depthfirst
Autonomous Security From Design To Production
- We recently wrote about 21 FFmpeg zero-days we found earlier this year. Read the blog post about the findings and about how our security agent works in the comments.
  - 🔥 AI just found 21 zero-days in FFmpeg. That’s the video library bundled inside many apps, tools, containers, and devices. Some bugs sat untouched for 15–20 years. Google Chrome also dropped PATCHES for a record 429 vulnerabilities this week. Read: thehackernews.com/2026/06/ai-age…
- depthfirst reposted: We helped FFmpeg find and fix 21 security vulnerabilities. In a 1.5M-line codebase, we spent just $1K in API costs. Some of these bugs had been hiding for decades. We also developed a PoC demonstrating an RCE primitive when FFmpeg processes RTSP streams. Full write-up:
- depthfirst reposted: Replying to @MartinShkreli: @depthfirstlabs post trains their own and combines with frontier models + gets context from your environment beyond the codebase.
- depthfirst reposted: AI agents are enabling every team to build useful software. This is incredibly exciting, but it also means the attack surface is changing. We recently learned that our adversaries are already using frontier models to create malware and exploit vulnerabilities. To address this,
- Thanks @Forbes for the coverage. We want to give all defenders access to frontier-level security, today. We're offering $5m in credits to maintainers of critical OSS. Apply here:
  - This Startup’s AI Found Critical Vulnerabilities That Anthropic’s Mythos Missed forbes.com/sites/thomasbr… (Photo: Depthfirst)
- Still "Lab", but working fully remotely without any hardcoded offsets, bypassing ASLR on standard Ubuntu + Nginx deployment via an LFI primitive. There's still lots of room for improvement but I'm already out of tea and who cares? Just patch.
- depthfirst reposted: .@depthfirstlabs found NGINX Rift. We're giving $5m in credits to critical OSS projects, apply below. Regarding ASLR, please prioritize patching. ASLR makes the exploit harder, but still feasible.
  - 🚨 UPDATE: 19 MILLION exposed NGINX instances hit by the 18-year-old NGINX RCE found by AI. Top exposure by country: - United States: 5,340,011 - China: 2,540,008 - Germany: 1,871,780 Note on ASLR as added security: not all of these instances will have ASLR disabled, but every
- depthfirst reposted: Because regex-triggered vulnerabilities depend on the specific regex input, they are especially difficult for static analyzers (and humans) to find. This is impressive.
  - NGINX rift: We autonomously discovered this 18 yr old heap overflow (CVE-2026-42945) in @nginx impacting version 0.6.27 to 1.30.0. If you use rewrite and set directive, you may be impacted! Please update your NGINX or change the config to mitigate it. Read more at
- depthfirst reposted: Using the same system, we found NGINX RCE, Linux LPE, Chrome RCE, FFmpeg RCE and a lot of other critical Vulnerabilities, feel free to try it out! We are trying our best to help secure OSS!
  - Today we're launching the Open Defense Initiative: up to $5 million in @depthfirstlabs credits for critical open source projects to find and fix real, exploitable vulnerabilities. The timing matters: frontier models can autonomously discover and exploit vulnerabilities in
- depthfirst autonomously discovered, verified, and generated a patch for NGINX rift, an 18 year old heap overflow (CVSS 9.2). It leads to an RCE and is affecting most of the global web traffic. Follow the link in the comments to learn more.
  - NGINX rift: We autonomously discovered this 18 yr old heap overflow (CVE-2026-42945) in @nginx impacting version 0.6.27 to 1.30.0. If you use rewrite and set directive, you may be impacted! Please update your NGINX or change the config to mitigate it. Read more at