🔴 Security contact request – TLS-certificate bypass high-severity security issue

Open ColeMurray opened this issue 6 months ago • 0 comments

Hello maintainers 👋,

We have discovered a high-severity security issue in the default configuration of knowledge_storm that allows outbound HTTPS traffic to skip certificate validation.

  • Impact: Man-in-the-middle attackers on the network can intercept API calls and exfiltrate credentials.
  • Severity: High (CWE-295 – Improper Certificate Validation)

We’ve prepared:

  1. A minimal patch that restores secure defaults
  2. A regression test
  3. A proof-of-concept to demonstrate exploitability

Could you please share a private channel (PGP-encrypted e-mail or GitHub Private Vulnerability Report) so we can provide full details?

If we don’t hear back, we’ll follow Coordinated Vulnerability Disclosure guidelines and re-contact at 7 and 30 days, aiming for public disclosure no later than 90 days from today (flexible if you acknowledge and need more time).

Thank you & looking forward to working together.

— Cole Murray, Obscure Labs

ColeMurray, Jul 01 '25 18:07