{"id":54129,"date":"2023-10-12T13:47:43","date_gmt":"2023-10-12T13:47:43","guid":{"rendered":"https:\/\/packetstormsecurity.com\/news\/view\/35113\/1-Click-RCE-On-GNOME-Via-libcue.html"},"modified":"2023-10-12T13:47:43","modified_gmt":"2023-10-12T13:47:43","slug":"1-click-rce-on-gnome-via-libcue","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/1-click-rce-on-gnome-via-libcue\/","title":{"rendered":"1-Click RCE On GNOME Via libcue"},"content":{"rendered":"<p><head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"> <link rel=\"profile\" href=\"https:\/\/gmpg.org\/xfn\/11\"> <link rel=\"icon\" type=\"image\/x-icon\" href=\"https:\/\/github.githubassets.com\/favicon.ico\"> <meta name=\"robots\" content=\"index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1\"> <!-- This site is optimized with the Yoast SEO Premium plugin v21.2 (Yoast SEO v21.2) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ --> <title>Coordinated Disclosure: 1-Click RCE on GNOME (CVE-2023-43641) &#8211; The GitHub Blog<\/title> <meta name=\"description\" content=\"CVE-2023-43641 is a vulnerability in libcue, which can lead to code execution by downloading a file on GNOME.\"> <link rel=\"canonical\" href=\"https:\/\/github.blog\/2023-10-09-coordinated-disclosure-1-click-rce-on-gnome-cve-2023-43641\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Coordinated Disclosure: 1-Click RCE on GNOME (CVE-2023-43641)\"> <meta property=\"og:description\" content=\"CVE-2023-43641 is a vulnerability in libcue, which can lead to code execution by downloading a file on GNOME.\"> <meta property=\"og:url\" content=\"https:\/\/github.blog\/2023-10-09-coordinated-disclosure-1-click-rce-on-gnome-cve-2023-43641\/\"> <meta property=\"og:site_name\" content=\"The GitHub Blog\"> <meta property=\"article:published_time\" content=\"2023-10-09T17:00:41+00:00\"> <meta property=\"og:image\" content=\"https:\/\/github.blog\/wp-content\/uploads\/2023\/10\/Security-DarkMode-4.png\"> <meta property=\"og:image:width\" content=\"1200\"> <meta property=\"og:image:height\" content=\"630\"> <meta property=\"og:image:type\" content=\"image\/png\"> <meta name=\"author\" content=\"Kevin Backhouse\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:label1\" content=\"Written by\"> <meta name=\"twitter:data1\" content=\"Kevin Backhouse\"> <meta name=\"twitter:label2\" content=\"Est. reading time\"> <meta name=\"twitter:data2\" content=\"8 minutes\"> <!-- \/ Yoast SEO Premium plugin. --> <link rel=\"dns-prefetch\" href=\"\/\/cdnjs.cloudflare.com\">\n<link rel=\"dns-prefetch\" href=\"\/\/analytics.githubassets.com\">\n<link rel=\"dns-prefetch\" href=\"\/\/stats.wp.com\">\n<link rel=\"dns-prefetch\" href=\"\/\/v0.wordpress.com\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"The GitHub Blog \u00bb Feed\" href=\"https:\/\/github.blog\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"The GitHub Blog \u00bb Comments Feed\" href=\"https:\/\/github.blog\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-0\" href=\"https:\/\/github.blog\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1697142927g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/github.blog\/wp-content\/themes\/github-2021\/assets\/css\/site.min.css?m=1696345416g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"highlightjs-css-css\" href=\"https:\/\/cdnjs.cloudflare.com\/ajax\/libs\/highlight.js\/11.4.0\/styles\/default.min.css?ver=11.4.0\" media=\"all\">\n<link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/github.blog\/wp-content\/mu-plugins\/jetpack-12.6\/css\/jetpack.css?m=1696961177g\" type=\"text\/css\" media=\"all\">\n<link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/github.blog\/wp-json\/\"><link rel=\"alternate\" type=\"application\/json\" href=\"https:\/\/github.blog\/wp-json\/wp\/v2\/posts\/74613\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/github.blog\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.3.2\">\n<link