[this includes some relevant work completed before the project started]
CVEs assigned: CVE-2025-45695 and CVE-2025-45696
Details are described in this paper.
| CVE | GHSA PR |
|---|---|
| CVE-2022-38749 | https://github.com/github/advisory-database/pull/2258 |
| CVE-2022-42889 | https://github.com/github/advisory-database/pull/2273 |
| CVE-2021-44228 aka log4shell | https://github.com/github/advisory-database/pull/2445 |
| CVE-2021-29425 | https://github.com/github/advisory-database/pull/3506 |
| CVE-2018-10237 | https://github.com/github/advisory-database/pull/2444 |
| CVE-2019-12402 | https://github.com/github/advisory-database/pull/2823 |
| CVE-2018-1324 | https://github.com/github/advisory-database/pull/2855 |
| CVE-2016-5394 | https://github.com/github/advisory-database/pull/2826 |
| CVE-2016-6798 | https://github.com/github/advisory-database/pull/2827 |
| CVE-2015-6420 | https://github.com/github/advisory-database/pull/2326 |
| CVE-2015-7501 | https://github.com/github/advisory-database/pull/2841 |

Those CVEs were discovered as part of Shawn Rasheed’s PhD co-supervised by Jens and inspired by the Evil Pickles study. See also: Shawn Rasheed, Jens Dietrich, Amjed Tahir: Caught in the web: DoS vulnerabilities in parsers for structured data. ESORICS’21, and Shawn Rasheed, Jens Dietrich, Amjed Tahir: Laughter in the wild: A study into DoS vulnerabilities in YAML libraries. TrustCom’19.