{"vulnerability": "cve-2021-42574", "sightings": [{"uuid": "dcfc0b68-0a10-4742-898f-9cd0be0773c4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42574", "type": "published-proof-of-concept", "source": "https://t.me/GithubRedTeam/791", "content": "GitHub\u76d1\u63a7\u6d88\u606f\u63d0\u9192\uff01\uff01\uff01\n\n\u66f4\u65b0\u4e86\uff1aCVE-2021\n\u63cf\u8ff0\uff1aGenerate malicious files using recently published bidi-attack (CVE-2021-42574)\nURL\uff1ahttps://github.com/js-on/CVE-2021-42574", "creation_timestamp": "2021-11-02T15:34:35.000000Z"}, {"uuid": "ea161b75-0051-4c9c-9923-5d4725d656fb", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42574", "type": "seen", "source": "https://gist.github.com/stackbleed-ctrl/b7b2f989c6e06be627285851f6176f92", "content": "", "creation_timestamp": "2026-03-16T21:16:24.000000Z"}, {"uuid": "10842011-3b81-45f7-a16f-66fdb3920081", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42574", "type": "seen", "source": "https://gist.github.com/zeyi2/ef0acd0169c043f94a62282d357255f4", "content": "", "creation_timestamp": "2025-11-08T07:36:32.000000Z"}, {"uuid": "92e19daa-c8e0-48a1-8d91-b50ae7623344", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42574", "type": "published-proof-of-concept", "source": "https://t.me/habr_com_news/698", "content": "\u200b\u0418\u0441\u0441\u043b\u0435\u0434\u043e\u0432\u0430\u0442\u0435\u043b\u0438 \u043e\u043f\u0438\u0441\u0430\u043b\u0438 \u043a\u043e\u043d\u0446\u0435\u043f\u0442 \u0430\u0442\u0430\u043a\u0438 Trojan Source\n\n\u0411\u0440\u0438\u0442\u0430\u043d\u0441\u043a\u0438\u0435 
\u0443\u0447\u0435\u043d\u044b\u0435 \u0438\u0437 \u043a\u0435\u043c\u0431\u0440\u0438\u0434\u0436\u0441\u043a\u043e\u0433\u043e \u0443\u043d\u0438\u0432\u0435\u0440\u0441\u0438\u0442\u0435\u0442\u0430 \u0420\u043e\u0441\u0441 \u0410\u043d\u0434\u0435\u0440\u0441\u043e\u043d \u0438 \u041d\u0438\u043a\u043e\u043b\u0430\u0441 \u0411\u0430\u0443\u0447\u0435\u0440, \u043e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043b\u0438 \u0434\u043e\u043a\u0443\u043c\u0435\u043d\u0442, \u0432 \u043a\u043e\u0442\u043e\u0440\u043e\u043c \u043f\u043e\u0434\u0440\u043e\u0431\u043d\u043e \u043e\u043f\u0438\u0441\u0430\u043b\u0438 \u043a\u043e\u043d\u0446\u0435\u043f\u0442 \u0430\u0442\u0430\u043a\u0438 Trojan Source \u0441 \u0438\u043d\u0434\u0435\u043a\u0441\u043e\u043c CVE-2021-42574. \u041e\u043d\u0430 \u0437\u0430\u043a\u043b\u044e\u0447\u0430\u0435\u0442\u0441\u044f \u0432 \u0438\u043d\u044a\u0435\u043a\u0446\u0438\u0438 \u0432\u0440\u0435\u0434\u043e\u043d\u043e\u0441\u043d\u043e\u0433\u043e \u043a\u043e\u0434\u0430 \u0432 \u043b\u0438\u0441\u0442\u0438\u043d\u0433 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u044b \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e \u043f\u043e\u043b\u0435\u0439 \u043a\u043e\u043c\u043c\u0435\u043d\u0442\u0430\u0440\u0438\u0435\u0432. 
\u0421\u0430\u043c \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442 \u0443\u0436\u0435 \u043c\u043e\u0436\u043d\u043e \u043d\u0430\u0439\u0442\u0438 \u043d\u0430 GitHub.", "creation_timestamp": "2021-11-03T08:20:47.000000Z"}, {"uuid": "12a31bae-6804-4a36-bdf4-15282543e557", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42574", "type": "published-proof-of-concept", "source": "Telegram/-oJMUkiRIMwxohphZHtIBNPP8uclYBfsB-4VKcH4VGbyCg", "content": "", "creation_timestamp": "2021-11-02T19:54:23.000000Z"}, {"uuid": "830585cc-afd3-4c36-97f1-a36700673bde", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42574", "type": "published-proof-of-concept", "source": "https://t.me/GithubRedTeam/818", "content": "GitHub\u76d1\u63a7\u6d88\u606f\u63d0\u9192\uff01\uff01\uff01\n\n\u66f4\u65b0\u4e86\uff1aCVE-2021\n\u63cf\u8ff0\uff1aChecks your files for existence of Unicode BIDI characters which can be misused for supply chain attacks. 
See CVE-2021-42574 \nURL\uff1ahttps://github.com/maweil/bidi_char_detector", "creation_timestamp": "2021-11-07T00:33:04.000000Z"}, {"uuid": "a8c397ac-b342-42dc-b03c-b1b2e5ae87f5", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42574", "type": "published-proof-of-concept", "source": "https://t.me/cKure/7873", "content": "CVE-2021-42574 - Code generator.\n\nhttps://github.com/js-on/CVE-2021-42574", "creation_timestamp": "2021-11-02T19:56:55.000000Z"}, {"uuid": "4d5cb5da-1404-434d-bc51-7b753ae5b698", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42574", "type": "published-proof-of-concept", "source": "https://t.me/cKure/7874", "content": "CVE-2021-42574 - Code generator.\n\nhttps://github.com/js-on/CVE-2021-42574", "creation_timestamp": "2021-11-02T19:57:03.000000Z"}, {"uuid": "6ec62cf2-3e76-481f-8158-4bd66176ee26", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42574", "type": "seen", "source": "https://t.me/cKure/7870", "content": "\u25cf This logical vulnerability is tracked as CVE-2021-42574.", "creation_timestamp": "2021-11-02T19:50:06.000000Z"}, {"uuid": "5f15a2d9-2f18-49b4-90e1-2d9644936bcb", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42574", "type": "published-proof-of-concept", "source": "https://t.me/true_secator/2278", "content": "\u0423\u0447\u0435\u043d\u044b\u0435 \u0438\u0437 \u041a\u0435\u043c\u0431\u0440\u0438\u0434\u0436\u0441\u043a\u043e\u0433\u043e \u0443\u043d\u0438\u0432\u0435\u0440\u0441\u0438\u0442\u0435\u0442\u0430 \u0432 \u0421\u043e\u0435\u0434\u0438\u043d\u0435\u043d\u043d\u043e\u043c 
\u041a\u043e\u0440\u043e\u043b\u0435\u0432\u0441\u0442\u0432\u0435 \u0440\u0430\u0441\u043a\u0440\u044b\u043b\u0438 \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0435\u043d\u043d\u044b\u0439 \u0435\u0449\u0435 25 \u0438\u044e\u043b\u044f \u0432\u0435\u043a\u0442\u043e\u0440 \u0430\u0442\u0430\u043a\u0438 Trojan Source, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0438\u0439 \u0432\u043d\u0435\u0434\u0440\u044f\u0442\u044c \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u0432 \u0438\u0441\u0445\u043e\u0434\u043d\u044b\u0439 \u043a\u043e\u0434 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f \u0442\u0430\u043a\u0438\u043c \u043e\u0431\u0440\u0430\u0437\u043e\u043c, \u0447\u0442\u043e\u0431\u044b \u0440\u0435\u0446\u0435\u043d\u0437\u0435\u043d\u0442\u044b \u043d\u0435 \u043c\u043e\u0433\u043b\u0438 \u0438\u0445 \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0438\u0442\u044c, \u0447\u0442\u043e \u0441\u043e\u0437\u0434\u0430\u0435\u0442 \u0443\u0433\u0440\u043e\u0437\u0443 \u043f\u043e\u043f\u0443\u043b\u044f\u0440\u043d\u043e\u043c\u0443 \u041f\u041e \u0438 \u0446\u0435\u043f\u043e\u0447\u043a\u0430\u043c \u043f\u043e\u0441\u0442\u0430\u0432\u043e\u043a.\n \nTrojan Source \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u0442 \u043f\u0440\u043e\u0441\u0442\u043e\u0439 \u043f\u0440\u0438\u0435\u043c, \u043a\u043e\u0442\u043e\u0440\u044b\u0439 \u043d\u0435 \u0442\u0440\u0435\u0431\u0443\u0435\u0442 \u043c\u043e\u0434\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438 \u043a\u043e\u043c\u043f\u0438\u043b\u044f\u0442\u043e\u0440\u0430 \u0438\u043b\u0438 \u043f\u0440\u043e\u0447\u0438\u0445 \u0443\u0445\u0438\u0449\u0440\u0435\u043d\u0438\u0439, \u0437\u0430\u0442\u0440\u0430\u0433\u0438\u0432\u0430\u044f C, C ++, C #, JavaScript, Java, Rust, Go \u0438 Python. 
