnerability rule names and detailed descriptions in filenames and headings (e.g., issues/codescan/* and the comments in issue_16.md/issue_17.md warning about exposing rule names). Exposing rule names and detailed remediation text in public artifacts may aid attackers. For public snapshots, redact or generalize rule names in filenames/headings and provide details only to authorized audiences or via links to authenticated trackers.
# Repository: LazyOwn

**Description:** LazyOwn RedTeam/APT Framework is the first RedTeam Framework with an AI-powered C&C, featuring rootkits to conceal campaigns, undetectable malleable implants compatible with Windows/Linux/Mac OSX, and self-configuring backdoors. With its Web interface and powerful Console Client, it is the best combination for your Autonomous RedTeam/APT campaigns.

| Metric | Value |
|--------|-------|
| ⭐ Stars | 213 |
| 📥 Clones (last 14 days) | 803 |
| 🟢 Open Issues | 1 |
| 📋 Total Issues | 4 |
| 🛡 Dependabot Open Alerts | 3 |
| 🔍 CodeScan Open Alerts | 10 |

## Issues
- [#84](./issue_84.md) - Lazynmap failing to execute (closed)
- [#30](./issue_30.md) - Please remove ngrok as a tunneling option as this tool violates the terms of service (closed)
- [#17](./issue_17.md) - Fix code scanning alert (Flask app configuration hardening) (closed)
- [#16](./issue_16.md) - Fix code scanning alert (information exposure) (closed)

## Dependabot Alerts
- [Dependabot #47](./dependabot/alert_47.md) - python-socketio (high) - open
- [Dependabot #46](./dependabot/alert_46.md) - python-engineio (high) - open
- [Dependabot #45](./dependabot/alert_45.md) - python-engineio (high) - open

## Code Scanning Alerts
- [CodeScan #781](./codescan/alert_781.md) - URL sanitization (warning) - open
- [CodeScan #780](./codescan/alert_780.md) - URL sanitization (warning) - open
- [CodeScan #779](./codescan/alert_779.md) - URL sanitization (warning) - open
- [CodeScan #778](./codescan/alert_778.md) - URL sanitization (warning) - open
- [CodeScan #777](./codescan/alert_777.md) - URL sanitization (warning) - open
- [CodeScan #776](./codescan/alert_776.md) - Regex range configuration (warning) - open
- [CodeScan #775](./codescan/alert_775.md) - Regex range configuration (warning) - open
- [CodeScan #767](./codescan/alert_767.md) - Network binding configuration (error) - open
- [CodeScan #766](./codescan/alert_766.md) - Network binding configuration (error) - open
- [CodeScan #765](./codescan/alert_765.md) - Network binding configuration (error) - open
# Code Scanning Alert #765

- **State:** open
- **Severity:** error
- **Tool:** CodeQL
- **Created:** 2026-05-21T04:27:05Z
- **URL:** https://github.com/grisuno/LazyOwn/security/code-scanning/765

## Description
Binding a socket to all network interfaces
# Code Scanning Alert #766

- **State:** open
- **Severity:** error
- **Tool:** CodeQL
- **Created:** 2026-05-21T04:27:05Z
- **URL:** https://github.com/grisuno/LazyOwn/security/code-scanning/766

## Description
Binding a socket to all network interfaces
# Code Scanning Alert #767

- **State:** open
- **Severity:** error
- **Tool:** CodeQL
- **Created:** 2026-05-21T04:27:05Z
- **URL:** https://github.com/grisuno/LazyOwn/security/code-scanning/767

## Description
Binding a socket to all network interfaces
# Code Scanning Alert #775

- **State:** open
- **Severity:** warning
- **Tool:** CodeQL
- **Created:** 2026-06-29T08:37:57Z
- **URL:** https://github.com/grisuno/LazyOwn/security/code-scanning/775

## Description
Overly permissive regular expression range
# Code Scanning Alert #776

- **State:** open
- **Severity:** warning
- **Tool:** CodeQL
- **Created:** 2026-06-29T08:37:57Z
- **URL:** https://github.com/grisuno/LazyOwn/security/code-scanning/776

## Description
Overly permissive regular expression range
# Code Scanning Alert #777

- **State:** open
- **Severity:** warning
- **Tool:** CodeQL
- **Created:** 2026-06-30T22:45:30Z
- **URL:** https://github.com/grisuno/LazyOwn/security/code-scanning/777

## Description
Incomplete URL substring sanitization
# Code Scanning Alert #778

- **State:** open
- **Severity:** warning
- **Tool:** CodeQL
- **Created:** 2026-06-30T22:45:30Z
- **URL:** https://github.com/grisuno/LazyOwn/security/code-scanning/778

## Description
Incomplete URL substring sanitization
# Code Scanning Alert #779

- **State:** open
- **Severity:** warning
- **Tool:** CodeQL
- **Created:** 2026-06-30T22:45:30Z
- **URL:** https://github.com/grisuno/LazyOwn/security/code-scanning/779

## Description
Incomplete URL substring sanitization
# Code Scanning Alert #780

- **State:** open
- **Severity:** warning
- **Tool:** CodeQL
- **Created:** 2026-06-30T22:45:30Z
- **URL:** https://github.com/grisuno/LazyOwn/security/code-scanning/780

## Description
Incomplete URL substring sanitization
# Code Scanning Alert #781

- **State:** open
- **Severity:** warning
- **Tool:** CodeQL
- **Created:** 2026-06-30T22:45:30Z
- **URL:** https://github.com/grisuno/LazyOwn/security/code-scanning/781

## Description
Incomplete URL substring sanitization
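An added example, not code from LazyOwn or from CodeQL, illustrating the two warning-level rule families listed above: the substring test that the "Incomplete URL substring sanitization" alerts describe next to a hostname-based check, and a character range of the kind the "Overly permissive regular expression range" alerts describe next to its corrected form. The trusted host name, the lookalike URLs and the identifier patterns are constructed; the page does not show the flagged code.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist; the repository's real trusted hosts are not on this page.
TRUSTED_HOST = "example.com"


def trusted_by_substring(url: str) -> bool:
    """The pattern the CodeQL rule flags: a substring test anywhere in the URL string."""
    return TRUSTED_HOST in url


def trusted_by_hostname(url: str) -> bool:
    """Hardened form: parse the URL and compare the actual host component,
    accepting the trusted host itself and its subdomains only."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname.lower().rstrip(".")
    return host == TRUSTED_HOST or host.endswith("." + TRUSTED_HOST)


# Constructed inputs that contain the trusted name without pointing at the trusted host.
LOOKALIKE_URLS = [
    "https://example.com.attacker.test/login",          # trusted name as prefix of another host
    "https://attacker.test/redirect?next=example.com",  # trusted name only in the query string
    "https://example.com@attacker.test/",               # trusted name in the userinfo part
]

# Second rule family: [A-z] is not "letters". Between 'Z' and 'a' the ASCII table
# holds [ \ ] ^ _ ` , so the loose pattern also accepts those six characters.
LOOSE_IDENT = re.compile(r"^[A-z0-9_]+$")
STRICT_IDENT = re.compile(r"^[A-Za-z0-9_]+$")


def ident_ok_loose(value: str) -> bool:
    return LOOSE_IDENT.fullmatch(value) is not None


def ident_ok_strict(value: str) -> bool:
    return STRICT_IDENT.fullmatch(value) is not None


if __name__ == "__main__":
    for url in LOOKALIKE_URLS:
        print(f"{url}: substring={trusted_by_substring(url)} hostname={trusted_by_hostname(url)}")
    print("a^b:", ident_ok_loose("a^b"), ident_ok_strict("a^b"))
```

The hostname check also rejects non-HTTP schemes and empty hosts, which a substring test never considers; keep the suffix comparison anchored on a leading dot, otherwise `notexample.com` would pass.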
# Issue #16: Fix code scanning alert (information exposure)

- **State:** closed
- **Created:** 2024-06-09T07:07:45Z
- **Updated:** 2024-06-09T07:12:42Z
- **Labels:** None

---

<!-- Warning: The suggested title contains the alert rule name. This can expose security information. -->

Tracking issue for:
- [x] https://github.com/grisuno/LazyOwn/security/code-scanning/6
# Issue #17: Fix code scanning alert (Flask app debug configuration)

- **State:** closed
- **Created:** 2024-06-09T07:08:21Z
- **Updated:** 2024-06-09T07:09:28Z
- **Labels:** None

---

<!-- Warning: The suggested title contains the alert rule name. This can expose security information. -->

Tracking issue for:
- [x] https://github.com/grisuno/LazyOwn/security/code-scanning/5
# Dependabot Alert #45: python-engineio

- **State:** open
- **Severity:** high
- **CVE:** CVE-2026-48809
- **Created:** 2026-06-29T09:59:20Z
- **URL:** https://github.com/grisuno/LazyOwn/security/dependabot/45

## Summary
python-engineio has possible denial of service due to maximum payload size sometimes not being enforced

## Description
### Impact
There are two specific configurations of the python-engineio server in which the size of incoming messages is not checked before the messages are loaded into memory. An attacker can take advantage of these to cause unnecessary memory allocations in the python-engineio server. The two cases are:

- POST requests, when using ASGI with the long polling transport
- WebSocket messages, when using Aiohttp with the WebSocket transport

### Patches
Version 4.13.2 addresses this issue as follows:

- ASGI servers now only load the body of incoming requests into memory after the client is confirmed to be known and authenticated, and the payload size is below the maximum allowed size. Requests that do not comply with these requirements are discarded.
- Aiohttp servers configure the maximum payload size in the underlying WebSocket layer from Aiohttp, so that large messages are discarded by Aiohttp before they are delivered to python-engineio.
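An added example, not python-engineio's code, of the request-handling order the ASGI part of the patch describes: client check first, declared-size check second, then a bounded read, so nothing is buffered for an unknown client or an oversized request. The `sid` query parameter and the `scope`/`receive` shapes follow the Engine.IO and ASGI conventions; the session set, size limit and chunk data are constructed.

```python
import asyncio
from typing import Awaitable, Callable, Dict, Iterable, List, Optional, Set, Tuple


class PayloadRejected(Exception):
    """Raised when a request is discarded before (or while) its body is read."""


def parse_query(query_string: bytes) -> Dict[str, str]:
    pairs = (p.split("=", 1) for p in query_string.decode().split("&") if "=" in p)
    return dict(pairs)


async def read_body_guarded(scope: dict,
                            receive: Callable[[], Awaitable[dict]],
                            known_sids: Set[str],
                            max_payload: int) -> bytes:
    """Accept a POST body only from a known client and only up to max_payload bytes.

    Order matters: the client check and the declared-size check happen before the
    first receive(), so an unknown client or an oversized request allocates nothing.
    The streaming check covers requests whose Content-Length is missing or understated.
    """
    sid = parse_query(scope.get("query_string", b"")).get("sid")
    if sid not in known_sids:
        raise PayloadRejected("unknown or unauthenticated client")
    headers = {k.lower(): v for k, v in scope.get("headers", [])}
    declared = headers.get(b"content-length")
    if declared is not None and int(declared) > max_payload:
        raise PayloadRejected("declared Content-Length exceeds limit")
    body = bytearray()
    while True:
        message = await receive()
        body.extend(message.get("body", b""))
        if len(body) > max_payload:
            raise PayloadRejected("body exceeded limit while streaming")
        if not message.get("more_body", False):
            return bytes(body)


def make_receive(chunks: Iterable[bytes]) -> Tuple[Callable[[], Awaitable[dict]], Dict[str, int]]:
    """Build an ASGI-style receive() over constructed chunks; stats counts bytes handed out."""
    pending: List[bytes] = list(chunks)
    stats = {"bytes_read": 0}

    async def receive() -> dict:
        chunk = pending.pop(0) if pending else b""
        stats["bytes_read"] += len(chunk)
        return {"type": "http.request", "body": chunk, "more_body": bool(pending)}

    return receive, stats


def simulate(query: str, chunks: Iterable[bytes], known_sids: Set[str],
             max_payload: int, content_length: Optional[int] = None) -> Tuple[str, object, int]:
    """Run one simulated long-polling POST; returns (outcome, detail, bytes read from the client)."""
    headers = [] if content_length is None else [(b"content-length", str(content_length).encode())]
    scope = {"type": "http", "method": "POST", "query_string": query.encode(), "headers": headers}
    receive, stats = make_receive(chunks)
    try:
        body = asyncio.run(read_body_guarded(scope, receive, known_sids, max_payload))
        return ("accepted", len(body), stats["bytes_read"])
    except PayloadRejected as exc:
        return ("rejected", str(exc), stats["bytes_read"])


if __name__ == "__main__":
    known = {"abc"}  # constructed: sessions that completed the connect handshake
    print(simulate("EIO=4&transport=polling&sid=abc", [b"x" * 10], known, 100))
    print(simulate("EIO=4&transport=polling&sid=zzz", [b"x" * 10], known, 100))
    print(simulate("EIO=4&transport=polling&sid=abc", [b"x" * 500], known, 100, content_length=500))
    print(simulate("EIO=4&transport=polling&sid=abc", [b"x" * 60, b"x" * 60], known, 100))
```

The third element of each result is the quantity the advisory is about: for the unknown-client and oversized-header cases it stays at zero, because the request is discarded before a single body byte is pulled from the transport.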
# Dependabot Alert #46: python-engineio

- **State:** open
- **Severity:** high
- **CVE:** CVE-2026-48802
- **Created:** 2026-06-29T09:59:21Z
- **URL:** https://github.com/grisuno/LazyOwn/security/dependabot/46

## Summary
python-engineio has unbound thread allocation that can cause denial of service

## Description
### Impact
An attacker can cause the creation of unnecessary background threads in the python-engineio server by exploiting the heartbeat mechanism, which launches a thread when a new connection is received, and when the client sends a PONG packet.

Note: this issue primarily affects synchronous servers. Asynchronous servers allocate background tasks instead of physical threads, which are lightweight and less likely to cause denial of service. However, the fix that was implemented was also applied to the asynchronous case.

### Patches
Version 4.13.2 addresses this issue as follows:

- The initial background thread (or async task) for heartbeat management is only launched if a client passes authentication in the `connect` handler.
- The server now ensures that there is only one background heartbeat thread (or async task) per client at a given point in time. Out of sequence PONG packets are now discarded when an active heartbeat thread is already running.
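An added model, not the library's implementation, of the two heartbeat rules in the patch: no worker before the connect handler accepts the client, and at most one worker per client, so repeated PONG packets cannot multiply threads. The worker body only idles until shutdown; the real PING/PONG exchange is not modelled, and the session id and interval are constructed.

```python
import threading
from typing import Dict, Optional


class HeartbeatGuard:
    """Per-client heartbeat bookkeeping with the two 4.13.2 rules applied."""

    def __init__(self, sid: str, ping_interval: float = 0.05) -> None:
        self.sid = sid
        self.ping_interval = ping_interval
        self.authenticated = False
        self.threads_started = 0      # how many workers were ever created for this client
        self.pongs_discarded = 0      # PONGs ignored because no worker may be (re)started
        self._worker: Optional[threading.Thread] = None
        self._stop = threading.Event()
        self._lock = threading.Lock()

    def on_connect(self, accepted: bool) -> None:
        """Rule 1: only a client the connect handler accepted gets a heartbeat worker."""
        self.authenticated = accepted
        if accepted:
            self._start_worker()

    def on_pong(self) -> None:
        """Rule 2: a PONG may (re)start the heartbeat only if none is currently running."""
        if not self.authenticated or not self._start_worker():
            self.pongs_discarded += 1

    def _start_worker(self) -> bool:
        """Create the worker unless one is alive; True only if a new one was created."""
        with self._lock:
            if self._worker is not None and self._worker.is_alive():
                return False
            self.threads_started += 1
            self._worker = threading.Thread(target=self._idle_loop, daemon=True)
            self._worker.start()
            return True

    def _idle_loop(self) -> None:
        # Stand-in for the heartbeat loop: wake every ping_interval until close() is called.
        while not self._stop.wait(self.ping_interval):
            pass

    def active_workers(self) -> int:
        return 1 if self._worker is not None and self._worker.is_alive() else 0

    def close(self) -> None:
        self._stop.set()
        if self._worker is not None:
            self._worker.join(timeout=1.0)


def pong_flood(accepted: bool, pongs: int) -> Dict[str, int]:
    """Deliver `pongs` PONG packets to one constructed client and report the bookkeeping."""
    guard = HeartbeatGuard("sid-constructed")
    guard.on_connect(accepted)
    for _ in range(pongs):
        guard.on_pong()
    result = {"threads_started": guard.threads_started,
              "pongs_discarded": guard.pongs_discarded,
              "active_workers": guard.active_workers()}
    guard.close()
    result["active_after_close"] = guard.active_workers()
    return result


if __name__ == "__main__":
    print(pong_flood(accepted=True, pongs=50))   # one worker, 50 PONGs discarded
    print(pong_flood(accepted=False, pongs=50))  # no worker at all
```

Without the lock-guarded check in `_start_worker`, every PONG would be a new thread; with it, `threads_started` stays at one for an accepted client and at zero for a rejected one, however many PONG packets arrive.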
# Dependabot Alert #47: python-socketio

- **State:** open
- **Severity:** high
- **CVE:** CVE-2026-48804
- **Created:** 2026-06-29T09:59:21Z
- **URL:** https://github.com/grisuno/LazyOwn/security/dependabot/47

## Summary
python-socketio: Binary attachment accumulation can cause denial of service

## Description
### Impact
The python-socketio server stores binary `EVENT` and `ACK` messages in memory while it waits to receive their binary attachments. Once all the attachments are received, these messages are then processed. An attacker can submit a binary message and intentionally omit sending one or more of its attachments to cause the message along with the partial list of received attachments to stay in memory for a long time.

### Patches
Version 5.16.2 takes the following measures to address this issue:
- Binary packets are only accepted from authenticated clients.
- When a client disconnects, the server checks if there is a partial binary message being held for the client and deletes it.
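An added model, not python-socketio's code, of the reassembly buffer with the two 5.16.2 measures applied: binary packets are parked only for authenticated clients, and whatever a client left half-sent is freed when it disconnects. Packet shapes, session ids and attachment bytes are constructed; the rule that a new header replaces an unfinished one is an assumption of this example, not something the advisory states.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class PendingBinary:
    """An EVENT/ACK packet parked until all of its binary attachments arrive."""
    packet: dict
    expected: int
    attachments: List[bytes] = field(default_factory=list)


class BinaryAssembler:
    def __init__(self) -> None:
        self.authenticated: Set[str] = set()
        self.pending: Dict[str, PendingBinary] = {}
        self.delivered: List[dict] = []
        self.dropped = 0

    def authenticate(self, sid: str) -> None:
        self.authenticated.add(sid)

    def on_binary_packet(self, sid: str, packet: dict, attachment_count: int) -> Optional[dict]:
        """Header of a binary EVENT/ACK; returns the message immediately if it needs no attachments."""
        if sid not in self.authenticated:
            self.dropped += 1              # measure 1: unauthenticated clients park nothing
            return None
        if sid in self.pending:
            self.dropped += 1              # assumption: a new header replaces an unfinished one
        if attachment_count == 0:
            self.pending.pop(sid, None)
            return self._deliver(packet, [])
        self.pending[sid] = PendingBinary(packet, attachment_count)
        return None

    def on_attachment(self, sid: str, data: bytes) -> Optional[dict]:
        """One binary frame; returns the assembled message once the last one arrives."""
        pend = self.pending.get(sid)
        if pend is None:
            self.dropped += 1              # attachment with no header to attach to
            return None
        pend.attachments.append(data)
        if len(pend.attachments) < pend.expected:
            return None
        del self.pending[sid]
        return self._deliver(pend.packet, pend.attachments)

    def on_disconnect(self, sid: str) -> None:
        """Measure 2: free whatever the client left half-sent."""
        if self.pending.pop(sid, None) is not None:
            self.dropped += 1
        self.authenticated.discard(sid)

    def buffered_bytes(self) -> int:
        """Memory currently held for incomplete messages (the quantity the advisory is about)."""
        return sum(len(a) for p in self.pending.values() for a in p.attachments)

    def _deliver(self, packet: dict, attachments: List[bytes]) -> dict:
        message = {**packet, "attachments": attachments}
        self.delivered.append(message)
        return message


def scenario() -> Dict[str, int]:
    """Constructed sequence: a header from an unauthenticated client, then a half-sent
    message released on disconnect, then a complete message from another client."""
    asm = BinaryAssembler()
    asm.on_binary_packet("s1", {"type": "EVENT", "name": "upload"}, 2)  # dropped: not authenticated
    asm.authenticate("s1")
    asm.on_binary_packet("s1", {"type": "EVENT", "name": "upload"}, 2)
    asm.on_attachment("s1", b"\x00" * 1024)                              # 1 of 2; the 2nd never comes
    held = asm.buffered_bytes()
    asm.on_disconnect("s1")
    asm.authenticate("s2")
    asm.on_binary_packet("s2", {"type": "ACK", "id": 7}, 1)
    done = asm.on_attachment("s2", b"\x01\x02")
    return {"held_before_disconnect": held, "held_after_disconnect": asm.buffered_bytes(),
            "dropped": asm.dropped, "delivered": len(asm.delivered),
            "s2_attachments": len(done["attachments"]) if done else -1}


if __name__ == "__main__":
    print(scenario())
```

The `buffered_bytes` figure is what grows without bound in the unpatched behaviour the advisory describes; here it returns to zero as soon as the client that parked the partial message goes away.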

Reviewed by Panto AI
