CramHacks Chronicles #88: Weekly Cybersecurity Newsletter!
Docker Hub webhook security, libxml2's bug management, GerriScary's Google vulnerability, Netflix's dependency confusion, and CVE scoring
Hello, and Happy Monday!
I hope you’re having a great week thus far. I woke up at 3am today, worked for 30 minutes, realized how ridiculous that was, and then went back to bed. No impending deadline, just kinda happened for no good reason. I’ll be disconnecting this weekend 😅.
Are You Patching KEVs That Can't Actually Hurt You?
CISA’s KEV list flags known exploited vulns, but not all of them can impact your environment.
OX’s latest research reveals why blindly patching every KEV is a waste of time — and what to do instead.
Open Issue: Use a Secret in Docker Hub Webhooks for Caller validation
Scrolling LinkedIn, I noticed Jason Hall, Principal Engineer @ Chainguard, pointing out that Docker Hub webhooks don’t offer any method for validating a request’s origin (e.g., via a secret). This issue has been open since March 2020. Wild that they haven’t offered this or even publicly commented on it, AFAICT.
👋 Ironically, this was a comment on Matt Moore’s (CTO @ Chainguard) LinkedIn post suggesting that GitHub should move away from including a long-lived token in webhook requests and instead use an OIDC token. I’m 100% on board with getting rid of long-lived tokens wherever possible.
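For contrast with the unsigned Docker Hub webhooks above, here is an added example (not Docker Hub's, GitHub's or Chainguard's code) of the shared-secret scheme the open issue asks for: the sender HMAC-signs the raw body and the receiver recomputes and compares in constant time. It borrows GitHub's `X-Hub-Signature-256` header layout; the secret and payload are constructed for the demo.

```python
import hmac
import hashlib
import json

# Header name taken from GitHub's scheme; assumed here for the receiver.
HEADER = "X-Hub-Signature-256"


def sign_payload(secret: bytes, body: bytes) -> str:
    """Sender side: HMAC-SHA256 over the raw request body, hex-encoded."""
    digest = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return f"sha256={digest}"


def verify_webhook(secret: bytes, headers: dict, body: bytes) -> bool:
    """Receiver side: reject unsigned requests and signature mismatches.

    hmac.compare_digest keeps the comparison constant-time, so a forger
    cannot learn the expected value byte-by-byte from timing.
    """
    provided = headers.get(HEADER)
    if not provided or not provided.startswith("sha256="):
        return False  # no signature at all: the Docker Hub situation today
    expected = sign_payload(secret, body)
    return hmac.compare_digest(expected.encode(), provided.encode())


# Constructed sample: a made-up secret and a minimal push-style payload.
SECRET = b"constructed-example-secret-not-real"
BODY = json.dumps(
    {"repository": {"repo_name": "example/app"}, "push_data": {"tag": "1.2.3"}}
).encode()


def demo() -> dict:
    """Exercise the four cases a receiver has to get right."""
    signed = {HEADER: sign_payload(SECRET, BODY)}
    tampered_body = BODY.replace(b"1.2.3", b"latest")
    return {
        "valid": verify_webhook(SECRET, signed, BODY),
        "tampered_body": verify_webhook(SECRET, signed, tampered_body),
        "unsigned": verify_webhook(SECRET, {}, BODY),
        "wrong_secret": verify_webhook(b"other-secret", signed, BODY),
    }


if __name__ == "__main__":
    print(demo())
```

Note that the body must be verified exactly as received (before any JSON re-serialization), otherwise a legitimate signature will fail on whitespace or key-order differences.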
libxml2: Triaging security issues reported by third parties
Maintainer Nick Wellnhofer shares their experience as an open source maintainer and managing security reports, ultimately deciding that security issues should be treated like any other bug — making it public immediately, and fixing it as time allows.
Nick also shares in a comment, “The point is that libxml2 never had the quality to be used in mainstream browsers or operating systems to begin with. It all started when Apple made libxml2 a core component of all their OSes. Then Google followed suit and now even Microsoft is using libxml2 in their OS outside of Edge. This should have never happened.”
👋 I always appreciate these from-the-heart threads from active maintainers. It pains me to hear about the challenges, but I don’t think most people know what these struggles look like, and so we need more discussions like this.
GerriScary: Hacking the Supply Chain of Popular Google Products
Liv Matan does it again, discovering a vulnerability that could’ve been abused to compromise at least 18 Google projects, including ChromiumOS, Chromium, Bazel, and Dart.
Dubbed GerriScary, the vulnerability was the result of misconfigurations in how projects used Google’s Gerrit code-collaboration platform. The abused configurations are detailed here; in short, they allowed users to add commits to already-approved changes without those commits being re-reviewed before submission.
Netflix Vulnerability: Dependency Confusion in Action
Roni Carta and Shubs obtained remote code execution on a Netflix-owned host by processing bundled JavaScript captured from browser traffic to identify components vulnerable to dependency confusion. Once a vulnerable target was found, they published a proof-of-concept payload and waited for a ping back.
👋 The use of HAR files is super cool! If you don’t already know both Roni and Shubs, you probably should.
Scoring the quality of CVE vulnerability descriptions
Dawid Czarnecki launched a “no login required” web app for scoring CVE descriptions based on CVE.org’s phrasing guidelines.
👋 Scott Moore maintains a similar scoring system that evaluates historic CVE submissions, by CNA. Per Scott’s data, in 2025, only 750 CVEs disclosed (out of 21590) have reported all three standards: CWE, CVSS, and CPE.
Until Next Time! 👋
Hey, you made it to the bottom – thanks for sticking around!
Questions, ideas, or want to chat? Slide into my inbox! 💌
Don’t hesitate to forward if someone could benefit from this.
See you next Monday!
-Kyle
P.S. CramHacks has a Supporter tier! You can upgrade here to support CramHacks and its free weekly content 😃.