\u0412\u0441\u044f \u0444\u0438\u0448\u043a\u0430 \u0441\u043e\u0441\u0442\u043e\u0438\u0442 \u0432 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0438 \u0443\u043f\u0440\u0430\u0432\u043b\u044f\u044e\u0449\u0438\u0445 \u0441\u0438\u043c\u0432\u043e\u043b\u043e\u0432 Unicode \u0434\u043b\u044f \u0438\u0437\u043c\u0435\u043d\u0435\u043d\u0438\u044f \u043f\u043e\u0440\u044f\u0434\u043a\u0430 \u0442\u043e\u043a\u0435\u043d\u043e\u0432 \u0432 \u0438\u0441\u0445\u043e\u0434\u043d\u043e\u043c \u043a\u043e\u0434\u0435 \u043d\u0430 \u0443\u0440\u043e\u0432\u043d\u0435 \u043a\u043e\u0434\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u044f.\n \n\u041a\u0430\u043a \u0432\u044b\u044f\u0441\u043d\u0438\u043b\u043e\u0441\u044c, \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u044f \u0443\u043f\u0440\u0430\u0432\u043b\u044f\u044e\u0449\u0438\u0435 \u0441\u0438\u043c\u0432\u043e\u043b\u044b, \u0432\u0441\u0442\u0440\u043e\u0435\u043d\u043d\u044b\u0435 \u0432 \u043a\u043e\u043c\u043c\u0435\u043d\u0442\u0430\u0440\u0438\u0438 \u0438 \u0441\u0442\u0440\u043e\u043a\u0438, \u0437\u043b\u043e\u0443\u043c\u044b\u0448\u043b\u0435\u043d\u043d\u0438\u043a \u043c\u043e\u0436\u0435\u0442 \u043f\u0435\u0440\u0435\u0443\u043f\u043e\u0440\u044f\u0434\u043e\u0447\u0438\u0442\u044c \u0438\u0441\u0445\u043e\u0434\u043d\u044b\u0439 \u043a\u043e\u0434, \u0447\u0442\u043e\u0431\u044b \u043d\u0435 \u043c\u0435\u043d\u044f\u044f \u0432\u0438\u0437\u0443\u0430\u043b\u044c\u043d\u043e\u0439 \u043a\u0430\u0440\u0442\u0438\u043d\u043a\u0438 \u0438\u0437\u043c\u0435\u043d\u0438\u0442\u044c \u0435\u0433\u043e \u043b\u043e\u0433\u0438\u043a\u0443 \u0442\u0430\u043a\u0438\u043c \u043e\u0431\u0440\u0430\u0437\u043e\u043c, \u0447\u0442\u043e\u0431\u044b \u0441\u043e\u0437\u0434\u0430\u0442\u044c \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c, \u043a\u043e\u0442\u043e\u0440\u0443\u044e \u043c\u043e\u0436\u043d\u043e 
\u0432\u043f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u0438 \u043f\u043e\u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0438\u0440\u043e\u0432\u0430\u0442\u044c.\n \n\u0420\u0435\u0430\u043b\u0438\u0437\u0430\u0446\u0438\u044f Trojan Source \u043f\u0440\u043e\u0438\u0441\u0445\u043e\u0434\u0438\u0442 \u043f\u043e \u0434\u0432\u0443\u043c \u0441\u0446\u0435\u043d\u0430\u0440\u0438\u044f\u043c: CVE-2021-42574 (\u0438\u043b\u0438 \u0434\u0432\u0443\u043d\u0430\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u043d\u0430\u044f \u0430\u0442\u0430\u043a\u0430) \u0438 CVE-2021-42694 (\u0433\u043e\u043c\u043e\u0433\u043b\u0438\u0444\u0438\u0447\u0435\u0441\u043a\u0430\u044f \u0430\u0442\u0430\u043a\u0430).\n \n\u0412 \u043f\u0435\u0440\u0432\u043e\u043c \u0441\u043b\u0443\u0447\u0430\u0435 \u043f\u0440\u0438\u043c\u0435\u043d\u044f\u044e\u0442\u0441\u044f \u044d\u043b\u0435\u043c\u0435\u043d\u0442\u044b \u0443\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u044f Unicode \u0434\u043b\u044f \u0434\u0432\u0443\u043d\u0430\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u043d\u043e\u0433\u043e \u0442\u0435\u043a\u0441\u0442\u0430, \u0447\u0442\u043e\u0431\u044b \u043e\u043f\u0440\u0435\u0434\u0435\u043b\u044f\u0442\u044c \u043d\u0430\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u0435, \u0432 \u043a\u043e\u0442\u043e\u0440\u043e\u043c \u043e\u0442\u043e\u0431\u0440\u0430\u0436\u0430\u0435\u0442\u0441\u044f \u043a\u043e\u043d\u0442\u0435\u043d\u0442. \u041a \u043f\u0440\u0438\u043c\u0435\u0440\u0443, LRI \u0438 RLI. 
