PoC Week 2025-03-31
The most featured CVEs in this week’s security newsletters, with public Proof-of-Concepts, ordered by mention count. Older CVEs, trivially exploitable vulnerabilities (such as using hard-coded credentials) and those affecting open source projects with very small userbases aren’t listed.
For the most up-to-date and accurate info, visit the NIST links. Always audit PoCs thoroughly before running them.
CVE-2025-1974
- Severity: 9.3 CRITICAL
- Impacted Products: Kubernetes ingress-nginx, various versions
- Description: A security issue was discovered in Kubernetes where under certain conditions, an unauthenticated attacker with access to the pod network can achieve arbitrary code execution in the context of the ingress-nginx controller. This can lead to disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)
- Remediation: Follow developer advice.
- More Info: NVD - CVE-2025-1974
- PoC: https://github.com/yoshino-s/CVE-2025-1974/
CVE-2025-30154
- Severity: 8.6 HIGH
- Impacted Products: Reviewdog action-setup, various versions and forks.
- Description: reviewdog/action-setup is a GitHub action that installs reviewdog. reviewdog/action-setup@v1 was compromised March 11, 2025, between 18:42 and 20:31 UTC, with malicious code added that dumps exposed secrets to GitHub Actions Workflow Logs. Other reviewdog actions that use reviewdog/action-setup@v1, and would therefore also be compromised regardless of version or pinning method, are reviewdog/action-shellcheck, reviewdog/action-composite-template, reviewdog/action-staticcheck, reviewdog/action-ast-grep, and reviewdog/action-typos.
- Remediation: Follow developer advice.
- More Info: NVD - CVE-2025-30154
- PoC: https://github.com/reviewdog/action-setup/commit/f0d342d
This ^ is a slightly weird one, in that the PoC is the malicious commit itself, with a base64-encoded payload.
CVE-2025-2746, CVE-2025-2747
- Severity: 9.8 CRITICAL
- Impacted Products: Kentico Xperience through 13.0.178
- Description: An authentication bypass vulnerability in Kentico Xperience, caused by the Staging Sync Server component's password handling for a server defined with the None authentication type. Bypassing authentication allows an attacker to control administrative objects.
- Remediation: Follow developer advice.
- More Info: NVD - CVE-2025-2747
- PoC: https://labs.watchtowr.com/bypassing-authentication-like-its-the-90s-pre-auth-rce-chain-s-in-kentico-xperience-cms/
CVE-2024-33452
- Severity: Awaiting Analysis
- Impacted Products: Openresty lua-nginx-module 0.10.26 and earlier
- Description: When processing HTTP/1.1 requests, lua-nginx-module incorrectly parses HEAD requests that carry a body and treats the body as a new, separate request (HTTP request smuggling). The vulnerability lives in the src/ngx_http_lua_util.c file.
- More Info: NVD - CVE-2024-33452
- PoC: https://www.benasin.space/2025/03/18/OpenResty-lua-nginx-module-v0-10-26-HTTP-Request-Smuggling-in-HEAD-requests
References
This list was scraped from the quite amazing and highly recommended newsletters below:
Thanks for reading! For corrections or omissions (e.g. newsletter recommendations), feel free to get in touch.