GitHubSecurityLab - Network

In this blog post, we detail newly discovered authentication bypass vulnerabilities in the ruby-saml library used for single sign-on (SSO) via SAML on the service provider (application) side. Users of ruby-saml should update immediately to version 1.18.0.

github.blog/security/sign-in-a

12.3.2025 21:32
https://infosec.exchange/@GitHub...

🚀 Calling all CoderGirls in Aarhus! Join @blazingwind for a Code Night at the Microsoft office—a relaxed evening of coding, collaboration, and community. Whether you’re working on a project or just want to connect with fellow developers, this is for you! 🎉

📅 Thursday, March 13, 2025
⏰ 4:30 PM – 6:30 PM CET
📍 INCUBA, Åbogade 15, Århus N

Bring your laptop, bring your ideas, and let’s code together! 💻✨

12.3.2025 14:58
https://infosec.exchange/@GitHub...

Tomorrow, we are excited to host a software security competition based on gh.io/secure-code-game 🔐 for CyberWeek 2025 at the Microsoft Technology Center in Bellevue, WA. May the more secure win!

25.2.2025 23:46
https://infosec.exchange/@GitHub...

Happy Friday folks! Here is a throwback to our 2nd most popular research post of 2024, "Gaining kernel code execution on an MTE-enabled Pixel 8" by Man Yue Mo github.blog/security/vulnerabi

14.2.2025 11:04
https://infosec.exchange/@GitHub...

Keep your GitHub Actions secure! Vulnerable Workflows can expose you to secrets leaks, repository takeovers, remote code execution on your runners ... and more. Read our series on GitHub Actions security to understand the most common vulnerability patterns, learn secure practices, and protect your Workflows with CodeQL securitylab.github.com/resourc

13.2.2025 14:16
https://infosec.exchange/@GitHub...

Time flies! 4 years ago Antonio Morales published his Fuzzing101 online course. 3,000 stars and hundreds of happy learners later, rumor has it that Antonio is working on some new exercises! So, catch up now on the first 10 challenges before he drops the new ones at gh.io/fuzzing101!

12.2.2025 16:21
https://infosec.exchange/@GitHub...

The Security Lab is proud to sponsor NullCon Goa 2025! We are also funding scholarship tickets to enable and empower the next generation of security researchers to attend these high-quality conference sessions and network with security professionals! Enjoy, folks!

11.2.2025 16:09
https://infosec.exchange/@GitHub...

ICYMI Nancy Gariché published an article full of insights and practical tips for those considering starting a career in Cybersecurity: "Cybersecurity researchers: Digital detectives in a connected world" github.blog/security/vulnerabi

10.2.2025 17:42
https://infosec.exchange/@GitHub...

Hey 👋🏾 it's the weekend folks! Let's enjoy a throwback to our most popular research post of 2024, "3 ways to get Remote Code Execution in Kafka UI" github.blog/security/vulnerabi by @artsploit

7.2.2025 18:52
https://infosec.exchange/@GitHub...

We’re big believers in Linus's law: “given enough eyeballs, all bugs are shallow”. Together, we’re making open source software secure. en.wikipedia.org/wiki/Linus%27
-- THE END --

6.2.2025 21:46
https://infosec.exchange/@GitHub...

Our deep research work is primarily intended to inspire the community, so that we can improve open source security together. That’s why we publish detailed blog posts and proof-of-concept exploits. github.com/github/securitylab/

6.2.2025 21:46
https://infosec.exchange/@GitHub...

And these activities also benefit open source, because GitHub security products, including Dependabot and CodeQL, are free for open source projects!

6.2.2025 21:46
https://infosec.exchange/@GitHub...

Similarly, our work with CodeQL provides feedback to the code scanning team to help improve and further develop the feature so that more vulnerabilities are caught quickly and automatically.
docs.github.com/en/code-securi

6.2.2025 21:46
https://infosec.exchange/@GitHub...

The work that we do feeds into GitHub’s security products. For example, the advisory database is used to generate Dependabot alerts.
docs.github.com/en/code-securi

6.2.2025 21:46
https://infosec.exchange/@GitHub...

And fourth, we do deep research on critical open source projects. @mmolgtm’s work on Arm Mali is an example of this.
github.blog/security/vulnerabi

6.2.2025 21:45
https://infosec.exchange/@GitHub...

Third, we use GitHub’s CodeQL to scan thousands of open source repositories for common security mistakes, like SQL injections or path traversals.
securitylab.github.com/codeql-

6.2.2025 21:45
https://infosec.exchange/@GitHub...

Second, we share information around secure coding practices, through blogs and video content.
github.blog/developer-skills/a

6.2.2025 21:44
https://infosec.exchange/@GitHub...

First, we run the GitHub Advisory Database, which is a comprehensive database of open source vulnerabilities.
github.com/advisories

6.2.2025 21:44
https://infosec.exchange/@GitHub...

GitHub Security Lab sits within @githubsecurity and we focus exclusively on open source security with four main priorities:

6.2.2025 21:44
https://infosec.exchange/@GitHub...

Open source software is the foundation of much of the world’s software. So when open source wins, we win. And that’s why @github takes its responsibility seriously, to help make open source software more secure.

6.2.2025 21:43
https://infosec.exchange/@GitHub...