\u0414\u0432\u0443\u043d\u0430\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u043d\u044b\u0435 (Bidi) \u044d\u043b\u0435\u043c\u0435\u043d\u0442\u044b \u0443\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u044f LRI \u0438 RLI \u044f\u0432\u043b\u044f\u044e\u0442\u0441\u044f \u043d\u0435\u0432\u0438\u0434\u0438\u043c\u044b\u043c\u0438 \u0441\u0438\u043c\u0432\u043e\u043b\u0430\u043c\u0438, \u0438 \u043e\u043d\u0438 \u043d\u0435 \u0435\u0434\u0438\u043d\u0441\u0442\u0432\u0435\u043d\u043d\u044b\u0435. \u0412\u0432\u043e\u0434\u044f \u044d\u0442\u0438 \u0438\u043d\u0441\u0442\u0440\u0443\u043a\u0446\u0438\u0438, \u043a\u043e\u043c\u043f\u0438\u043b\u044f\u0442\u043e\u0440 \u043c\u043e\u0436\u0435\u0442 \u0441\u043a\u043e\u043c\u043f\u0438\u043b\u0438\u0440\u043e\u0432\u0430\u0442\u044c \u043a\u043e\u0434, \u043f\u043e\u043b\u043d\u043e\u0441\u0442\u044c\u044e \u043e\u0442\u043b\u0438\u0447\u043d\u044b\u0439 \u043e\u0442 \u0442\u043e\u0433\u043e, \u0447\u0442\u043e \u0432\u0438\u0434\u0438\u0442 \u0447\u0435\u043b\u043e\u0432\u0435\u043a.\n \n\u0412\u043d\u0435\u0434\u0440\u044f\u044f \u0441\u0438\u043c\u0432\u043e\u043b\u044b \u043f\u0435\u0440\u0435\u043e\u043f\u0440\u0435\u0434\u0435\u043b\u0435\u043d\u0438\u044f Unicode Bidi \u0432 \u043a\u043e\u043c\u043c\u0435\u043d\u0442\u0430\u0440\u0438\u0438 \u0438 \u0441\u0442\u0440\u043e\u043a\u0438, \u0437\u043b\u043e\u0443\u043c\u044b\u0448\u043b\u0435\u043d\u043d\u0438\u043a \u043c\u043e\u0436\u0435\u0442 \u0441\u043e\u0437\u0434\u0430\u0442\u044c \u0441\u0438\u043d\u0442\u0430\u043a\u0441\u0438\u0447\u0435\u0441\u043a\u0438 \u043a\u043e\u0440\u0440\u0435\u043a\u0442\u043d\u044b\u0439 \u0438\u0441\u0445\u043e\u0434\u043d\u044b\u0439 \u043a\u043e\u0434 \u043d\u0430 \u0431\u043e\u043b\u044c\u0448\u0438\u043d\u0441\u0442\u0432\u0435 \u0441\u043e\u0432\u0440\u0435\u043c\u0435\u043d\u043d\u044b\u0445 \u044f\u0437\u044b\u043a\u043e\u0432, \u0434\u043b\u044f \u043a\u043e\u0442\u043e\u0440\u043e\u0433\u043e 
\u043f\u043e\u0440\u044f\u0434\u043e\u043a \u043e\u0442\u043e\u0431\u0440\u0430\u0436\u0435\u043d\u0438\u044f \u0441\u0438\u043c\u0432\u043e\u043b\u043e\u0432 \u043f\u0440\u0435\u0434\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 \u0441\u043e\u0431\u043e\u0439 \u043b\u043e\u0433\u0438\u043a\u0443, \u043e\u0442\u043b\u0438\u0447\u0430\u044e\u0449\u0443\u044e\u0441\u044f \u043e\u0442 \u0440\u0435\u0430\u043b\u044c\u043d\u043e\u0439 \u043b\u043e\u0433\u0438\u043a\u0438.\n \n\u0412\u0442\u043e\u0440\u043e\u0439 \u0432\u0430\u0440\u0438\u0430\u043d\u0442 \u0430\u0442\u0430\u043a\u0438 \u043e\u0441\u043d\u043e\u0432\u044b\u0432\u0430\u0435\u0442\u0441\u044f \u043d\u0430 \u043f\u0440\u0438\u043c\u0435\u043d\u0435\u043d\u0438\u0438 \u0433\u043e\u043c\u043e\u0433\u043b\u0438\u0444\u043e\u0432, \u0442\u043e \u0435\u0441\u0442\u044c \u0440\u0430\u0437\u043d\u044b\u0445 \u0441\u0438\u043c\u0432\u043e\u043b\u043e\u0432, \u043a\u043e\u0442\u043e\u0440\u044b\u0435 \u0445\u043e\u0442\u044c \u0438 \u0438\u043c\u0435\u044e\u0442 \u043e\u0434\u0438\u043d\u0430\u043a\u043e\u0432\u043e\u0435 \u0432\u0438\u0437\u0443\u0430\u043b\u044c\u043d\u043e\u0435 \u043f\u0440\u0435\u0434\u0441\u0442\u0430\u0432\u043b\u0435\u043d\u0438\u0435, \u043d\u043e \u0440\u0435\u0430\u043b\u0438\u0437\u0443\u044e\u0442 \u0440\u0430\u0437\u043d\u044b\u0439 \u0444\u0443\u043d\u043a\u0446\u0438\u043e\u043d\u0430\u043b. 
\u0427\u0435\u043b\u043e\u0432\u0435\u0447\u0435\u0441\u043a\u0438\u0439 \u0433\u043b\u0430\u0437 \u0431\u0443\u0434\u0435\u0442 \u0432\u0438\u0434\u0435\u0442\u044c \u043e\u0431\u0435 \u0444\u0443\u043d\u043a\u0446\u0438\u0438 \u0438\u0434\u0435\u043d\u0442\u0438\u0447\u043d\u044b\u043c\u0438, \u0432 \u0442\u043e \u0432\u0440\u0435\u043c\u044f \u043a\u0430\u043a \u043a\u043e\u043c\u043f\u0438\u043b\u044f\u0442\u043e\u0440 \u0440\u0430\u0437\u043b\u0438\u0447\u0430\u0435\u0442 \u043b\u0430\u0442\u0438\u043d\u0441\u043a\u0443\u044e \u00abH\u00bb \u0438 \u043a\u0438\u0440\u0438\u043b\u043b\u0438\u0447\u0435\u0441\u043a\u0443\u044e \u00abH\u00bb \u0438 \u043e\u0431\u0440\u0430\u0431\u0430\u0442\u044b\u0432\u0430\u0435\u0442 \u043a\u043e\u0434 \u043a\u0430\u043a \u0438\u043c\u0435\u044e\u0449\u0438\u0439 \u0434\u0432\u0435 \u0440\u0430\u0437\u043d\u044b\u0435 \u0444\u0443\u043d\u043a\u0446\u0438\u0438, \u043f\u043e\u044d\u0442\u043e\u043c\u0443 \u0440\u0435\u0437\u0443\u043b\u044c\u0442\u0430\u0442 \u0440\u0430\u0437\u043d\u044b\u043c.\n \n\u041e\u043a\u0430\u0437\u044b\u0432\u0430\u0435\u0442\u0441\u044f \u0442\u0430\u043a\u0436\u0435, \u0447\u0442\u043e \u0441\u0438\u043c\u0432\u043e\u043b\u044b Bidi \u0441\u043e\u0445\u0440\u0430\u043d\u044f\u044e\u0442\u0441\u044f \u043f\u0440\u0438 \u043a\u043e\u043f\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u0438/\u0432\u0441\u0442\u0430\u0432\u043a\u0435 \u0432 \u0431\u043e\u043b\u044c\u0448\u0438\u043d\u0441\u0442\u0432\u0435 \u0431\u0440\u0430\u0443\u0437\u0435\u0440\u043e\u0432, \u0440\u0435\u0434\u0430\u043a\u0442\u043e\u0440\u043e\u0432 \u0438 \u043e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c. 
Trojan Source \u0440\u0430\u0431\u043e\u0442\u0430\u0435\u0442 \u043f\u0440\u0430\u043a\u0442\u0438\u0447\u0435\u0441\u043a\u0438 \u0432\u043e \u0440\u0435\u0434\u0430\u043a\u0442\u043e\u0440\u0430\u0445 \u043a\u043e\u0434\u0430 \u0438 \u0432\u0435\u0431-\u0440\u0435\u043f\u043e\u0437\u0438\u0442\u043e\u0440\u0438\u044f\u0445 (\u043e\u0446\u0435\u043d\u0438\u0442\u0435 \u0441\u0430\u043c\u0438 \u043d\u0438\u0436\u0435 \u0432 \u0442\u0430\u0431\u043b\u0438\u0446\u0435)\n \n\u0417\u0430 \u0441\u0432\u043e\u0438 \u0438\u0437\u044b\u0441\u043a\u0430\u043d\u0438\u044f \u043d\u0430\u0443\u0447\u043d\u044b\u0435 \u0434\u0435\u044f\u0442\u0435\u043b\u0438 \u043f\u043e\u043b\u0443\u0447\u0438\u043b\u0438 \u0432 \u0441\u0440\u0435\u0434\u043d\u0435\u043c 2 246 \u0434\u043e\u043b\u043b\u0430\u0440\u043e\u0432 \u043f\u043e bugbounty. \u041d\u0430 GitHub \u043e\u043d\u0438 \u043f\u0440\u0435\u0434\u043e\u0441\u0442\u0430\u0432\u0438\u043b\u0438 PoC, \u043a\u043e\u0442\u043e\u0440\u044b\u0435 \u0434\u0435\u043c\u043e\u043d\u0441\u0442\u0440\u0438\u0440\u0443\u044e\u0442, \u043d\u0430\u0441\u043a\u043e\u043b\u044c\u043a\u043e \u0441\u0435\u0440\u044c\u0435\u0437\u043d\u043e\u0439 \u0443\u0433\u0440\u043e\u0437\u043e\u0439 \u043c\u043e\u0436\u0435\u0442 \u0431\u044b\u0442\u044c \u0430\u0442\u0430\u043a\u0430: \u0442\u0435\u043c \u0431\u043e\u043b\u0435\u0435, \u0447\u0442\u043e Trojan Source \u0437\u0430\u0442\u0440\u0430\u0433\u0438\u0432\u0430\u0435\u0442 \u043f\u043e\u0447\u0442\u0438 \u0432\u0441\u0435 \u043a\u043e\u043c\u043f\u044c\u044e\u0442\u0435\u0440\u043d\u044b\u0435 \u044f\u0437\u044b\u043a\u0438, \u0430 \u043f\u0430\u0442\u0447\u0438 \u0435\u0449\u0435 \u0442\u043e\u043b\u043a\u043e\u043c \u043d\u0435 \u0432\u044b\u043f\u0443\u0449\u0435\u043d\u044b, \u043e\u0441\u0442\u0430\u0432\u043b\u044f\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u044b\u043c\u0438 \u043f\u043e\u0447\u0442\u0438 \u0434\u0432\u0430 \u0434\u0435\u0441\u044f\u0442\u043a\u0430 
