Summary: The video discusses significant security vulnerabilities discovered in major software frameworks and tools, including a serious issue in the Next.js JavaScript framework, the acquisition of Wiz by Google, critical vulnerabilities in the Ingress NGINX controller for Kubernetes, and the compromise of a popular GitHub Action.
Keypoints:
- CVE-2025-29927 affects Next.js, revealing an authorization bypass vulnerability that can be exploited with basic tools.
- Over 400,000 instances of Next.js are vulnerable to this authentication bypass, and an update has been released to address it.
- Google acquired security company Wiz for billion, possibly to enhance its GCP cloud security offerings.
- A new critical vulnerability (CVE-2025-24513) affecting the Ingress NGINX controller for Kubernetes was reported, allowing unauthenticated remote code execution.
- Wiz identified five CVEs in this set of vulnerabilities (IngressNightmare), and an estimated 43% of cloud environments are believed to be vulnerable.
- A compromised GitHub Action, tj-actions/changed-files, exposed CI/CD secrets in build logs for over 23,000 repositories in a two-day attack.
- Users of the compromised GitHub Action are advised to rotate their secrets immediately.
Youtube Video: https://www.youtube.com/watch?v=fbUohX9St8Y
Youtube Channel: Hak5
Video Published: Wed, 26 Mar 2025 15:15:05 +0000