Peter Stöckli

289 Followers
378 Following
292 Posts
Security Researcher and Software Engineer @GitHubSecurityLab
GitHub: https://github.com/p-
Check out how my colleague Man Yue Mo and I used LLMs to triage CodeQL results. The GitHub Security Lab Taskflow Agent and the prompts we used are open source and ready to be used!
https://github.blog/security/ai-supported-vulnerability-triage-with-the-github-security-lab-taskflow-agent/
New Book
(tilting at windmills 😉)
In this demonstration I show the impact of CVE-2025-25291/CVE-2025-25292, an authentication bypass in ruby-saml used by high-profile OSS projects such as GitLab. My team coordinated with both the ruby-saml maintainer and GitLab to get this vulnerability fixed, and patches are available at https://about.gitlab.com/releases/2025/03/12/patch-release-gitlab-17-9-2-released/
GitLab Critical Patch Release: 17.9.2, 17.8.5, 17.7.7

Learn more about GitLab Critical Patch Release: 17.9.2, 17.8.5, 17.7.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).

GitLab
I ran `lscpu` on one of the newly GA'd AWS Graviton4 instances (r8g.medium). These are based on Neoverse-V2 (ARMv9). Sadly they don't seem to support Arm's memory tagging extension (MTE).
These proof of concept exploits are largely based on the great and universal gadget chain published by @vakzz in 2022:
https://devcraft.io/2022/04/04/universal-deserialisation-gadget-for-ruby-2-x-3-x.html
Round Two: An Updated Universal Deserialisation Gadget for Ruby 2.x-3.x

A few months ago I noticed the gadget in my previous article had been patched and no longer worked in Ruby 3.0.3, so I spent a bit of time dusting off the old tools to see if I could find another one.

devcraft.io

Where I'll demonstrate some typical Ruby on Rails gotchas on a real project:
https://github.blog/2023-07-28-closing-vulnerabilities-in-decidim-a-ruby-based-citizen-participation-platform/

A.) Why you shouldn't feed user-submitted content to link_to (CVE-2023-32693).
B.) Why you shouldn't match strings with ^ and $ when using Regex
C.) ??? (CVE-2023-34090)

Closing vulnerabilities in Decidim, a Ruby-based citizen participation platform - The GitHub Blog

This blog post describes two security vulnerabilities in Decidim, a digital platform for citizen participation. Both vulnerabilities were addressed by the Decidim team with corresponding update releases for the supported versions in May 2023.

The GitHub Blog
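Points A.) and B.) of the post above, shown in plain Ruby as an added example (this is not code from the linked blog post or from Decidim; the helper names, the `BROKEN_URL_RE`/`FIXED_URL_RE` patterns and the sample inputs are constructed for illustration). In Ruby, `^` and `$` anchor to the start and end of a line, so a value containing a newline can smuggle a `javascript:` URL past a "whole string" check; `\A` and `\z` anchor to the whole string. The example goes one step beyond the post by also allow-listing the scheme before a value would be handed to a helper such as `link_to`, which emits whatever href it is given:

```ruby
require 'uri'

# In Ruby, ^ and $ match at the start and end of ANY line inside the string,
# so this pattern accepts a value as long as one of its lines looks like a URL.
BROKEN_URL_RE = %r{^https?://[^\s]+$}

# \A and \z anchor to the start and the absolute end of the whole string.
FIXED_URL_RE = %r{\Ahttps?://[^\s]+\z}

def broken_url_ok?(str)
  BROKEN_URL_RE.match?(str)
end

def fixed_url_ok?(str)
  FIXED_URL_RE.match?(str)
end

# Hypothetical helper: what a view should call before passing user input to
# link_to. A regex alone is not a scheme check, so the parsed scheme is compared
# against an explicit allow-list, and unparsable input is treated as unsafe.
SAFE_SCHEMES = %w[http https].freeze

def safe_href?(str)
  return false unless fixed_url_ok?(str)

  uri = URI.parse(str)
  SAFE_SCHEMES.include?(uri.scheme.to_s.downcase)
rescue URI::InvalidURIError
  false
end

# Constructed inputs for illustration.
BENIGN = 'https://example.org/profile'
# A multi-line form field: line 1 is the payload, line 2 satisfies ^...$.
BYPASS = "javascript:alert(document.cookie)\nhttps://example.org/"

if $PROGRAM_NAME == __FILE__
  [BENIGN, BYPASS, 'javascript:alert(1)'].each do |input|
    puts "#{input.inspect}: ^$ check=#{broken_url_ok?(input)} " \
         "\\A\\z check=#{fixed_url_ok?(input)} safe_href=#{safe_href?(input)}"
  end
end
```

Run it and the `BYPASS` value passes the `^`/`$` check but fails both the `\A`/`\z` check and the scheme allow-list; an href built from it would start with `javascript:`. The scheme allow-list matters on its own as well: `link_to` HTML-escapes attribute values but does not reject dangerous schemes, so a regex that forgets `\A` is not the only way a `javascript:` link reaches the page.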