Dispute over CVE credit between FuzzingLabs and Gecko Security
Summary
FuzzingLabs and Gecko Security are in a dispute over credit for two vulnerability disclosures in Ollama and Gradio. FuzzingLabs accuses Gecko Security of replicating their vulnerability disclosures and backdating blog posts to claim credit for the CVEs. Gecko Security denies the allegations, attributing the overlap to differences in disclosure processes. The dispute involves vulnerabilities in Ollama and Gradio, with CVEs CVE-2025-51471 and CVE-2025-48889. FuzzingLabs claims Gecko copied their proof-of-concept (PoC) exploits and submitted them as their own, taking credit for the CVE IDs. Gecko Security maintains that they work directly with project maintainers and were unaware of FuzzingLabs' reports. The incident highlights the complexities of vulnerability disclosure and the challenges of coordinating credit in the cybersecurity community. GitHub has updated some advisories to credit FuzzingLabs' original reports, and Gecko Security has edited its blog posts to credit FuzzingLabs researchers.
Timeline
- 14.10.2025 17:52 · 2 articles
Gecko Security accused of replicating FuzzingLabs' vulnerability disclosures
FuzzingLabs accused Gecko Security of copying their vulnerability disclosures and backdating blog posts to claim credit for two CVEs. Gecko Security denied the allegations, stating they work directly with project maintainers and were unaware of FuzzingLabs' reports. The dispute involves vulnerabilities in Ollama and Gradio, with CVEs CVE-2025-51471 and CVE-2025-48889. The incident has sparked discussions within the security community about the challenges of triaging duplicate vulnerability reports and coordinating credit in responsible disclosure processes. FuzzingLabs claims that Gecko Security copied their exploits line-by-line, including unique fingerprints intentionally inserted to identify their work. FuzzingLabs alleges that at least 7 vulnerabilities on Gecko Security's website appear to be stolen from other researchers. GitHub updated some advisories to credit FuzzingLabs' original reports. Gecko Security has edited its blog posts to credit FuzzingLabs researchers and updated publishing dates. Gecko Security's workflow involves coordinating directly with project maintainers via GitHub, not through third-party platforms.
Sources:
- Security firms debate CVE credit in overlapping vulnerability reports — www.bleepingcomputer.com — 14.10.2025 17:52
- Security firms dispute credit for overlapping CVE reports — www.bleepingcomputer.com — 14.10.2025 17:52
Information Snippets
- FuzzingLabs accused Gecko Security of copying their vulnerability disclosures and backdating blog posts to claim credit for two CVEs.
  First reported: 14.10.2025 17:52 · 1 source, 2 articles (www.bleepingcomputer.com)
- The vulnerabilities in question are in Ollama and Gradio, with CVEs CVE-2025-51471 and CVE-2025-48889.
  First reported: 14.10.2025 17:52 · 1 source, 2 articles (www.bleepingcomputer.com)
- FuzzingLabs provided evidence of unique fingerprints in their PoCs, which they claim were copied by Gecko.
  First reported: 14.10.2025 17:52 · 1 source, 2 articles (www.bleepingcomputer.com)
- Gecko Security denied the allegations, stating they work directly with project maintainers and were unaware of FuzzingLabs' reports.
  First reported: 14.10.2025 17:52 · 1 source, 2 articles (www.bleepingcomputer.com)
- GitHub updated some advisories to credit FuzzingLabs' original reports.
  First reported: 14.10.2025 17:52 · 1 source, 2 articles (www.bleepingcomputer.com)
- The dispute has sparked discussions within the security community about the challenges of triaging duplicate vulnerability reports.
  First reported: 14.10.2025 17:52 · 1 source, 2 articles (www.bleepingcomputer.com)
- FuzzingLabs claims that Gecko Security copied their exploits line-by-line, including unique fingerprints intentionally inserted to identify their work.
  First reported: 14.10.2025 17:52 · 1 source, 1 article (www.bleepingcomputer.com: Security firms dispute credit for overlapping CVE reports)
- FuzzingLabs alleges that at least 7 vulnerabilities on Gecko Security's website appear to be stolen from other researchers.
  First reported: 14.10.2025 17:52 · 1 source, 1 article (www.bleepingcomputer.com: Security firms dispute credit for overlapping CVE reports)
- Gecko Security has edited its blog posts to credit FuzzingLabs researchers and updated publishing dates.
  First reported: 14.10.2025 17:52 · 1 source, 1 article (www.bleepingcomputer.com: Security firms dispute credit for overlapping CVE reports)
- Gecko Security's workflow involves coordinating directly with project maintainers via GitHub, not through third-party platforms.
  First reported: 14.10.2025 17:52 · 1 source, 1 article (www.bleepingcomputer.com: Security firms dispute credit for overlapping CVE reports)
Similar Happenings
Zero-day in Google Chrome exploited in the wild
Google has patched a zero-day vulnerability (CVE-2025-10585) in the Chrome web browser that has been actively exploited in the wild. The vulnerability is a type confusion issue in the V8 JavaScript and WebAssembly engine. The exploit details, actors involved, and the scale of exploitation remain undisclosed. The flaw is the sixth zero-day in Chrome that has been actively exploited or demonstrated as a proof-of-concept (PoC) since the start of the year. Google has released security updates to address the vulnerability.
Sitecore Experience Platform Exploit Chain Combines Cache Poisoning and Remote Code Execution
Security researchers have disclosed three new vulnerabilities in the Sitecore Experience Platform. These flaws can be chained to achieve information disclosure and remote code execution. The vulnerabilities include HTML cache poisoning, remote code execution through insecure deserialization, and information disclosure via the ItemService API. The exploit chain leverages these vulnerabilities to compromise fully-patched instances of the platform. The vulnerabilities were patched by Sitecore in June and July 2025. The exploit chain involves using the ItemService API to enumerate cache keys, sending HTTP cache poisoning requests, and executing malicious code via an unrestricted BinaryFormatter call.
HTTP/2 'MadeYouReset' Vulnerability Enables Large-Scale DoS Attacks
A new HTTP/2 vulnerability named MadeYouReset allows attackers to bypass server-imposed limits on concurrent requests, enabling large-scale denial-of-service (DoS) attacks. The flaw affects multiple products, including Apache Tomcat, F5 BIG-IP, and Netty. The vulnerability exploits the RST_STREAM frame to create a denial-of-service condition, potentially leading to out-of-memory crashes in some implementations. The MadeYouReset vulnerability leverages the RST_STREAM frame to trigger protocol violations, prompting the server to reset the stream. This bypasses existing mitigations for similar attacks like Rapid Reset and CONTINUATION Flood. The issue has been assigned the CVE identifier CVE-2025-8671, with specific CVEs for affected products. Multiple vendors have acknowledged the vulnerability and are working on patches. Researchers from Tel Aviv University identified the MadeYouReset vulnerability and disclosed it to over 100 vendors. The vulnerability can potentially affect up to one-third of all websites globally. Some vendors were already protected due to changes made after the Rapid Reset vulnerability, while others have implemented patches more recently.
Trend Micro Apex One Management Console 0-Day Exploited
Trend Micro has disclosed two critical vulnerabilities in its on-premise Apex One Management Console. Both vulnerabilities are actively exploited in the wild. The vulnerabilities, CVE-2025-54948 and CVE-2025-54987, allow for command injection and remote code execution. Trend Micro has released temporary mitigations and is urging users to apply them immediately to protect against potential attacks. The vulnerabilities affect versions of the Apex One Management Console that are deployed on-premise. The exploitation of these vulnerabilities highlights the ongoing risks associated with unpatched software and the need for proactive security measures.