rel=\"shortlink\" href=\"https:\/\/wp.me\/pamS32-jpr\">\n<link rel=\"alternate\" type=\"application\/json+oembed\" href=\"https:\/\/github.blog\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fgithub.blog%2F2023-10-09-coordinated-disclosure-1-click-rce-on-gnome-cve-2023-43641%2F\">\n<link rel=\"alternate\" type=\"text\/xml+oembed\" href=\"https:\/\/github.blog\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fgithub.blog%2F2023-10-09-coordinated-disclosure-1-click-rce-on-gnome-cve-2023-43641%2F&amp;format=xml\"> <meta name=\"ha-url\" content=\"https:\/\/collector.githubapp.com\/github-blog\/collect\"><link rel=\"preload\" href=\"https:\/\/github.blog\/wp-content\/themes\/github-2021\/assets\/fonts\/alliance\/Alliance-No-1-ExtraBold.woff2\" as=\"font\" type=\"font\/woff2\" crossorigin=\"anonymous\"><link rel=\"preload\" href=\"https:\/\/github.blog\/wp-content\/themes\/github-2021\/assets\/fonts\/alliance\/Alliance-No-1-Bold.woff2\" as=\"font\" type=\"font\/woff2\" crossorigin=\"anonymous\"><link rel=\"preload\" href=\"https:\/\/github.blog\/wp-content\/themes\/github-2021\/assets\/fonts\/alliance\/Alliance-No-1-Regular.woff2\" as=\"font\" type=\"font\/woff2\" crossorigin=\"anonymous\"><link rel=\"icon\" href=\"https:\/\/github.blog\/wp-content\/uploads\/2019\/01\/cropped-github-favicon-512.png?fit=32%2C32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/github.blog\/wp-content\/uploads\/2019\/01\/cropped-github-favicon-512.png?fit=192%2C192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/github.blog\/wp-content\/uploads\/2019\/01\/cropped-github-favicon-512.png?fit=180%2C180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/github.blog\/wp-content\/uploads\/2019\/01\/cropped-github-favicon-512.png?fit=270%2C270\"><br \/>\n<\/head><body class=\"post-template-default single single-post postid-74613 single-format-standard font-mktg no-sidebar\" id=\"readabilityBody\"> <\/p>\n<section class=\"position-relative\" data-color-mode=\"dark\" data-light-theme=\"light\" data-dark-theme=\"dark_dimmed\">\n<div class=\"container-xl p-responsive-blog\">\n<div class=\"gutter-spacious pt-1 \" readability=\"6.685393258427\">\n<div class=\"col-12 offset-lg-1 col-lg-10 col-xl-7 mt-5 mt-lg-10 mb-6 mb-lg-8\" readability=\"8.5955056179775\">\n<p class=\"f4-mktg\">CVE-2023-43641 is a vulnerability in libcue, which can lead to code execution by downloading a file on GNOME.<\/p>\n<\/p><\/div>\n<div class=\"offset-lg-1 col-lg-10\">\n<div class=\"position-relative z-1\"> <svg aria-hidden=\"true\" width=\"1032\" height=\"548\" class=\"width-full height-auto d-block\" \/><\/svg> <img loading=\"lazy\" decoding=\"async\" srcset=\"https:\/\/github.blog\/wp-content\/uploads\/2023\/10\/Security-DarkMode-4.png?resize=800%2C425 800w, https:\/\/github.blog\/wp-content\/uploads\/2023\/10\/Security-DarkMode-4.png?resize=1200%2C630 1600w\" src=\"https:\/\/github.blog\/wp-content\/uploads\/2023\/10\/Security-DarkMode-4.png?resize=1200%2C630\" width=\"1600\" height=\"850\" alt=\"Coordinated Disclosure: 1-Click RCE on GNOME (CVE-2023-43641)\" class=\"cover-image rounded-2\"> <\/div>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<\/section>\n<section class=\"container-xl mx-auto p-responsive-blog\">\n<div class=\"gutter-spacious\">\n<div class=\"col-12 offset-lg-1 col-lg-10\">\n<p>Author<\/p>\n<div class=\"d-flex flex-nowrap pb-1 flex-items-start\"> <time datetime=\"2023-10-09\" class=\"d-block border-left flex-shrink-0 text-mono f5-mktg color-fg-muted mb-3\"> October 9, 2023 <\/time> <\/div>\n<\/p><\/div>\n<\/p><\/div>\n<\/section>\n<div class=\"container-xl mx-auto p-responsive-blog mt-4 mt-md-7 mb-7 mb-md-9\">\n<div class=\"d-flex flex-wrap gutter-spacious\"> <main role=\"main\" id=\"post-74613\" class=\"col-12 col-lg-7 post__content col-md-8 post-74613 post type-post status-publish format-standard has-post-thumbnail hentry category-security tag-github-security-lab\"> <html readability=\"85.716177861873\"><body