Internet Explorer is no longer supported. Many things will still work, but your experience will be degraded and some things won't function. Please use a modern browser such as Edge, Chrome, or Firefox.

Welcome to Inedo Security Labs

Established in 2023, we are a team of security researchers focused on improving Software Supply Chain Security. We curate the ProGet Vulnerability Database (PGVD) and publish clear, practical write-ups to help teams understand real-world risk—not just theoretical severity.

To better prioritize that risk, we created the ProGet Vulnerability Rating System (PVRS). Instead of relying on CVSS scores, PVRS uses simple categories to reflect real-world impact and urgency. It highlights what can be safely monitored versus what requires immediate action, including the most critical Category 5 vulnerabilities.

  • 184399
    Detected
    Vulnerabilities
  • 232010
    Malicious
    Packages
  • 20
    Category 5
    Vulnerabilties

Latest Vulnerabilities Detected

PVRS CategoryVulnerability IDSummaryPackage
PGV-2652469

JLine is a Java library for handling console input. Prior to 3.30.14, 4.0.16, and 4.2.1, the JLine3 Telnet server remote-telnet module does not apply an upper bound to terminal dimensions received via the Telnet NAWS option, and TelnetIO.handleNAWS() in TelnetIO.java:856-879 reads client-supplied width and height as 16-bit unsigned integers and passes values such as 65535x65535 to setTerminalGeometry(), allowing an unauthenticated remote attacker to repeatedly alternate values and trigger continuous expensive rendering work that causes CPU exhaustion and denial of service. This issue is fixed in versions 3.30.14, 4.0.16, and 4.2.1.

debian/jline source, bookworm, debian/jline source, bullseye, debian/jline source, forky, debian/jline source, trixie, debian/jline2 source, bookworm, debian/jline2 source, bullseye, debian/jline2 source, forky, debian/jline2 source, trixie, debian/jline3 source, bookworm, debian/jline3 source, bullseye, debian/jline3 source, forky, debian/jline3 source, trixie

PGV-2652468

JLine is a Java library for handling console input. Prior to 3.30.14, 4.0.16, and 4.2.1, the JLine3 Telnet server remote-telnet module does not limit the number of environment variables a client may inject via the Telnet NEW-ENVIRON option, and TelnetIO.readNEVariables() in TelnetIO.java:1127-1180 stores each variable pair in a HashMap held by ConnectionData, allowing an unauthenticated attacker to flood unique variable pairs before the terminating IAC SE byte and exhaust JVM heap memory with an OutOfMemoryError. This issue is fixed in versions 3.30.14, 4.0.16, and 4.2.1.

debian/jline source, bookworm, debian/jline source, bullseye, debian/jline source, forky, debian/jline source, trixie, debian/jline2 source, bookworm, debian/jline2 source, bullseye, debian/jline2 source, forky, debian/jline2 source, trixie, debian/jline3 source, bookworm, debian/jline3 source, bullseye, debian/jline3 source, forky, debian/jline3 source, trixie

PGV-2652417

CloudTAK: Authenticated full-read SSRF in the /api/esri* routes — user-controlled URL fetched with no IP-classification guard

@tak-ps/cloudtak

PGV-2652427

PocketSphinx: Buffer overflows in language and acoustic model loading code

pocketsphinx, pocketsphinx

PGV-2652422

AngleSharp HTML5 Spec Compliance: mXSS via annotation-xml HTML Integration Point Bypass

AngleSharp

Meet the Inedo Security Labs Team

We're a small but focused team that reports directly to Inedo's CEO, Alex Papadimoulis. Our experience is diverse and over a range of domains and technologies, from Java in the banking sector to legacy Windows systems in mining, and advancements in cloud-native and machine learning. And although we're new to the Inedo team, we started with a ton of experience in Inedo's products.

Our Analysts

Pete Barnum
Senior Security Analyst
Pete has a background in regulatory compliance, with a focus on cybersecurity, SDLC auditing, risk management, disaster recovery, and IT vendor management. He's worked the Banking, Logistics, and Government sectors... but not yet the live/traveling entertainment industry.
Kim Pento
Chief Security Researcher
As Chief Security Researcher at Inedo Security Labs, Kim leverages her 20 years of expertise in cybersecurity in highly regulated sectors, oversees the team, and was a key figure alongside Alex Papadimoulis, CEO of Inedo, in the establishment of Inedo Security Labs.
Tod Hoven
Security Analyst
Tod is a former product engineer of ProGet transitioned into a career as a security researcher. Interested in analyzing and dissecting various software and systems to discover potential vulnerabilities and threats, vulnerability assessment, penetration testing, and threat modeling.