\u043f\u043e\u0441\u0442\u0430\u0432\u0449\u0438\u043a\u043e\u0432 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f.", "creation_timestamp": "2021-11-02T15:50:04.000000Z"}, {"uuid": "abdc5d0c-fda6-48f2-8e37-d32a6dc0aa79", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42574", "type": "published-proof-of-concept", "source": "https://t.me/ckuRED/45", "content": "CVE-2021-42574 - Code generator.\n\nhttps://github.com/js-on/CVE-2021-42574", "creation_timestamp": "2021-11-02T19:56:48.000000Z"}, {"uuid": "153350eb-a818-4e4c-af43-6bc30fbb2973", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42574", "type": "published-proof-of-concept", "source": "https://t.me/ckuRED/43", "content": "CVE-2021-42574\n\nResearchers devised a new attack method called \u2018Trojan Source\u2019 that allows hide vulnerabilities into the source code of a software project.\n\nhttps://www.trojansource.codes/\n\nDetails: https://securityaffairs.co/wordpress/124081/hacking/trojan-source-attack.html", "creation_timestamp": "2021-11-02T19:49:29.000000Z"}, {"uuid": "95af5226-6cb8-4e27-82a1-26536745c39d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42574", "type": "published-proof-of-concept", "source": "https://t.me/alexmakus/4361", "content": "\u0418\u0441\u0441\u043b\u0435\u0434\u043e\u0432\u0430\u0442\u0435\u043b\u0438 \u0438\u0437 \u041a\u0435\u043c\u0431\u0440\u0438\u0434\u0436\u0441\u043a\u043e\u0433\u043e \u0443\u043d\u0438\u0432\u0435\u0440\u0441\u0438\u0442\u0435\u0442\u0430 \u043e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043b\u0438 \u0442\u0435\u0445\u043d\u0438\u043a\u0443 
\u043d\u0435\u0437\u0430\u043c\u0435\u0442\u043d\u043e\u0439 \u043f\u043e\u0434\u0441\u0442\u0430\u043d\u043e\u0432\u043a\u0438 \u0432\u0440\u0435\u0434\u043e\u043d\u043e\u0441\u043d\u043e\u0433\u043e \u043a\u043e\u0434\u0430 \u0432 \u0440\u0435\u0446\u0435\u043d\u0437\u0438\u0440\u0443\u0435\u043c\u044b\u0435 \u0438\u0441\u0445\u043e\u0434\u043d\u044b\u0435 \u0442\u0435\u043a\u0441\u0442\u044b. \u041f\u043e\u0434\u0433\u043e\u0442\u043e\u0432\u043b\u0435\u043d\u043d\u044b\u0439 \u043c\u0435\u0442\u043e\u0434 \u0430\u0442\u0430\u043a\u0438 (CVE-2021-42574) \u043f\u0440\u0435\u0434\u0441\u0442\u0430\u0432\u043b\u0435\u043d \u043f\u043e\u0434 \u0438\u043c\u0435\u043d\u0435\u043c Trojan Source \u0438 \u0431\u0430\u0437\u0438\u0440\u0443\u0435\u0442\u0441\u044f \u043d\u0430 \u0444\u043e\u0440\u043c\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u0438 \u0442\u0435\u043a\u0441\u0442\u0430 \u043f\u043e \u0440\u0430\u0437\u043d\u043e\u043c\u0443 \u0432\u044b\u0433\u043b\u044f\u0434\u044f\u0449\u0435\u0433\u043e \u0434\u043b\u044f \u043a\u043e\u043c\u043f\u0438\u043b\u044f\u0442\u043e\u0440\u0430/\u0438\u043d\u0442\u0435\u0440\u043f\u0440\u0435\u0442\u0430\u0442\u043e\u0440\u0430 \u0438 \u0447\u0435\u043b\u043e\u0432\u0435\u043a\u0430, \u043f\u0440\u043e\u0441\u043c\u0430\u0442\u0440\u0438\u0432\u0430\u044e\u0449\u0435\u0433\u043e \u043a\u043e\u0434. 
\u041f\u0440\u0438\u043c\u0435\u0440\u044b \u043f\u0440\u0438\u043c\u0435\u043d\u0435\u043d\u0438\u044f \u043c\u0435\u0442\u043e\u0434\u0430 \u043f\u0440\u043e\u0434\u0435\u043c\u043e\u043d\u0441\u0442\u0440\u0438\u0440\u043e\u0432\u0430\u043d\u044b \u0434\u043b\u044f \u0440\u0430\u0437\u043b\u0438\u0447\u043d\u044b\u0445 \u043a\u043e\u043c\u043f\u0438\u043b\u044f\u0442\u043e\u0440\u043e\u0432 \u0438 \u0438\u043d\u0442\u0435\u0440\u043f\u0440\u0435\u0442\u0430\u0442\u043e\u0440\u043e\u0432, \u043f\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u043c\u044b\u0445 \u0434\u043b\u044f \u044f\u0437\u044b\u043a\u043e\u0432 C, C++ (gcc \u0438 clang), C#, JavaScript (Node.js), Java (OpenJDK 16), Rust, Go \u0438 Python.\n\nhttps://opennet.ru/56083/", "creation_timestamp": "2021-11-02T10:34:52.000000Z"}, {"uuid": "dc2db534-68fc-4645-8eab-36e8f53a8252", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42574", "type": "published-proof-of-concept", "source": "Telegram/QwmctutZhDu7jrXaU5oyRyKKwHKFEtgOupcJXhz2cTVjfw", "content": "", "creation_timestamp": "2021-11-03T15:01:34.000000Z"}, {"uuid": "914718f9-4155-49b4-b29c-5201f514b941", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42574", "type": "seen", "source": "Telegram/Iwb1D9IzvS2orK-cp1WadfQSK7-RMozGWg0hCvnc74bOZ8s", "content": "", "creation_timestamp": "2021-11-02T20:27:58.000000Z"}, {"uuid": "ded46284-5428-42de-b55c-d693bac1f2c4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42574", "type": "seen", "source": "https://t.me/CyberSecurityTechnologies/4889", "content": "#Analytics\nTop 10 Most Used Vulns of the Month (Nov 1-30)\nCVE-2021-22205 - GitLab CE/EE RCE\nhttps://t.me/cybersecuritytechnologies/4602\nCVE-2021-30883 - iOS 
IOMFB Vuln\nhttps://t.me/cybersecuritytechnologies/4497\nCVE-2021-3064 - Memory Corruption in PAN-OS GlobalProtect Portal/Gateway Interfaces\nhttps://t.me/cybersecuritytechnologies/4724\nCVE-2021-41379 - Windows Installer LPE\nhttps://t.me/cybersecuritytechnologies/4813\nCVE-2021-42321 - MS Exchange Post-Auth RCE\nhttps://t.me/cybersecuritytechnologies/4809\nCVE-2021-40539 - Zoho ManageEngine Auth. Bypass\nhttps://t.me/cybersecuritytechnologies/4718\nCVE-2021-41277 - MetaBase Arbitrary File Read\nhttps://t.me/cybersecuritytechnologies/4802\nCVE-2021-43267 - Remote Kernel Heap Overflow in TIPC\nhttps://t.me/cybersecuritytechnologies/4678\nCVE-2021-42574 - Unicode Bidirectional override vuln\nhttps://github.com/js-on/CVE-2021-42574\nhttps://github.com/pierDipi/unicode-control-characters-action\nCVE-2021-24084 - Windows MDM LPE\nhttps://t.me/cybersecuritytechnologies/4850", "creation_timestamp": "2021-12-03T11:00:35.000000Z"}, {"uuid": "61b6d76a-e57e-494e-a911-d9c8f5261c7d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42574", "type": "seen", "source": "https://t.me/NeKaspersky/1410", "content": "Trojan Source \u043f\u0440\u0435\u0434\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 \u0443\u0433\u0440\u043e\u0437\u0443 \u0434\u043b\u044f \u0441\u043e\u0444\u0442\u0430 \u043f\u043e \u0432\u0441\u0435\u043c\u0443 \u043c\u0438\u0440\u0443 \n\n\u0412\u0447\u0435\u0440\u0430 \u0431\u044b\u043b\u0430 \u043e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0431\u043e\u043b\u044c\u0448\u0438\u043d\u0441\u0442\u0432\u0430 \u0441\u043e\u0432\u0440\u0435\u043c\u0435\u043d\u043d\u044b\u0445 \u043a\u043e\u043c\u043f\u0438\u043b\u044f\u0442\u043e\u0440\u043e\u0432, \u043d\u0430\u043f\u0438\u0441\u0430\u043d\u043d\u044b\u0445 \u043d\u0430  C, C++, C#, Go, Java, JavaScript, Python \u0438 Rust. 