readability=\"171.77084431327\"><\/p>\n<p>Today, in coordination with <a href=\"https:\/\/github.com\/lipnitsk\">Ilya Lipnitskiy<\/a> (the maintainer of libcue) and the <a href=\"https:\/\/oss-security.openwall.org\/wiki\/mailing-lists\/distros\">distros mailing list<\/a>, the GitHub Security Lab is disclosing <a href=\"https:\/\/github.com\/lipnitsk\/libcue\/security\/advisories\/GHSA-5982-x7hv-r9cj\">CVE-2023-43641<\/a>, a memory corruption vulnerability in <a href=\"https:\/\/github.com\/lipnitsk\/libcue\">libcue<\/a>. We have also sent a text-only version of this blog post to the <a href=\"https:\/\/oss-security.openwall.org\/wiki\/mailing-lists\/oss-security\">oss-security list<\/a>.<\/p>\n<p>It\u2019s quite likely that you have never heard of libcue before, and are wondering why it\u2019s important. This situation is neatly illustrated by <a href=\"https:\/\/xkcd.com\/2347\/\">xkcd 2347<\/a>:<\/p>\n<p><a href=\"https:\/\/xkcd.com\/2347\/\"><img decoding=\"async\" fetchpriority=\"high\" src=\"https:\/\/i0.wp.com\/imgs.xkcd.com\/comics\/dependency.png?resize=385%2C489&amp;ssl=1\" width=\"385\" height=\"489\" class=\"aligncenter size-thumbnail\" loading=\"lazy\" data-recalc-dims=\"1\"><\/a><\/p>\n<p>libcue is a library used for parsing <a href=\"https:\/\/en.wikipedia.org\/wiki\/Cue_sheet_%28computing%29\">cue sheets<\/a>\u2014a metadata format for describing the layout of the tracks on a CD. Cue sheets are often used in combination with the <a href=\"https:\/\/en.wikipedia.org\/wiki\/FLAC\">FLAC<\/a> audio file format, which means that libcue is a dependency of some audio players, such as <a href=\"https:\/\/audacious-media-player.org\/\">Audacious<\/a>. But the reason why I decided to audit libcue for security vulnerabilities is that it\u2019s used by <a href=\"https:\/\/gitlab.gnome.org\/GNOME\/tracker-miners\">tracker-miners<\/a>: an application that\u2019s included with <a href=\"https:\/\/www.gnome.org\/\">GNOME<\/a>\u2014the default graphical desktop environment of many open source operating systems.<sup id=\"fnref-74613-1\"><\/sup> The purpose of tracker-miners is to index the files in your home directory to make them easily searchable. For example, the index is used by this search bar:<\/p>\n<p class=\"has-image\"><img decoding=\"async\" src=\"https:\/\/github.blog\/wp-content\/uploads\/2023\/10\/rickastley.png?w=1024&amp;resize=1024%2C576\" alt width=\"1024\" height=\"576\" class=\"aligncenter size-large wp-image-74617 width-fit\" srcset=\"https:\/\/github.blog\/wp-content\/uploads\/2023\/10\/rickastley.png?w=1600 1600w, https:\/\/github.blog\/wp-content\/uploads\/2023\/10\/rickastley.png?w=300 300w, https:\/\/github.blog\/wp-content\/uploads\/2023\/10\/rickastley.png?w=768 768w, https:\/\/github.blog\/wp-content\/uploads\/2023\/10\/rickastley.png?w=1024&amp;resize=1024%2C576 1024w, https:\/\/github.blog\/wp-content\/uploads\/2023\/10\/rickastley.png?w=1536 1536w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" loading=\"lazy\" data-recalc-dims=\"1\"><\/p>\n<p>The index is automatically updated when you add or modify a file in certain subdirectories of your home directory, in particular including <code>~\/Downloads<\/code>. To make a long story short, that means that inadvertently clicking a malicious link is all it takes for an attacker to exploit CVE-2023-43641 and get code execution on your computer:<\/p>\n<p>The video shows me clicking a link in a webpage<sup id=\"fnref-74613-2\"><\/sup>, which causes a cue sheet to be downloaded. Because the file is saved to <code>~\/Downloads<\/code>, it is then automatically scanned by tracker-miners. And because it has a <code>.cue<\/code> filename extension, tracker-miners uses libcue to parse the file. The file exploits the vulnerability in libcue to gain code execution and pop a calculator. Cue sheets are just one of <a href=\"https:\/\/gitlab.gnome.org\/GNOME\/tracker-miners\/-\/tree\/83054c8c145f12c83289e6c424f55b87a5b609d9\/src\/tracker-extract\">many<\/a> file