GitHub Security Lab

Securing the world's software, together

GitHub Security Lab

GitHub Security Lab’s mission is to inspire and enable the community to secure the open source software we all depend on.

What we do

Find vulnerabilities

Our researchers find and report new vulnerabilities in the open source projects everyone relies on.

Educate the community

We share our research through proof-of-concepts, articles, tutorials, conferences and community events.

Amplify security research

We scale the security research of our community by performing Variants Analysis for open source projects with CodeQL. Visit our CodeQL Wall of Fame.

Notify the ecosystem

We curate a database of CVEs and security advisories to notify open source developers and maintainers.

Empower others

Make securing open source easy for developers and maintainers.

Foster collaboration

Build a community of security researchers to serve the global open source community.

Actions expression injection in Discord.js

GHSL-2024-145 • published 2024/07/17 00:00:00 ago • discovered by Alvaro Munoz
Unsafe YAML Deserialization in ngrinder

GHSL-2024-069 • published 2024/07/17 00:00:00 ago • discovered by Peter Stöckli
Command Injection and Limited File Write in fishaudio/Bert-VITS2 - CVE-2024-39685, CVE-2024-39686, CVE-2024-39688

GHSL-2024-045_GHSL-2024-047 • CVE-2024-39685 • CVE-2024-39686 • CVE-2024-39688 • published 2024/07/17 00:00:00 ago • discovered by Sylwia Budzynska
Potential secrets exfiltration from a Pull Request in docfx

GHSL-2024-030 • published 2024/07/17 00:00:00 ago • discovered by Alvaro Munoz
Potential secret exfiltration from a Pull Request in AutoGen

GHSL-2024-025_GHSL-2024-026 • published 2024/07/17 00:00:00 ago • discovered by Alvaro Munoz