\u041d\u0435 \u0438\u0441\u043a\u043b\u044e\u0447\u0435\u043d\u043e, \u0447\u0442\u043e \u0442\u0435\u0445\u043d\u0438\u043a\u0430 \u043d\u0435\u0437\u0430\u043c\u0435\u0442\u043d\u043e\u0439 \u043f\u043e\u0434\u0441\u0442\u0430\u043d\u043e\u0432\u043a\u0438 \u0432\u0440\u0435\u0434\u043e\u043d\u043e\u0441\u043d\u043e\u0433\u043e \u043a\u043e\u0434\u0430 \u0440\u0430\u0431\u043e\u0442\u0430\u0435\u0442 \u0438 \u0434\u043b\u044f \u043a\u043e\u043c\u043f\u0438\u043b\u044f\u0442\u043e\u0440\u043e\u0432 \u0438 \u0438\u043d\u0442\u0435\u0440\u043f\u0440\u0435\u0442\u0430\u0442\u043e\u0440\u043e\u0432 \u0434\u043b\u044f \u0434\u0440\u0443\u0433\u0438\u0445 \u044f\u0437\u044b\u043a\u043e\u0432.  \n\n\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043f\u0440\u0438\u0441\u0432\u043e\u0438\u043b\u0438 \u0438\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440 CVE-2021-42574 . \u0415\u0435 \u0441\u0443\u0442\u044c \u0432 \u0441\u043e\u0437\u0434\u0430\u043d\u0438\u0438 \u0443\u0441\u043b\u043e\u0432\u0438\u044f \u0434\u043b\u044f \u043c\u0430\u043d\u0438\u043f\u0443\u043b\u044f\u0446\u0438\u0438 \u043a\u043e\u0434\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u0435\u043c \u0441\u0438\u043c\u0432\u043e\u043b\u043e\u0432 \u0432 \u0438\u0441\u0445\u043e\u0434\u043d\u044b\u0445 \u0444\u0430\u0439\u043b\u0430\u0445. 
\u0415\u0441\u043b\u0438 \u0433\u043e\u0432\u043e\u0440\u0438\u0442\u044c \u043f\u0440\u043e\u0449\u0435, \u0442\u043e \u0440\u0430\u0431\u043e\u0442\u0430 Trojan Source \u0441\u043e\u0441\u0442\u043e\u0438\u0442 \u0432 \u0442\u043e\u043c, \u0447\u0442\u043e \u043a\u043e\u043c\u043f\u0438\u043b\u044f\u0442\u043e\u0440 \u043d\u0435 \u043e\u0431\u0440\u0430\u0431\u0430\u0442\u044b\u0432\u0430\u0435\u0442 \u0441\u043f\u0435\u0446\u0438\u0430\u043b\u044c\u043d\u044b\u0435 Unicode-\u0438\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0438 \u0437\u043b\u043e\u0443\u043c\u044b\u0448\u043b\u0435\u043d\u043d\u0438\u043a \u0430\u0442\u0430\u043a\u0443\u0435\u0442 \u0441\u0440\u0430\u0437\u0443 \u043a\u043e\u0434\u0438\u0440\u043e\u0432\u043a\u0443 \u0444\u0430\u0439\u043b\u043e\u0432 \u0438\u0441\u0445\u043e\u0434\u043d\u043e\u0433\u043e \u043a\u043e\u0434\u0430 \u0434\u043b\u044f \u043f\u043e\u0441\u043b\u0435\u0434\u0443\u044e\u0449\u0435\u0433\u043e \u0432\u0431\u0440\u043e\u0441\u0430 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u0432 \u043a\u043e\u0434.\n\n\u0420\u0430\u0431\u043e\u0442\u0430\u0435\u0442 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0431\u043b\u0430\u0433\u043e\u0434\u0430\u0440\u044f \u0438\u0437\u043c\u0435\u043d\u0435\u043d\u0438\u044e \u043f\u043e\u0440\u044f\u0434\u043a\u0430 \u0441\u0438\u043c\u0432\u043e\u043b\u043e\u0432 \u0438\u0441\u0445\u043e\u0434\u043d\u043e\u0433\u043e \u043a\u043e\u0434\u0430 \u0442\u0430\u043a\u0438\u043c \u043e\u0431\u0440\u0430\u0437\u043e\u043c, \u0447\u0442\u043e\u0431\u044b \u044d\u0442\u043e \u0438\u0437\u043c\u0435\u043d\u0438\u043b\u043e \u0435\u0433\u043e \u043b\u043e\u0433\u0438\u043a\u0443, \u043a\u043e\u0442\u043e\u0440\u0430\u044f, \u0445\u043e\u0442\u044f \u0438 \u0441\u0435\u043c\u0430\u043d\u0442\u0438\u0447\u0435\u0441\u043a\u0438 \u043f\u0440\u0430\u0432\u0438\u043b\u044c\u043d\u0430, 
\u043e\u0442\u043b\u0438\u0447\u0430\u0435\u0442\u0441\u044f \u043e\u0442 \u043b\u043e\u0433\u0438\u043a\u0438, \u043f\u0440\u0435\u0434\u0441\u0442\u0430\u0432\u043b\u0435\u043d\u043d\u043e\u0439 \u043b\u043e\u0433\u0438\u0447\u0435\u0441\u043a\u0438\u043c \u0443\u043f\u043e\u0440\u044f\u0434\u043e\u0447\u0435\u043d\u0438\u0435\u043c \u043c\u0430\u0440\u043a\u0435\u0440\u043e\u0432 \u0438\u0441\u0445\u043e\u0434\u043d\u043e\u0433\u043e \u043a\u043e\u0434\u0430. \u0421\u0430\u043c\u043e\u0435 \u0438\u043d\u0442\u0435\u0440\u0435\u0441\u043d\u043e\u0435 \u0442\u043e, \u0447\u0442\u043e \u043a\u043e\u0434\u0438\u0440\u043e\u0432\u043a\u0438 \u043d\u0435 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u044f\u0442 \u043d\u0438\u043a\u0430\u043a\u0438\u0445 \u0432\u0438\u0437\u0443\u0430\u043b\u044c\u043d\u044b\u0445 \u0430\u0440\u0442\u0435\u0444\u0430\u043a\u0442\u043e\u0432. \n\n \u041b\u044e\u0431\u043e\u0439 \u0445\u0430\u043a\u0435\u0440 \u0438\u043b\u0438 \u043b\u0430\u043c\u0435\u0440 \u0441\u043c\u043e\u0436\u0435\u0442 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u044c \u044d\u0442\u0443 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c, \u0447\u0442\u043e\u0431\u044b \u0437\u0430\u043a\u0438\u043d\u0443\u0442\u044c \u0441\u0432\u043e\u0439 \u043f\u0443\u0441\u0442\u044c \u0434\u0430\u0436\u0435 \u0441\u0430\u043c\u044b\u0439 \u043f\u0440\u043e\u0441\u0442\u043e\u0439 \u043a\u043e\u0434, \u043f\u0440\u0438 \u044d\u0442\u043e\u043c \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u044f \u043e\u0434\u0438\u043d \u0438\u0437 \u0441\u0430\u043c\u044b\u0445 \u043f\u043e\u043f\u0443\u043b\u044f\u0440\u043d\u044b\u0445 \u044f\u0437\u044b\u043a\u043e\u0432 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u044f, \u043d\u043e \u043d\u0438 \u043e\u0434\u0438\u043d \u0430\u043d\u0430\u043b\u0438\u0442\u0438\u043a \u044d\u0442\u043e\u0433\u043e \u043d\u0435 \u0443\u0432\u0438\u0434\u0438\u0442. 