formats supported by tracker-miners. For example, it also includes scanners for <a href=\"https:\/\/gitlab.gnome.org\/GNOME\/tracker-miners\/-\/blob\/83054c8c145f12c83289e6c424f55b87a5b609d9\/src\/tracker-extract\/tracker-extract-html.c\">HTML<\/a>, <a href=\"https:\/\/gitlab.gnome.org\/GNOME\/tracker-miners\/-\/blob\/83054c8c145f12c83289e6c424f55b87a5b609d9\/src\/tracker-extract\/tracker-extract-jpeg.c\">JPEG<\/a>, and <a href=\"https:\/\/gitlab.gnome.org\/GNOME\/tracker-miners\/-\/blob\/83054c8c145f12c83289e6c424f55b87a5b609d9\/src\/tracker-extract\/tracker-extract-pdf.c\">PDF<\/a>.<\/p>\n<p>I am delaying publication of the proof of concept (PoC) used in the video, to give users time to install the patch. But if you\u2019d like to test if your system is vulnerable, try downloading <a href=\"https:\/\/github.com\/github\/securitylab\/blob\/3cb0ebc37170149ef5e91a3bd641631c4eeedd06\/SecurityExploits\/libcue\/track_set_index_CVE-2023-43641\/CVE-2023-43641-poc-simple.cue\">this file<\/a>, which contains a much simpler version of the PoC that merely causes a (benign) crash.<\/p>\n<p>The offsets in the full PoC need to be tuned for different distributions. I have <em>only<\/em> done this for Ubuntu 23.04 and Fedora 38, the most recent releases of <a href=\"https:\/\/ubuntu.com\/\">Ubuntu<\/a> and <a href=\"https:\/\/fedoraproject.org\/\">Fedora<\/a> at this time. In my testing, I have found that the PoC works very reliably when run on the correct distribution (and will trigger a SIGSEGV when run on the wrong distribution). I have not created PoCs for any other distributions, but I believe that all distributions that run GNOME are potentially exploitable.<\/p>\n<h2 id=\"the-bug-in-libcue\">The bug in libcue<\/h2>\n<p>libcue is quite a small project. It\u2019s primarily a <a href=\"https:\/\/www.gnu.org\/software\/bison\">bison<\/a> grammar for cue sheets, with a few data structures for storing the parsed data. A simple example of a cue sheet looks like this:<\/p>\n<pre><code>REM GENRE \"Pop, dance pop\"\nREM DATE 1987\nPERFORMER \"Rick Astley\"\nTITLE \"Whenever You Need Somebody\"\nFILE \"Whenever You Need Somebody.mp3\" MP3 TRACK 01 AUDIO TITLE \"Never Gonna Give You Up\" PERFORMER \"Rick Astley\" SONGWRITER \"Mike Stock, Matt Aitken, Pete Waterman\" INDEX 01 00:00:00 TRACK 02 AUDIO TITLE \"Whenever You Need Somebody\" PERFORMER \"Rick Astley\" SONGWRITER \"Mike Stock, Matt Aitken, Pete Waterman\" INDEX 01 03:35:00\n<\/code><\/pre>\n<p>The vulnerability is in the handling of the <code>INDEX<\/code> syntax. Replacing one of those <code>INDEX<\/code> statements with this will trigger the bug:<\/p>\n<pre><code>INDEX 4294567296 0\n<\/code><\/pre>\n<p>There are two parts to the problem. The first is that the scanner (<a href=\"https:\/\/github.com\/lipnitsk\/libcue\/blob\/1b0f3917b8f908c81bb646ce42f29cf7c86443a1\/cue_scanner.l#L132\">cue_scanner.l, line 132<\/a>) uses <code><a href=\"https:\/\/manpages.ubuntu.com\/manpages\/jammy\/en\/man3\/atoi.3.html\">atoi<\/a><\/code> to scan the integers:<\/p>\n<pre><code>[[:digit:]]+ { yylval.ival = atoi(yytext); return NUMBER; }\n<\/code><\/pre>\n<p><code>atoi<\/code> does not check for integer overflow, so it is easy to construct a negative index. For example, 4294567296 is converted to -400000 by <code>atoi<\/code>.<\/p>\n<p>The second part of the problem (and this is the actual vulnerability) is that <code><a href=\"https:\/\/github.com\/lipnitsk\/libcue\/blob\/1b0f3917b8f908c81bb646ce42f29cf7c86443a1\/cd.c#L340-L348\">track_set_index<\/a><\/code> does not check that <code>i \u2265 0<\/code>:<\/p>\n<pre><code>void track_set_index(Track *track, int i, long ind)\n{ if (i &gt; MAXINDEX) { fprintf(stderr, \"too many indexes\\n\"); return; } track-&gt;index[i] = ind;\n}\n<\/code><\/pre>\n<p>If <code>i<\/code> is negative, then this code can write to an address outside the bounds of the array. Since the value of <code>ind<\/code> is also attacker-controlled, this is a very powerful vulnerability.