notes from taking things apart.
latest writing
-
Escaping the mathjs Sandbox: From math.evaluate() to Remote Code ExecutionA bug bounty program led me into the internals of mathjs 11.8.2. Two property reads in the FunctionNode and SymbolNode compilers skip the library's own safe-property allow-list, so an evaluated constructor() expression reaches the JavaScript Function constructor and turns math.evaluate() into remote code execution. Root cause, the silent 11.9.1 fix, and a reproducible local proof of concept.
-
Grafana OSS - Full Read SSRF via Data Source ProxyGrafana is the most popular open-source monitoring and observability platform, used by thousands of organizations to visualize metrics, logs, and traces. During security research on the Grafana OSS codebase, I identified a full read Server-Side Request Forgery (SSRF) vulnerability/misconfiguration in the data source proxy.
-
CVE-2026-22248 - From File Upload to RCE via Unsafe DeserializationGLPI is an open-source IT asset management software used by thousands of organizations worldwide. I identified a vulnerability chain that allows an authenticated administrator to achieve Remote Code Execution (RCE) via PHP Object Injection in the progress indicator storage mechanism.