\u0412 \u044d\u0442\u043e \u0442\u0440\u0443\u0434\u043d\u043e \u043f\u043e\u0432\u0435\u0440\u0438\u0442\u044c, \u043e\u0434\u043d\u0430\u043a\u043e \u044d\u0442\u043e \u0433\u043e\u0440\u044c\u043a\u0430\u044f \u043f\u0440\u0430\u0432\u0434\u0430.\n\n\u041c\u043e\u0436\u043d\u043e \u043b\u0438 \u0437\u0430\u0449\u0438\u0442\u0438\u0442\u044c\u0441\u044f \u043e\u0442 \u044d\u0442\u043e\u0433\u043e?\u041a\u043e\u043c\u043f\u0438\u043b\u044f\u0442\u043e\u0440 \u0438 \u0438\u043d\u0442\u0435\u0440\u043f\u0440\u0435\u0442\u0430\u0442\u043e\u0440\u044b, \u043f\u043e\u0434\u0434\u0435\u0440\u0436\u0438\u0432\u0430\u044e\u0449\u0438\u0435 Unicode-\u0438\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b, \u0434\u043e\u043b\u0436\u043d\u044b \u0441\u0440\u0430\u0437\u0443 \u0436\u0435 \u043f\u043e\u043a\u0430\u0437\u044b\u0432\u0430\u0442\u044c \u043e\u0448\u0438\u0431\u043a\u0438 \u0434\u043b\u044f \u0434\u0435\u0442\u0435\u0440\u043c\u0438\u043d\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u0445 \u0434\u0432\u0443\u043d\u0430\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u043d\u044b\u0445 \u0443\u043f\u0440\u0430\u0432\u043b\u044f\u044e\u0449\u0438\u0445 \u0441\u0438\u043c\u0432\u043e\u043b\u043e\u0432 \u0432 \u043a\u043e\u043c\u043c\u0435\u043d\u0442\u0430\u0440\u0438\u044f\u0445 \u0438\u043b\u0438 \u0441\u0442\u0440\u043e\u043a\u043e\u0432\u044b\u0445 \u043b\u0438\u0442\u0435\u0440\u0430\u043b\u0430\u0445, \u0430 \u0442\u0430\u043a\u0436\u0435 \u0434\u043b\u044f \u0438\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u043e\u0432 \u0441\u043e \u0441\u043c\u0435\u0448\u0430\u043d\u043d\u044b\u043c\u0438 \u0441\u0438\u043c\u0432\u043e\u043b\u0430\u043c\u0438, \u0430 \u0441\u043f\u0435\u0446\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u043c\u043e\u0433\u043e \u044f\u0437\u044b\u043a\u0430 \u0437\u0430\u043f\u0440\u0435\u0449\u0430\u0442\u044c 
\u043d\u0435\u0443\u0442\u043e\u0447\u043d\u0435\u043d\u043d\u044b\u0435 \u0434\u0432\u0443\u043d\u0430\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u043d\u044b\u0435 \u0443\u043f\u0440\u0430\u0432\u043b\u044f\u0435\u043c\u044b\u0435 \u0441\u0438\u043c\u0432\u043e\u043b\u044b \u0432 \u043a\u043e\u043c\u043c\u0435\u043d\u0442\u0430\u0440\u0438\u044f\u0445.\n\n\u041f\u043e\u043a\u0430 \u0447\u0442\u043e \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0438 \u043f\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044e \u043a\u043e\u043c\u043f\u0438\u043b\u044f\u0442\u043e\u0440\u043e\u0432 \u0438 \u043e\u0447\u0438\u0441\u0442\u043a\u0435 \u0431\u0430\u0437\u043e\u0432\u044b\u0445 \u043a\u043e\u0434\u043e\u0432 \u043e\u0442 \u043d\u0435\u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u044b\u0445 \u0437\u0430\u0432\u0438\u0441\u0438\u043c\u043e\u0441\u0442\u0435\u0439 \u043e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043b\u0438 \u0442\u043e\u043b\u044c\u043a\u043e \u0443\u0447\u0430\u0441\u0442\u043d\u0438\u043a\u0438 \u043f\u0440\u043e\u0435\u043a\u0442\u0430 Rust.", "creation_timestamp": "2021-11-02T13:24:33.000000Z"}, {"uuid": "6bba259b-b565-4b31-af8b-99ca01202f32", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42574", "type": "seen", "source": "https://gist.github.com/serpi4/aba8a4ee71a0b5033f1f2918195fdd95", "content": "# dev-signals \u2192 dev-a substrate reconciliation \u2014 survey of 12 candidate predicates\n\n**Purpose**: facilitate decision on Option (3) \u2014 bulk reconcile vs sequential re-lift \u2014 by surveying what's actually in the dev-signals substrate.\n\n**Date**: 2026-05-10\n**dev-a tip**: `10defe8c` (3 predicates: FF-22/23/46)\n**dev-signals tip**: `594d3368` (14 predicates: FF-22 + 13 unique)\n**Subject of immediate Q**: FF-39 (excluded from this survey \u2014 assessed separately)\n**Survey target**: 12 
dev-signals-only predicates (FF-28/29/34/35/36/37/38/40/41/42/43/45) + a note on FF-22 divergence\n\n> **Why 12 and not 11**: the original Q referenced \"remaining 11\"; counting the actual dev-signals-only set yields 12 (excluding FF-39 + FF-22-which-is-on-both). FF-22 also has a 217-line divergence between dev-a and dev-signals \u2014 included as Annex A.\n\n---\n\n## TL;DR\n\n| Bucket | FFs | Recommendation |\n|---|---|---|\n| **A. Strong-architectural** (clear AC candidate, anchor incidents, generalizing principle) | FF-40, FF-42, FF-43, FF-45 | Port with adaptation \u2014 high signal, modest re-derivation cost |\n| **B. Medium-architectural** (architectural in spirit, but heuristic classification or domain-leaning) | FF-28, FF-29, FF-34, FF-36 | Port if the matching AC slot exists \u2014 lift gate Q1/Q2 will likely pass |\n| **C. Borderline / process-flavored** (might fail Q1 \"is it architectural?\" or Q3 \"anchor evidence?\") | FF-35, FF-37, FF-38, FF-41 | Architectural-lift gate first; some likely demote to integration tests / ADRs / process-FFs |\n| **Subject** | FF-39 | Pick (1) or (2) per separate convo; this gist informs the (3) frame |\n\n**Bucket A** alone is ~5 days of port work (saves ~20+ days of from-scratch lift).\n**Bucket A+B** is ~11 days port (saves ~40+ days from-scratch).\n**Bucket C** likely 1-2 demote out of the lift entirely.\n\n---\n\n## Quick stats (dev-signals predicates)\n\n| FF | LOC | Tier | Kind | Coverage | Scope | Anchor incidents |\n|---|---:|---|---|---|---|---|\n| FF-22 | 273+217=490 | regex | (n/a, on dev-a) | cross-cutting | atomic | TASK-4173, TASK-4204 |\n| FF-28 | 265 | regex | trend (implicit) | cross-cutting | atomic | B1 typo, /admin/ops/* (lessons-learned 2026-04-27) |\n| FF-29 | 164 | regex | trend (implicit) | cross-cutting | holistic | EventOpsNavBlock drop (2026-04-27, ~7d undetected) |\n| FF-34 | 308 | regex | **tripwire** | domain-specific | holistic | TASK-4161, TASK-4291 (ADR-046) |\n| FF-35 | 183 | 
ast-grep | **tripwire** | domain-specific | atomic | TASK-4307 (ADR-048) |\n| FF-36 | 245 | ast-grep | trend (implicit) | cross-cutting | holistic | (none \u2014 preventive) |\n| FF-37 | 283 | ast-grep | trend (implicit) | cross-cutting | holistic | (none \u2014 preventive) |\n| FF-38 | 501 | ast-grep | trend (implicit) | cross-cutting | holistic | (none \u2014 preventive) |\n| FF-39 | 385 | regex | (subject) | cross-cutting | holistic | (none cited) |\n| FF-40 | 327 | ast-grep | trend (implicit) | cross-cutting | holistic | (none \u2014 preventive, ADR-005) |\n| FF-41 | 276 | fs-walk | trend (implicit) | cross-cutting | holistic | (none \u2014 process-FF) |\n| FF-42 | 251 | regex | **tripwire** | cross-cutting | atomic | ZWSP/ICU translator copy-paste class, CVE-2021-42574 |\n| FF-43 | 185 | fs-walk | **trend** (declared) | cross-cutting | holistic | 2026-04-29 ID collision crisis (TASK-4250..4254) |\n| FF-45 | 249 | regex | **trend** (declared) | cross-cutting | holistic | 2026-04-29 retro (no-build-id forensics gap) |\n\n**Total dev-signals-only LOC**: 3,622 across 13 predicates (avg 279 LOC each)\n**Total fixtures across 12 surveyed**: 117 corpus files\n\n---\n\n## Per-FF assessment\n\n### Bucket A \u2014 Strong-architectural (port with high confidence)\n\n#### FF-40 \u2014 BC Coupling Trend (LOC-weighted isolation gradient)\n- **Principle**: ADR-005 \u2014 no cross-BC value imports. Generalizes to \"every BC is a clean island\" \u2014 same shape as Conway's Law decoupling, hexagonal-arch port boundaries.\n- **AC candidate**: **AC-04 \u2014 Module-Boundary Discipline** (charter has placeholder \"Module-boundary discipline \u2014 backed by FF-01, FF-40\").\n- **Lift gate verdict**: PASS. Q1 architectural \u2713 (cross-BC coupling is universal arch concern). Q2 generalizes \u2713 (all 6 BCs). Q3 anchor evidence \u2014 **WEAK** (no specific incidents cited; preventive). Q4 falsifiable \u2713. Q5 escapable via SAFE annotation \u2713. 