<\/p>\n<p>The bug is simple to fix by adding an extra condition to the if-statement in <code>track_set_index<\/code>. This is the proposed patch:<\/p>\n<pre><code>diff --git a\/cd.c b\/cd.c\nindex cf77a18..4bbea19 100644\n--- a\/cd.c\n+++ b\/cd.c\n@@ -339,7 +339,7 @@ track_get_rem(const Track* track) void track_set_index(Track *track, int i, long ind) {\n- if (i &gt; MAXINDEX) {\n+ if (i &lt; 0 || i &gt; MAXINDEX) { fprintf(stderr, \"too many indexes\\n\"); return; }\n<\/code><\/pre>\n<h2 id=\"more-about-tracker-miners\">More about tracker-miners<\/h2>\n<p>I want to be clear that this bug is <em>not<\/em> a vulnerability in tracker-miners. But I have focused on tracker-miners because it magnifies the impact of this bug due to the way that it automatically scans the files in your <code>~\/Downloads<\/code> directory.<\/p>\n<p>tracker-miners consists of two processes:<\/p>\n<ol>\n<li>tracker-miner-fs<\/li>\n<li>tracker-extract<\/li>\n<\/ol>\n<p>The first, tracker-miner-fs, is a background process which is always running, whereas the second, tracker-extract, is only started on demand to scan new files. tracker-miner-fs uses <a href=\"https:\/\/manpages.ubuntu.com\/manpages\/jammy\/en\/man7\/inotify.7.html\">inotify<\/a> to monitor specific directories, such as <code>~\/Downloads<\/code>, <code>~\/Music<\/code>, and <code>~\/Videos<\/code>. When a new file is created, it launches tracker-extract to scan the file. tracker-extract sends the results back to tracker-miner-fs (which maintains the index) and then usually shuts down again after a few seconds. The vulnerability only affects tracker-extract, because that\u2019s where libcue is used. Both processes run as the current user, so this vulnerability would need to be chained with a separate privilege escalation vulnerability for an attacker to gain admin privileges.<\/p>\n<p>The vulnerability will not trigger if tracker-miners is not running. To check if it is, I use the command <code>ps aux | grep track<\/code>. It usually shows that tracker-miner-fs is running and that tracker-extract isn\u2019t. If <em>neither<\/em> is running (which I think is rare), then using the search bar (press the \u201csuper\u201d key and type something) should automatically restart tracker-miner-fs. As far as I know, tracker-miners is quite tightly integrated into GNOME, so there\u2019s no easy way to switch it off. There\u2019s certainly nothing like a simple checkbox in the settings dialog. There\u2019s some discussion <a href=\"https:\/\/askubuntu.com\/a\/1187273\">here<\/a> about how to switch it off by modifying your systemd configuration.<\/p>\n<p>The two-process architecture of tracker-miners is helpful for exploitation. Firstly, it\u2019s much easier to predict the memory layout in a freshly started process than in one that\u2019s already been running for hours, so the fact that tracker-extract is only started on-demand is very convenient. Even better, tracker-extract always creates a fresh thread to scan the downloaded file, and I\u2019ve found that the heap layout in the thread\u2019s malloc arena is <em>very<\/em> consistent: it varies between distributions, so, for example, Ubuntu 23.04 has a slightly different layout than Fedora 38, but on the same distribution the layout is identical every single time. Secondly, because tracker-extract is restarted on demand, an attacker could potentially crash it many times until their exploit succeeds. Due to the consistency of the heap layout, I\u2019ve found that my exploit works very reliably without needing to use this, but I could imagine an attacker loading a zip file with thousands of copies of their exploit to increase their chance of success when the victim unzips the download.