https://yadhu.in/ Recent blog posts on Yadhu's Blog Hugo (https://gohugo.io) en-us Mon, 09 Feb 2026 00:00:00 Z https://yadhu.in/2026/02/09/Breaking-Down-the-n8n-Git-Node-Vulnerability-CVE-2026-25053-Remote-Code-Execution/ Mon, 09 Feb 2026 00:00:00 Z What it is: A vulnerability in the Git node that allows execution of system commands or arbitrary file access. Impact: Authenticated users with workflow permissions can execute commands on the n8n host or read sensitive files. Fix: This issue was addressed in n8n versions 1.123.10 and 2.5.0. Users are strongly encouraged to upgrade to these or later releases to mitigate the vulnerability. CVE: CVE-2026-25053 GHSA: GHSA-9g95-qf3f-ggrw CVSS Score: 9.4 (Critical) Note: n8n combined all the vulnerabilities discussed in this post into a single CVE (CVE-2026-25053) and GHSA advisory. This CVE covers the entire security hardening journey, including the Windows path separator bypass, TOCTOU vulnerabilities, config key injection, and other Git node security issues. https://yadhu.in/2026/02/09/Breaking-Down-the-n8n-Git-Node-Vulnerability-CVE-2026-25053-Remote-Code-Execution/ https://yadhu.in/2025/11/09/SupplyShield-Open-Source-Framework-for-Securing-Software-Supply-Chains-at-Scale/ Sun, 09 Nov 2025 00:00:00 Z Today, we’re excited to announce the open-source release of SupplyShield, an application security orchestration framework designed to secure software supply chains end-to-end. SupplyShield addresses the critical gap between running security scanners and actually operationalizing their results at scale. https://yadhu.in/2025/11/09/SupplyShield-Open-Source-Framework-for-Securing-Software-Supply-Chains-at-Scale/ https://yadhu.in/2024/05/11/Exploiting-HTTP-Request-Smuggling-in-Node.js-and-Gunicorn/ Sat, 11 May 2024 01:00:20 Z In this blog post, we discuss two vulnerabilities that were identified during my research on HTTP Request Smuggling: Node.js - CVE-2023-30589 Gunicorn - CVE-2024-1135 https://yadhu.in/2024/05/11/Exploiting-HTTP-Request-Smuggling-in-Node.js-and-Gunicorn/ https://yadhu.in/2023/01/19/PyCGI-From-Nginx-Path-Traversal-to-RCE-bi0s-CTF-2022/ Thu, 19 Jan 2023 00:00:00 Z This year I contributed 2 challenges to bi0s CTF (formerly InCTF Internationals). EmoLocker (Server-Side) PyCGI (Client-Side) In this post, we discuss the intended solution to PyCGI challenge. The source code of this challenge can be downloaded from here. # Analysis We are provided with 2 attachments for this challenge: Dockerfile Nginx.conf Looking into the Nginx configuration, we can find that there is a potential path traversal in the /static endpoint. You can read more about this here. https://yadhu.in/2023/01/19/PyCGI-From-Nginx-Path-Traversal-to-RCE-bi0s-CTF-2022/ https://yadhu.in/2023/01/19/Unlocking-the-EmoLocker-bi0s-CTF-2022-Authors-Writeup/ Thu, 19 Jan 2023 00:00:00 Z In this post, we discuss the solution to EmoLocker challenge from bi0s CTF 2022. The source code of this challenge can be downloaded from here. # Analysis Upon opening the challenge link, we are presented with a lockscreen that uses emojis instead of numbers. The page has two features: register and login. Additionally, there is an admin bot, which suggests that the challenge may involve client-side concepts. https://yadhu.in/2023/01/19/Unlocking-the-EmoLocker-bi0s-CTF-2022-Authors-Writeup/ https://yadhu.in/2022/11/13/A-Timeline-of-Growth-Reflections-on-the-Past-Present-and-Future/ Sun, 13 Nov 2022 01:00:20 Z As I look back at my three and a half years at Amrita University and Team bi0s, I can’t help but feel a sense of nostalgia. Join me as I take a trip down memory lane, and reflect on the experiences, lessons, and achievements that have shaped me into the person I am today. # 🚌 Journey so far.. As I reflect on the past few years, I am struck by the impact that time has had on me. I have grown and changed in ways I never could have imagined. My experiences at Amrita and Team bi0s have helped me to broaden my perspective and gain a deeper understanding of the world around me. I am proud of the progress I have made, both academically and personally, and acknowledge that there were times when I felt lost and uncertain. But it was during those moments that I learned the value of taking a step back, re-evaluating my goals and redirecting my efforts. https://yadhu.in/2022/11/13/A-Timeline-of-Growth-Reflections-on-the-Past-Present-and-Future/ https://yadhu.in/2022/11/05/A-tale-of-HTML-Injection-to-Account-takedown-at-Exercism.org/ Sat, 05 Nov 2022 01:00:20 Z # About Exercism Exercism is an online platform that helps people upskill their programming skills through practice and mentoring. They are an open-source organization with over 200 