// wall of bugs caught
10 critical bugs
PullLight would have caught in your PRs.
Every card below is a real bug flagged during PR review — CVEs, CWEs, before/after code. No competitors have a page like this. Try it on your own PR →
13 total catches · 10 critical · 3 high · 10 with CVSS ≥ 9 · 5 languages
critical
# injection
Java
CVE-2024-23897
CLI Argument Injection via args4j expandAtFiles()
Jenkins's CLI hands user-supplied arguments to args4j, whose expandAtFiles() replaces any argument that begins with @ with the contents of the named file, line by line, before the command's own permission check runs. By passing @/path/to/file as a CLI argument an attacker makes the controller read that file on their behalf: with Overall/Read permission the whole file can be recovered, and even unauthenticated attackers get its first lines back in the resulting error message.
Before / after code snippet
Before (vulnerable)
```java
// BEFORE (vulnerable)
import org.kohsuke.args4j.CmdLineParser;

// The default ParserProperties enable "@ syntax": during parsing, any argument
// starting with '@' is replaced by the contents of the named file (expandAtFiles()).
// This happens before the command's permission check, so the file is read as the
// Jenkins process and its lines flow into argument parsing and error output.
CmdLineParser parser = new CmdLineParser(cmd);
parser.parseArgument(args); // args such as {"@/etc/passwd"} read the file as the attacker
```
After (fixed)
```java
// AFTER (fixed)
import org.kohsuke.args4j.CmdLineParser;
import org.kohsuke.args4j.ParserProperties;

// Disable @ syntax when the parser is built so "@/path" stays a literal string.
// (Jenkins's fix does exactly this and only re-enables the behaviour behind an
// opt-in system property, hudson.cli.CLICommand.allowAtSyntax.)
CmdLineParser parser = new CmdLineParser(cmd, ParserProperties.defaults().withAtSyntax(false));
parser.parseArgument(args);
```
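To see the two settings side by side, here is an added, self-contained example (not PullLight's or Jenkins's code) that runs the same attacker-style argument through args4j with @ syntax on and off. It assumes args4j 2.33 on the classpath (Maven coordinates args4j:args4j:2.33) and Java 11 or later; the Cmd bean, the temporary "secret" file and its contents are constructed for the demo.

```java
// Added example (not PullLight's or Jenkins's code). Assumes args4j 2.33 on the
// classpath; the Cmd bean, the secret file and its contents are constructed here.
import org.kohsuke.args4j.Argument;
import org.kohsuke.args4j.CmdLineException;
import org.kohsuke.args4j.CmdLineParser;
import org.kohsuke.args4j.ParserProperties;

import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;

public class AtSyntaxDemo {

    /** Stand-in for a CLI command bean: it simply collects positional arguments. */
    public static class Cmd {
        @Argument(multiValued = true)
        public List<String> positional = new ArrayList<>();
    }

    /**
     * Parse args with the given atSyntax setting and return the arguments the
     * command would actually receive.
     */
    static List<String> parse(boolean atSyntax, String... args) throws CmdLineException {
        Cmd cmd = new Cmd();
        CmdLineParser parser =
                new CmdLineParser(cmd, ParserProperties.defaults().withAtSyntax(atSyntax));
        parser.parseArgument(args);
        return cmd.positional;
    }

    public static void main(String[] argv) throws IOException, CmdLineException {
        // Constructed stand-in for a sensitive file on the server.
        Path secret = Files.createTempFile("secret", ".txt");
        Files.write(secret, List.of("db.password=hunter2", "api.key=example-key"));

        // The only thing the attacker controls: an argument that names the file.
        String attackerArg = "@" + secret.toAbsolutePath();

        // Default properties (atSyntax = true): expandAtFiles() reads the file and
        // every line of it becomes a separate argument.
        System.out.println("atSyntax=true  -> " + parse(true, attackerArg));

        // With @ syntax disabled the argument is passed through untouched.
        System.out.println("atSyntax=false -> " + parse(false, attackerArg));

        Files.delete(secret);
    }
}
```

Run it with no arguments: the first parse returns the two lines of the file as positional arguments, the second returns the literal @-string. In a server that echoes unrecognised arguments back in an error message, the first result is exactly the disclosure this CVE describes.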
critical
# deserialization
Java
CVE-2025-24813
RCE via Partial PUT Path Equivalence in Tomcat
When writes are enabled on Apache Tomcat's DefaultServlet (readonly=false, which is not the default), a partial PUT (a request carrying a Content-Range header) is first written to a temporary file in the context's work directory whose name is the request path with every '/' replaced by '.'. Tomcat's file-based session persistence (FileStore) keeps its <sessionId>.session files in that same directory by default, so an attacker can upload a serialized Java object under a session-shaped name and then get it loaded, and deserialized, as a persisted session; with a gadget chain on the classpath that is remote code execution. Fixed in Tomcat 9.0.99, 10.1.35 and 11.0.3.
Before / after code snippet
Before (vulnerable)
```java
// BEFORE (vulnerable)
import java.io.File;

// The temp file name is derived from the client-supplied request path ('/' -> '.'),
// and the temp dir is the context work dir that FileStore also uses for its
// <sessionId>.session files, so the client chooses where the partial upload lands.
File tempFile = new File(getTempDir(), req.getRequestURI().replace('/', '.'));
storeTempFile(tempFile, req.getInputStream());
```
After (fixed)
```java
// AFTER (fixed)
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Path;

// Opaque, randomly named temp file: the client-controlled path never selects the
// file name, so it cannot collide with a <sessionId>.session file. Keep the
// DefaultServlet readonly (the default) unless the application really needs PUT.
Path tempFile = Files.createTempFile(getTempDir().toPath(), "put-", ".part");
storeTempFile(tempFile.toFile(), req.getInputStream());
```
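The added example below (not PullLight's or Apache Tomcat's code) is a JDK-only sketch of the same problem: it derives a temp-file name the way the vulnerable code did, shows that a PUT path ending in .session yields a file FileStore would treat as a persisted session, and contrasts a hardened strategy in which the client never picks the name or the directory. The directory names, request paths and the SESSION_EXT constant are constructed for the demo.

```java
// Added example (not PullLight's or Tomcat's code): JDK-only sketch of the
// path-equivalence problem and a hardened temp-file strategy. Directories,
// request paths and SESSION_EXT are constructed for this demo.
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

public class PartialPutTempFiles {

    /** Suffix used for persisted sessions on disk (<sessionId>.session). */
    static final String SESSION_EXT = ".session";

    /** How the vulnerable code derived the temp file: request path with '/' -> '.'. */
    static Path vulnerableTempFile(Path workDir, String requestPath) {
        return workDir.resolve(requestPath.replace('/', '.'));
    }

    /** Session id a file-based store would read from this name, or null if not session-shaped. */
    static String sessionIdFor(Path file) {
        String name = file.getFileName().toString();
        if (!name.endsWith(SESSION_EXT)) {
            return null;
        }
        return name.substring(0, name.length() - SESSION_EXT.length());
    }

    /**
     * Hardened: partial content goes to a randomly named file in a directory reserved
     * for uploads, so the request path neither picks the name nor the directory, and a
     * path that would have produced a session-shaped name is refused outright.
     */
    static Path hardenedTempFile(Path uploadDir, String requestPath) throws IOException {
        if (requestPath.endsWith(SESSION_EXT)) {
            throw new IOException("refusing partial PUT to session-shaped path: " + requestPath);
        }
        Files.createDirectories(uploadDir);
        return Files.createTempFile(uploadDir, "put-", ".part");
    }

    public static void main(String[] args) throws IOException {
        // Stands in for the context work dir shared by DefaultServlet and FileStore.
        Path work = Files.createTempDirectory("tomcat-work");

        // Constructed attacker request: PUT /x/payload.session with a Content-Range header.
        Path vuln = vulnerableTempFile(work, "/x/payload.session");
        System.out.println("vulnerable temp file: " + vuln.getFileName());
        System.out.println("read back as session: " + sessionIdFor(vuln));

        // Same hardened path for a benign upload: random name, dedicated directory.
        Path safe = hardenedTempFile(work.resolve("uploads"), "/x/report.pdf");
        System.out.println("hardened temp file:   " + safe.getFileName());
        System.out.println("session-shaped:       " + (sessionIdFor(safe) != null));

        // And the attacker's path is rejected before any file is touched.
        try {
            hardenedTempFile(work.resolve("uploads"), "/x/payload.session");
        } catch (IOException e) {
            System.out.println("rejected:             " + e.getMessage());
        }
    }
}
```

The first two lines of output show the collision the CVE relies on: the upload lands at .x.payload.session, which is indistinguishable by name from a persisted session with id .x.payload. The hardened variant never lets the request path reach the file name, and the explicit refusal is a belt-and-braces check for deployments that still expose PUT.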