<\/p>\n<h3 id=\"tracker-miners-seccomp-sandbox-escape\">tracker-miners seccomp sandbox escape<\/h3>\n<p>The difficult part of exploiting this vulnerability was finding a way to bypass <a href=\"https:\/\/en.wikipedia.org\/wiki\/Address_space_layout_randomization\">ASLR<\/a>. But what I <em>didn\u2019t<\/em> realize when I started writing the PoC, is that tracker-extract also has a <a href=\"https:\/\/gitlab.gnome.org\/GNOME\/tracker-miners\/-\/blob\/83054c8c145f12c83289e6c424f55b87a5b609d9\/src\/libtracker-miners-common\/tracker-seccomp.c\">seccomp sandbox<\/a> which is intended to prevent this kind of exploit from working. It was a nasty surprise when I thought I had all the pieces in place for a working PoC and it failed with the error message: <code>Disallowed syscall \"close_range\" caught in sandbox<\/code>. But I still failed to understand that I was attempting a sandbox escape here. I just thought I needed to take a different code path that didn\u2019t use the <code>close_range<\/code> function. So I tried a different route, it worked, and I didn\u2019t give it any more thought until the GNOME developers asked how I\u2019d managed to escape the sandbox. It turned out that I\u2019d discovered the escape entirely by accident: while I was working on the new route, I unwittingly made a change to the PoC that solved it. I have since discovered that I could have got the original PoC working with a one-line change. I\u2019ll go into more detail on this in a follow-up blog post when I publish the PoC, but for now I\u2019ll just mention that, in response to this, <a href=\"https:\/\/gitlab.gnome.org\/carlosg\">Carlos Garnacho<\/a> has very quickly implemented <a href=\"https:\/\/gitlab.gnome.org\/GNOME\/tracker-miners\/-\/commit\/f0c880a0ec0e650dbdc037c59e58e07442f82fef\">some changes<\/a> to strengthen the sandbox, which will prevent this exploitation path from working in the future.<\/p>\n<h2 id=\"conclusion\">Conclusion<\/h2>\n<p>Sometimes a vulnerability in a seemingly innocuous library can have a large impact. Due to the way that it\u2019s used by tracker-miners, this vulnerability in libcue became a 1-click RCE. If you use GNOME, please update today!<\/p>\n<p>I\u2019m delaying the release of the full PoC to give users time to install the update, but planning to publish a follow-up blog post soon with details of how the full PoC works. Save an unpatched VM with Ubuntu 23.04 or Fedora 38 if you\u2019d like to test the full PoC when I release it.<\/p>\n<h4 id=\"notes\">Notes<\/h4>\n<p> <\/body> <\/html><\/main> <\/div>\n<\/div>\n<section class=\"related-posts container-xl mx-auto p-responsive-blog\">\n<h2 class=\"h5-mktg border-bottom pb-3 mb-lg-3\"> Related posts <\/h2>\n<\/section>\n<section class=\"recirculation-modules container-xl mx-auto p-responsive-blog\">\n<h2 class=\"h5-mktg border-bottom pb-3 mb-lg-1\"> Explore more from GitHub <\/h2>\n<div class=\"d-flex flex-wrap gutter-condensed\">\n<div class=\"col-12 col-md-6 col-lg-3 d-flex mt-4 mt-lg-6\" readability=\"5.8157894736842\">\n<div class=\"rounded-2 color-bg-subtle d-flex flex-column flex-items-start width-full f4-mktg color-fg-muted\" readability=\"7.1578947368421\"> <img decoding=\"async\" src=\"https:\/\/github.blog\/wp-content\/uploads\/2022\/05\/security.svg\" width=\"44\" height=\"44\" class=\"width-auto d-block mb-3\" loading=\"lazy\" alt=\"Security\"> <\/p>\n<h3 class=\"color-fg-default mb-3\">Security<\/h3>\n<p> Secure platform, secure data. Everything you need to make security your #1. <\/p>\n<\/p><\/div>\n<\/div>\n<div class=\"col-12 col-md-6 col-lg-3 d-flex mt-4 mt-lg-6\" readability=\"6.0743801652893\">\n<div class=\"rounded-2 color-bg-subtle d-flex flex-column flex-items-start width-full f4-mktg color-fg-muted\" readability=\"7.8099173553719\"> <img decoding=\"async\" src=\"https:\/\/github.blog\/wp-content\/uploads\/2023\/08\/Icon-Circle.svg\" width=\"44\" height=\"44\" class=\"width-auto d-block mb-3\" loading=\"lazy\" alt=\"GitHub Universe 2023\"> <\/p>\n<h3 class=\"color-fg-default mb-3\">GitHub Universe 2023<\/h3>\n<p> Get free virtual tickets to the global developer event for AI, security, and DevEx. <\/p>\n<\/p><\/div>\n<\/div>\n<div