GitHub repositories, thousands of contributors, and a friendly, inclusive community. I came to know about the platform in 2018 when my mentor - Vipin Pavithran asked me to improve my coding skills by practicing on Exercism. Exercism is an amazing platform to learn to code. It has got an amazing set of challenges and a huge variety of learning tracks. https://yadhu.in/2022/11/05/A-tale-of-HTML-Injection-to-Account-takedown-at-Exercism.org/ https://yadhu.in/2022/10/17/Good-Intentions-CSAW-CTF-Qualifiers-2022/ Mon, 17 Oct 2022 11:57:25 Z tl;dr Upload log configuration file and exploit path traversal to gain RCE https://yadhu.in/2022/10/17/Good-Intentions-CSAW-CTF-Qualifiers-2022/ https://yadhu.in/2022/04/14/NarutoKeeper-Securinets-CTF-Quals-2022/ Thu, 14 Apr 2022 10:57:25 Z tl;dr Create a note with meta redirect tag to get callback. Leak the flag using search functionality. https://yadhu.in/2022/04/14/NarutoKeeper-Securinets-CTF-Quals-2022/ https://yadhu.in/2021/12/05/Vulpixelize-HITCON-CTF-2021/ Sun, 05 Dec 2021 21:24:04 Z tl;dr Use DNS Rebinding attack to read flag from /flag endpoint. https://yadhu.in/2021/12/05/Vulpixelize-HITCON-CTF-2021/ https://yadhu.in/2021/08/30/Shisui-Fword-CTF-2021-Write-up/ Mon, 30 Aug 2021 00:00:00 Z tl;dr XSS using DOM Clobbering <a id="showInfos"></a><a id="SETTINGS" name=check data-timezone="aaa" data-location="eval(window.name)"><a id="SETTINGS" name="x"> Bypass CSRF protection to execute XSS and read flag. https://yadhu.in/2021/08/30/Shisui-Fword-CTF-2021-Write-up/ https://yadhu.in/2021/08/15/InCTF-Internationals-2021-MD-Notes-Write-up/ Sun, 15 Aug 2021 12:01:43 Z tl;dr Leak admin’s hash using wildcard target origin in postMessage or by calculating sha256(''). Create an XSS payload to read /api/flag and send it to attacker server. https://yadhu.in/2021/08/15/InCTF-Internationals-2021-MD-Notes-Write-up/ https://yadhu.in/2021/06/22/Exploiting-Client-side-Prototype-Pollution-arg.js/ Tue, 22 Jun 2021 01:23:33 Z First of all, a big shoutout to the challenge author. All the challenges in this set are available here. ## Analysis Going through the challenge source, we can see that two JavaScript files are imported. 1 2 <script src="https://raw.githack.com/stretchr/arg.js/master/dist/arg-1.4.js"></script> <script src="js/main.js"></script> arg-1.4.js is a popular library for parsing URL parameters. And main.js has the following content. 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 let data = { small: "Hi, there!", big: "Hello, world!" } const vuln = document.querySelector("#vuln"); let queryStrings = window.location.search; let params = new URLSearchParams(queryStrings); let vulnParams = () => { let fragments = Arg.parse(location.hash.substr(1)); if(data[params.get("type")] !== undefined) vuln.innerHTML = "<h2>"+data[params.get("type")]+"</h2"; else vuln.innerHTML = "<h2>This region seems like something you need to look at.</h2>"; } window.onhashchange = () => { vulnParams(); } vulnParams(); We can see that main.js uses Arg library to parse location.hash and uses URLSearchParams to parse query strings. https://yadhu.in/2021/06/22/Exploiting-Client-side-Prototype-Pollution-arg.js/ https://yadhu.in/2021/05/16/Waffle-Write-up-m0leCon-CTF-2021-Teaser/ Sun, 16 May 2021 00:00:00 Z tl;dr Make a GET request to /gettoken%3fcreditcard=mmm&promocode=FREEWAF to get the token. Using the token make another request with {"name":"' union select flag, 1, 1, 1 from flag -- -", "name":"x"} to get the flag. https://yadhu.in/2021/05/16/Waffle-Write-up-m0leCon-CTF-2021-Teaser/ https://yadhu.in/2021/04/29/Story-of-My-first-Bug-Bounty/ Thu, 29 Apr 2021 12:56:20 Z # Intro Hello everyone, it’s been over a month I have shared something on my blog. I was busy with academic stuff and CTFs. But finally, I have decided to take some time to write a post on my first bug bounty. The bug was small and easy to exploit, however, let this be a motivation to all who haven’t yet found their first bug. I found the bug on a jewelry website. They did not have any vulnerability disclosure programs, but I was lucky enough to get a positive response from them. It was on a fine evening, after all the “hustle and bustle” of online classes ended, I was scrolling through my Instagram feed and I noticed an advertisement for a jewelry website. https://yadhu.in/2021/04/29/Story-of-My-first-Bug-Bounty/ https://yadhu.in/2021/03/13/HTBCTF-Finals-2021-Waf-Waf-Write-up/ Sat, 13 Mar 2021 09:19:43 Z tl;dr Rename table and exploit SQL Injection to get the flag. # Challenge Description Who let the blacklists out? # Source Code 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 <?php require('database.php'); $user = $_GET['user']; $pass = $_GET['pass']; if (!isset($user) || !isset($pass) || preg_match_all('/(select|union|where|\(|\.