Q6 detector tier appropriate \u2713.\n- **Port effort**: 1-2 days. Logic is solid; needs `kind: 'trend'` declared, AC-04 charter entry, anchor-incident hunt (look at FF-01 v1 violations for backfill).\n- **Note**: substantial overlap with FF-36 (cross-BC events) \u2014 same imports, different scoring. Decide if both port or pick one.\n\n#### FF-42 \u2014 Invisible Unicode Detector\n- **Principle**: source files must contain only printable+intentional characters. Maps to **AC-05 \u2014 Source Integrity / Trojan-Source Defense** (would be a NEW AC).\n- **Lift gate verdict**: PASS. Q1 \u2713 (security boundary, CVE-2021-42574 class). Q2 \u2713 (any source file). Q3 \u2713 (translator copy-paste class, ZWSP equality bugs). Q4 \u2713 (lexical detection). Q5 \u2713 (SAFE annotation). Q6 \u2713 (regex tier appropriate).\n- **Port effort**: 1 day. Already declared `kind: 'tripwire'`. Needs new AC-05 charter entry.\n- **Strongest case in the survey** \u2014 clear bug class, framework-agnostic principle, cheap detection.\n\n#### FF-43 \u2014 Backlog Ticket-ID Uniqueness (trend)\n- **Principle**: ID-space integrity for the project's traceability spine. Maps to **AC-06 \u2014 Traceability** (charter has placeholder \"Traceability \u2014 backed by FF-25, FF-26, FF-43\").\n- **Lift gate verdict**: PASS-with-note. Q1 architectural \u2713 (traceability is a quality attribute per Ford ch.2). Q2 \u2713 (whole backlog). Q3 \u2713 (2026-04-29 collision crisis). Q4 \u2713 (filename detection). Q6 \u2713 (fs-walk).\n- **Note**: technically a **process-FF / Ford-canonical** (not code-architecture). Charter entry would explain that distinction.\n- **Port effort**: 0.5 day. Already declared `kind: 'trend'`. Needs AC-06 entry consolidating with FF-25/26.\n\n#### FF-45 \u2014 Build-Version Exposure (ADR-034 \u00a75)\n- **Principle**: deployed images must be self-identifying for incident forensics. 
Maps to **AC-07 \u2014 Diagnosability** (charter has placeholder \"Diagnosability \u2014 backed by FF-27, FF-45\").\n- **Lift gate verdict**: PASS. Q1 \u2713 (observability/diagnosability is a textbook architectural characteristic). Q2 \u2713 (every Docker build site). Q3 \u2713 (2026-04-29 retro, build-id forensics gap). Q4 \u2713 (regex). Q6 \u2713.\n- **Port effort**: 1 day. Already declared `kind: 'trend'`. Needs AC-07 entry.\n\n**Bucket A total**: ~4 days port + 4 new AC entries + ~36 corpus fixtures preserved.\n\n---\n\n### Bucket B \u2014 Medium-architectural (port if AC slot exists)\n\n#### FF-28 \u2014 Admin HREF Validity\n- **Principle**: framework-mounted route table is the truth; static hrefs must agree. Maps to existing **AC-02 (Admin-List Primary-Column Navigability)** as a peer invariant, OR a new \"Admin UI Surface Integrity\" AC consolidating FF-28/29.\n- **Lift gate verdict**: PASS. Q1 \u2713 (mental-model-drift class generalizes). Q2 \u2713 (cross-BC). Q3 \u2713 (B1 typo, /admin/ops/* drops). Q4-Q6 \u2713.\n- **Port effort**: 1.5 days. Route registry needs refresh (hardcoded snapshot from 2026-05-03 \u2014 likely already stale on dev-a). No `kind:` declared \u2192 needs `tripwire` (each broken href = silent regression).\n- **Risk**: route registry maintenance cost \u2014 every collection slug change requires an update. Could be auto-derived from payload.config.ts.\n\n#### FF-29 \u2014 Admin Shell Wiring\n- **Principle**: components that don't get referenced from config are dead. Companion to FF-19. Same AC slot as FF-28 (Admin UI Surface Integrity).\n- **Lift gate verdict**: PASS. Q1 \u2713. Q2 \u2713 (any shell component). Q3 \u2713 (EventOpsNavBlock incident). Q4-Q6 \u2713.\n- **Port effort**: 1 day. 
Probably consolidate with FF-28 into one \"admin-config-vs-code drift\" lift.\n\n#### FF-34 \u2014 Invariant Parity (ADR-046 cross-layer enforcement)\n- **Principle**: if you publish a pure invariant module, it must be consumed by both server hooks AND client UI (otherwise bare PATCH bypasses the gate). **Already declared `kind: 'tripwire'`**.\n- **AC candidate**: NEW \u2014 **AC-08 \u2014 Cross-Layer Enforcement Discipline** (would map to \"tripwire FF for ADR-046 violations\"). Or fold into a broader \"Approval Pipeline Input Fidelity\" extension (AC-01 already exists for FF-46 \u2014 but that's about preservation, not parity).\n- **Lift gate verdict**: PASS, but Q1 is borderline. Axes declares `coverage: 'domain-specific'` \u2014 acknowledging the rule is project-specific (ADR-046 + ADR-006). Q2 generalizes across BCs \u2713 (any pure-invariant module). Q3 \u2713 (TASK-4161, TASK-4291).\n- **Port effort**: 2 days. Architectural-lift gate Q1 will need defense \u2014 \"is this architectural or domain?\" The principle (cross-layer enforcement of pure functions) is architectural; the specific mechanism (ADR-046 module convention) is project-specific. Frame it as ADR-046 \u2192 arch char.\n\n#### FF-36 \u2014 Cross-BC Event Coverage\n- **Principle**: cross-BC interactions must mediate via eventBus, not direct imports. Same AC-04 as FF-40 (or sibling).\n- **Lift gate verdict**: PASS. Q1-Q6 mirror FF-40.\n- **Port effort**: 1.5 days. **Note overlap with FF-40** \u2014 they detect the same import pattern but score differently (FF-36 = D/(D+E), FF-40 = LOC-ratio). Worth deciding if both add signal or one is redundant.\n\n**Bucket B total**: ~6 days port if all four ported; could collapse to ~4 days if FF-28+29 merged and FF-36/40 merged.\n\n---\n\n### Bucket C \u2014 Borderline / process-flavored\n\n#### FF-35 \u2014 State-Transition Idiom (ADR-048)\n- **Principle**: `dispatchFields` is racy under React 18 batching \u2192 use `submit({ overrides })`. 