class=\"col-12 col-md-6 col-lg-3 d-flex mt-4 mt-lg-6\" readability=\"5.047619047619\">\n<div class=\"rounded-2 color-bg-subtle d-flex flex-column flex-items-start width-full f4-mktg color-fg-muted\" readability=\"5.8888888888889\"> <img decoding=\"async\" src=\"https:\/\/github.blog\/wp-content\/uploads\/2022\/05\/Copilot_Blog_Icon-1.svg\" width=\"44\" height=\"44\" class=\"width-auto d-block mb-3\" loading=\"lazy\" alt=\"GitHub Copilot\"> <\/p>\n<h3 class=\"color-fg-default mb-3\">GitHub Copilot<\/h3>\n<p> Don&#8217;t fly solo. Try 30 days for free. <\/p>\n<\/p><\/div>\n<\/div>\n<div class=\"col-12 col-md-6 col-lg-3 d-flex mt-4 mt-lg-6\" readability=\"5.0322580645161\">\n<div class=\"rounded-2 color-bg-subtle d-flex flex-column flex-items-start width-full f4-mktg color-fg-muted\" readability=\"5.8709677419355\"> <img decoding=\"async\" src=\"https:\/\/github.blog\/wp-content\/uploads\/2022\/05\/careers.svg\" width=\"44\" height=\"44\" class=\"width-auto d-block mb-3\" loading=\"lazy\" alt=\"Work at GitHub!\"> <\/p>\n<h3 class=\"color-fg-default mb-3\">Work at GitHub!<\/h3>\n<p> <span>Check out our current job openings.<\/span> <\/p>\n<\/p><\/div>\n<\/div><\/div>\n<\/section>\n<div data-color-mode=\"dark\" data-light-theme=\"light\" data-dark-theme=\"dark\">\n<section id=\"newsletter\" class=\"color-bg-subtle py-6 py-lg-8\">\n<div class=\"container-xl p-responsive-blog\">\n<div class=\"newsletter rounded-2\">\n<div class=\"d-flex flex-row flex-wrap color-bg-subtle rounded-2\" readability=\"6.5130434782609\">\n<div class=\"pl-6 pr-6 pl-lg-7 pr-lg-7 py-6 py-lg-7 col-12 col-lg-6 col-xl-7\" readability=\"9\">\n<h2 class=\"h4-mktg color-fg-default\"> Subscribe to The GitHub Insider<\/h2>\n<p class=\"f3-mktg color-fg-muted mt-2 mb-0\">Discover tips, technical guides, and best practices in our monthly newsletter for developers.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<\/section><\/div>\n<p> <\/body> READ MORE <a href=\"https:\/\/packetstormsecurity.com\/news\/view\/35113\/1-Click-RCE-On-GNOME-Via-libcue.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":54130,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[60],"tags":[3707],"class_list":["post-54129","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-packet-storm","tag-headlinelinuxflaw"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>1-Click RCE On GNOME Via libcue 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/1-click-rce-on-gnome-via-libcue\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"1-Click RCE On GNOME Via libcue 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/1-click-rce-on-gnome-via-libcue\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2023-10-12T13:47:43+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/github.blog\/wp-content\/uploads\/2023\/10\/Security-DarkMode-4.png?resize=1200%2C630\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"8 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/1-click-rce-on-gnome-via-libcue\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/1-click-rce-on-gnome-via-libcue\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"1-Click RCE On GNOME Via libcue\",\"datePublished\":\"2023-10-12T13:47:43+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/1-click-rce-on-gnome-via-libcue\\\/\"},\"wordCount\":1511,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/1-click-rce-on-gnome-via-libcue\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/10\\\/1-click-rce-on-gnome-via-libcue.png\",\"keywords\":[\"headline,linux,flaw\"],\"articleSection\":[\"Packet Storm\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/1-click-rce-on-gnome-via-libcue\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/1-click-rce-on-gnome-via-libcue\\\/\",\"name\":\"1-Click RCE On GNOME Via libcue 