|\')/i', $user.$pass)) { highlight_file(__FILE__); exit; } $mysql = get_db(); $mysql->multi_query("SELECT * FROM `users` WHERE `username` = '${user}' AND `password` = '${pass}'"); do { if ($result = $mysql->store_result()) { if ($row = $result->fetch_assoc()) { echo json_encode($row) . '<br/>'; } $result->free(); } } while ($mysql->next_result()); $mysql->close(); # Analysis Parameters user and pass are directly fed into the query and might cause SQL Injection. The filters applied for the parameters are not strong enough. Multiple queries can be executed at a time since multi_query function is used. Inserting single quotes are not allowed. # Solution Inserting \ as value for user parameter causes a part of the query to be treated as a string, and the pass parameter can be used for SQL Injection. The query becomes https://yadhu.in/2021/03/13/HTBCTF-Finals-2021-Waf-Waf-Write-up/ https://yadhu.in/2021/02/09/DiceCTF-2021-Write-up-WebIDE-Challenge/ Tue, 09 Feb 2021 12:01:43 Z tl;dr Unintended Solution: Cookie Path Restriction bypass using pop-up windows + JS Sandbox Escape Intended Solution: Service Workers + JS Sandbox Escape https://yadhu.in/2021/02/09/DiceCTF-2021-Write-up-WebIDE-Challenge/ https://yadhu.in/2020/08/02/Towards-Cyber-Security/ Sun, 02 Aug 2020 12:01:43 Z https://yadhu.in/2020/08/02/Towards-Cyber-Security/ https://yadhu.in/about/ Mon, 01 Jan 0001 00:00:00 Z ## About I’m Yadhu Krishna M, a Security Engineer with over four years of experience in security. I specialize in identifying security vulnerabilities and building scalable security solutions. I currently lead the Software Supply Chain Security charter at CRED. I’m also a core maintainer of the SupplyShield project, contributing to improving software supply chain security. I’ve reported high-severity security issues in critical projects such as Node.js, Gunicorn, n8n, and Safari, earning multiple CVEs for my work. I speak at security conferences and run workshops at events including Nullcon, BlackHat Asia, and BlackHat Europe. https://yadhu.in/about/ https://yadhu.in/page/about/ Mon, 01 Jan 0001 00:00:00 Z My name is The Dude. I have the following qualities: I rock a great beard I’m extremely loyal to my friends I like bowling That rug really tied the room together. ## my history To be honest, I’m having some trouble remembering right now, so why don’t you just watch my movie and it will answer all your questions. https://yadhu.in/page/about/ https://yadhu.in/archives/ Mon, 01 Jan 0001 00:00:00 Z archives https://yadhu.in/archives/ https://yadhu.in/projects/ Mon, 01 Jan 0001 00:00:00 Z # Projects SupplyShield Open-source application security orchestration framework designed to secure software supply chains from vulnerabilities and unapproved base images. Automates SBOM generation, vulnerability detection, EPSS-based prioritization, and provides actionable security findings with upgrade recommendations. Features GitHub integration for automated issue creation and CI/CD pipeline integration via message queues. Built with Python 3.10+ and Docker Compose. # Security Advisories CVE-2026-25053 - n8n - OS Command Injection in Git Node CVE-2026-25049 - n8n - Expression Escape Vulnerability Leading to RCE CVE-2024-40817 - Safari Web Browser CVE-2024-34714 - Bypass enabled origins - Hoppscotch Browser Extension CVE-2024-1135 - HTTP Request Smuggling in Gunicorn. CVE-2023-46134 - Remote Code Execution in D-tale. CVE-2023-30589 - HTTP Request Smuggling in Node.js. CVE-2022-25850 - Server-Side Request Forgery (SSRF) attack in Proxyscotch. CVE-2021-23404 - Cross-Site Request Forgery (CSRF) bug in SQLite Web. CVE-2021-3666 - Prototype pollution in body-parser-xml Node.js module. # Presentations & Talks ## 2025 BlackHat Arsenal Asia 2025 Singapore - SupplyShield: Protecting your software supply chain - Slides | GitHub BlackHat Arsenal Europe 2025 - SupplyShield: Protecting your software supply chain - GitHub Nullcon Goa - Securing the Chains : Building defensive layers for software supply chains ## 2023 HackerOne Meetup - Beginner’s Guide to Prototype Pollution ## 2021 Introduction to DNS Spoofing InCTF - Introduction to Web Exploitation A Case Study on the Android Architecture ## 2020 Apache Tomcat RCE by Deserialization - CVE 2020-9484 YAML Deserialization Introduction to LDAP and LDAP Injection # Security Hall of Fames For critical information disclosure (via Cross-Site Leaks) in deepnote.com For potential Denial-of-Service (DoS) attack in standard.com For Cross-Site Scripting attack (XSS) in conclusion.nl ## Archived Projects Docker-On-Demand [archived] https://yadhu.in/projects/