Already declared `kind: 'tripwire'`.\n- **Lift gate verdict**: BORDERLINE. Q1 \u2014 the rule is **specific to one Payload UI primitive in one BC pattern** (admin gate components). Q2 generalizes across \"transition fields\" but only within Payload admin gates. The principle (avoid stale-snapshot reads) is architectural; the specific manifestation is narrow.\n- **Recommendation**: **lift gate first** \u2014 likely demotes to ADR-048 enforcement test, not a top-level FF. Or keep as a tripwire under a \"React Concurrency Discipline\" AC if other patterns surface.\n- **Port effort if kept**: 1 day.\n\n#### FF-37 \u2014 Hook Side-Effect Declarativeness\n- **Principle**: hooks should be EMITS / AUDIT_WRITES / PURE / OPAQUE; declarative ratio measures architectural debt.\n- **Lift gate verdict**: BORDERLINE. Q1 \u2014 declarativeness IS an architectural characteristic. Q3 \u2014 **no anchor incidents cited**. Q4 \u2014 classification heuristic is fragile (e.g., \"import-anchored publish() detection\" can false-positive/negative).\n- **Recommendation**: lift gate first. Likely outcome: defer until anchor incidents surface OR demote to \"hook code review checklist\" via `.claude/skills/`. The 4-class classification has subjective edges.\n- **Port effort if kept**: 2 days.\n\n#### FF-38 \u2014 Access Control Completeness\n- **Principle**: scope filters (Where conditions) are stronger than role-only checks. Score = STRONG / total.\n- **Lift gate verdict**: BORDERLINE. Q1 \u2713 (security boundary). Q3 \u2014 **no anchor incident**; this is a preventive gradient. Q4 \u2014 STRONG vs ROLE_ONLY classification is heuristic and false-positive prone (e.g., a role check inside `where:` clause might miscount). Q6 \u2014 501 LOC suggests the heuristic is fragile.\n- **Recommendation**: lift gate first. Probably lands as report-only-forever \u2014 useful as a surveillance metric but not a tripwire. Could re-frame as ADR-009 enforcement audit.\n- **Port effort if kept**: 2 days. 
Highest LOC in the set.\n\n#### FF-41 \u2014 Invariant Test Coverage Gradient (per-BC)\n- **Principle**: every BC has \u22651 invariant test. Companion to FF-09.\n- **Lift gate verdict**: BORDERLINE. Q1 \u2014 this is a **process-FF** (Ford ch.2 \u00a7Coverage uses these for governance, not arch). Q3 no anchor incident. The principle (\"all BCs have tests\") is testing hygiene, not architectural integrity.\n- **Recommendation**: **probably DON'T port as architectural FF.** Either keep as a `kind: 'process'` (introduce that classifier), or demote to a CI gate alongside `pnpm test`.\n- **Port effort if kept**: 1 day.\n\n**Bucket C verdict**: 1-2 of these likely get demoted/deferred during the gate pass. Saves 4-6 days vs porting all.\n\n---\n\n## Recommended phasing IF (3) is chosen\n\n**Tier-1 Reconcile (sprint 1, ~5 days)** \u2014 port Bucket A:\n- FF-40 + FF-42 + FF-43 + FF-45\n- Charter additions: AC-04 (Module-Boundary), AC-05 (Source Integrity), AC-06 (Traceability), AC-07 (Diagnosability)\n- Single audit PR + 4 port PRs\n\n**Tier-2 Reconcile (sprint 2, ~6 days)** \u2014 port Bucket B:\n- FF-28+29 merged into one Admin Surface Integrity lift\n- FF-34 (cross-layer enforcement)\n- FF-36 (decide vs FF-40 overlap)\n- Charter: AC-08 + AC-09 (or consolidate into AC-04)\n\n**Tier-3 Reconcile (sprint 3, ~3 days)** \u2014 Bucket C lift-gate:\n- Run architectural-lift Q1-Q6 gate on FF-35/37/38/41\n- Output: Demote 1-2 to process FFs / ADR-only / regression tests; port the survivors\n- Likely: keep FF-35 (already tripwire-classified), demote FF-41 to process-FF, defer FF-37/38 until anchor incidents\n\n**Total Tier-1+2+3**: ~14 days for ~10 ported predicates + 5-6 new AC charter entries + ~110 corpus fixtures preserved.\n\n**Compare to from-scratch sequential** (the dev-a \"drop-and-rederive\" plan): ~5 days \u00d7 13 FFs = ~65 days at the FF-23 cadence. 
Net savings from (3): ~50 days.\n\n---\n\n## Decision matrix \u2014 (1) vs (2) vs (3)\n\n|  | (1) Port FF-39 only | (2) Rebuild FF-39 from scratch | (3) Reconcile substrates first |\n|---|---|---|---|\n| Time to ship FF-39 | ~1.5 days | ~4 days | ~6 days (1.5 audit + Tier-1 Bucket A includes FF-39) |\n| Strategy clarity | Low \u2014 repeats decision 12 more times | Medium \u2014 each FF gets fresh gate | **High** \u2014 decide once, execute |\n| Lift-gate value | Skipped retroactively | Applied per-FF | **Applied across substrate** \u2014 discovers patterns |\n| AC charter completeness | +1 entry (AC-04) | +1 entry (AC-04) | **+5-6 entries** (AC-04..09) |\n| Risk if FF-40/42/43/45 get stale | Low (will be re-lifted later) | Low | **Eliminates risk** \u2014 they all land |\n| PR count to clear backlog | 1 now + 12 later = 13 PRs | 1 now + 12 later = 13 PRs | 1 audit + ~10 port = ~11 PRs |\n| Effort cost if you only want FF-39 | **Lowest** | High | Highest (sunk cost on Bucket A/B even if you don't use them) |\n| Effort cost if you want full v2 | **Highest** (sequential drag) | Highest (rebuild \u00d7 13) | **Lowest** (~14 days vs ~65 days) |\n\n---\n\n## Annex A \u2014 FF-22 divergence\n\ndev-signals has a **217-line larger FF-22** than dev-a (490 LOC vs 273 LOC). dev-a's version is the architectural-lift output of PR #18537. dev-signals' version pre-dates it \u2014 likely has the calibration logic from PR #18410 sidecar phase 1 plus subsequent fixes.\n\n**Decision needed regardless of (1)/(2)/(3)**: which FF-22 wins on dev-a if dev-signals work ever merges? 
Recommend: dev-a's version (architectural-lift-gated) is canonical; dev-signals' version absorbs its delta into adversarial corpus fixtures or gets discarded.\n\n---\n\n## My recommendation\n\nIf the goal is **\"v2 substrate complete in <1 month\"** \u2192 **(3) Reconcile**, executing Tier-1 first (covers FF-39 + 3 high-value Bucket A FFs).\n\nIf the goal is **\"FF-39 specifically because of an anchor incident I haven't surfaced yet\"** \u2192 **(1) Port**, then defer the rest until an actual incident demands a port.\n\nIf the goal is **\"force every FF through the architectural-lift gate ceremony\"** \u2192 **(2) Rebuild**, accepting the ~65-day re-lift cost.\n\nThe **Bucket A** FFs (FF-40/42/43/45) are unambiguously high-value \u2014 the question for (3) is mainly whether to take them now or accept they'll get sequentially re-lifted later anyway. Each month of delay = month of dev-signals work being increasingly stale (the sidecar branch hasn't been touched since 2026-05-04 PR #18410, and dev-a has diverged 57 commits ahead \u2014 including substantial test reorganization).\n", "creation_timestamp": "2026-05-10T19:16:47.000000Z"}]}