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/1-click-rce-on-gnome-via-libcue\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/1-click-rce-on-gnome-via-libcue\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/10\\\/1-click-rce-on-gnome-via-libcue.png\",\"datePublished\":\"2023-10-12T13:47:43+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/1-click-rce-on-gnome-via-libcue\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/1-click-rce-on-gnome-via-libcue\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/1-click-rce-on-gnome-via-libcue\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/10\\\/1-click-rce-on-gnome-via-libcue.png\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/10\\\/1-click-rce-on-gnome-via-libcue.png\",\"width\":1200,\"height\":630},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/1-click-rce-on-gnome-via-libcue\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"headline,linux,flaw\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/headlinelinuxflaw\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"1-Click RCE On GNOME Via libcue\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"1-Click RCE On GNOME Via libcue 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/1-click-rce-on-gnome-via-libcue\/","og_locale":"en_US","og_type":"article","og_title":"1-Click RCE On GNOME Via libcue 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/1-click-rce-on-gnome-via-libcue\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2023-10-12T13:47:43+00:00","og_image":[{"url":"https:\/\/github.blog\/wp-content\/uploads\/2023\/10\/Security-DarkMode-4.png?resize=1200%2C630","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"8 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/1-click-rce-on-gnome-via-libcue\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/1-click-rce-on-gnome-via-libcue\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"1-Click RCE On GNOME Via libcue","datePublished":"2023-10-12T13:47:43+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/1-click-rce-on-gnome-via-libcue\/"},"wordCount":1511,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/1-click-rce-on-gnome-via-libcue\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/10\/1-click-rce-on-gnome-via-libcue.png","keywords":["headline,linux,flaw"],"articleSection":["Packet Storm"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/1-click-rce-on-gnome-via-libcue\/","url":"https:\/\/www.threatshub.org\/blog\/1-click-rce-on-gnome-via-libcue\/","name":"1-Click RCE On GNOME Via libcue 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/1-click-rce-on-gnome-via-libcue\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/1-click-rce-on-gnome-via-libcue\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/10\/1-click-rce-on-gnome-via-libcue.png","datePublished":"2023-10-12T13:47:43+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/1-click-rce-on-gnome-via-libcue\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/1-click-rce-on-gnome-via-libcue\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/1-click-rce-on-gnome-via-libcue\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/10\/1-click-rce-on-gnome-via-libcue.png","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/10\/1-click-rce-on-gnome-via-libcue.png","width":1200,"height":630},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/1-click-rce-on-gnome-via-libcue\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"headline,linux,flaw","item":"https:\/\/www.threatshub.org\/blog\/tag\/headlinelinuxflaw\/"},{"@type":"ListItem","position":3,"name":"1-Click RCE On GNOME Via libcue"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/54129","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=54129"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/54129\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/54130"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=54129"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=54129"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=54129"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}