惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

The GitHub Blog
The GitHub Blog
云风的 BLOG
云风的 BLOG
T
Threatpost
WordPress大学
WordPress大学
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
PCI Perspectives
PCI Perspectives
T
The Exploit Database - CXSecurity.com
Y
Y Combinator Blog
雷峰网
雷峰网
爱范儿
爱范儿
The Hacker News
The Hacker News
Last Week in AI
Last Week in AI
Simon Willison's Weblog
Simon Willison's Weblog
T
Tor Project blog
S
Securelist
宝玉的分享
宝玉的分享
L
LangChain Blog
O
OpenAI News
AI
AI
P
Privacy International News Feed
L
LINUX DO - 最新话题
D
DataBreaches.Net
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
Attack and Defense Labs
Attack and Defense Labs
罗磊的独立博客
M
MIT News - Artificial intelligence
Security Archives - TechRepublic
Security Archives - TechRepublic
月光博客
月光博客
博客园 - 【当耐特】
T
Tailwind CSS Blog
C
Cybersecurity and Infrastructure Security Agency CISA
H
Help Net Security
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
博客园_首页
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
Hacker News - Newest:
Hacker News - Newest: "LLM"
腾讯CDC
Jina AI
Jina AI
The Last Watchdog
The Last Watchdog
K
Kaspersky official blog
Webroot Blog
Webroot Blog
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Blog — PlanetScale
Blog — PlanetScale
MyScale Blog
MyScale Blog
MongoDB | Blog
MongoDB | Blog
P
Proofpoint News Feed
Recorded Future
Recorded Future
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
博客园 - 三生石上(FineUI控件)
The Cloudflare Blog

Ars Technica - All content

Pentagon wants $54B for drones, more than most nations’ military budgets Mozilla: Anthropic's Mythos found 271 security vulnerabilities in Firefox 150 Supreme Court arguments make it clear that FCC fines are "nonbinding" Silo S3 teaser hints at the wasteland's origins Framework's CEO on the RAM crisis and creating a "MacBook Pro for Linux users" Florida probes ChatGPT role in mass shooting. OpenAI says bot "not responsible." Report: Meta will train AI agents by tracking employees' mouse, keyboard use Microsoft removes Call of Duty from Game Pass, lowers subscription pricing Framework Laptop 13 Pro is a major overhaul for the modular, upgradeable laptop Framework Laptop 16 upgrades make it look less like an unfinished prototype Internal emails show how Amazon raises prices across the Internet, lawsuit says Anthropic gets $5B investment from Amazon, will use it to buy Amazon chips CATL's new LFP battery can charge from 10 to 98% in less than 7 minutes AMD Ryzen 9 9950X3D2 Dual Edition review: Tons of cache for tons of dollars What's the deal with spacesuits for the Moon? Will they be ready in time? Loneliness in older adults can often lead to memory impairment Contrary to popular superstition, AES 128 is just fine in a post-quantum world Pentagon pulls the plug on one of the military's most troubled space programs John Ternus will replace Tim Cook as Apple CEO Blue Origin's rocket reuse achievement marred by upper stage failure I’ve fired one of America’s most powerful lasers—here’s what a shot day looks like Great white sharks are overheating US-sanctioned currency exchange says $15 million heist done by "unfriendly states" Man with @ihackedthegovernment Instagram account tells judge, “I made a mistake" Trump picks qualified, normal health leader to head CDC; experts still cautious $25,000 buys plenty of used EVs: Here are some options Satellite and drone images reveal big delays in US data center construction Amazon won’t release Fire Sticks that support sideloading anymore Ridley Scott's post-apocalyptic The Dog Stars drops first trailer Artemis II pilot talks about what it was really like to fly and land in Orion Meta's AI spending spree is helping make its Quest headsets more expensive Rocket Report: Starship V3 test-fired; ESA's tentative step toward crew launch Recent advances push Big Tech closer to the Q-Day danger zone After a saga of broken promises, a European rover finally has a ride to Mars Lucasfilm drops The Mandalorian and Grogu final trailer at CinemaCon Intel refreshes non-Ultra Core CPUs with new silicon for the first time OpenAI starts offering a biology-tuned LLM As they got close to the Moon, Artemis II astronauts were eager to land Mozilla launches Thunderbolt AI client with focus on self-hosted infrastructure Ad firms settle with Trump FTC over claims they boycotted conservative media New Codex features include the ability to use your computer in the background The Ukraine war's deep impact on Metro 2039’s development, story New undersea cable cutter risks Internet’s backbone Microsoft and Stellantis want to use AI to help car owners Gemini can now create personalized AI images by digging around in Google Photos RFK Jr. forces FDA to reconsider 12 unproven peptides after 2023 ban First look: Also's upcoming e-bike disconnects the pedals and wheels Meet the Quantum Kid The race to Shackleton Crater is on—will Jeff Bezos or China get there first? Florida surgeon charged with killing man after removing liver instead of spleen Jury finds Live Nation/Ticketmaster is illegal monopoly that overcharged fans "TotalRecall Reloaded" tool finds a side entrance to Windows 11's Recall database Google releases new apps for Windows and MacOS Boston Dynamics’ robot dog now reads gauges and thermometers with Google's AI Prime Video shows “technical difficulties” sign instead of NBA game in overtime New teaser gives us first look at Godzilla Minus Zero Vulcan woes will "absolutely" be a factor in Pentagon's next rocket competition Adobe takes Creative Cloud into Claude Code-esque territory Good Omens S3 trailer sets up a blessed conclusion Bubble watch: Fashion brand Allbirds pivots hard to become AI services company New 3D map of Universe could solve dark energy mystery What’s the deal with Alzheimer’s disease and amyloid? Blue Origin has a new employee stock plan, but not everyone is happy It's Tax Day, and no one knows how to file for prediction market winnings Ukraine’s military robot surge aims to offset drone risks to humans Sony killing features for antenna, set-top box users of Bravia smart TVs in May Americans ask AI for health care. Hospitals think the answer is more chatbots. NASA chose the right crew to launch a new era of human space exploration Google will begin punishing sites for back button hijacking in June Retro Rewind re-creates the glorious drudgery of working a '90s video store Google shoehorned Rust into Pixel 10 modem to make legacy code safer NZXT agrees to let customers keep their rental PCs in class-action settlement Your tech support company runs scams. Stop—or disguise with more fraud? Sunrise on the Reaping teaser brings us a Second Quarter Quell IBM folds to Trump anti-DEI push, admits no misconduct but pays $17M penalty Slate Auto raises $650 million as production gets closer and closer Meta spins up AI version of Mark Zuckerberg to engage with employees To teach in the time of ChatGPT is to know pain Shock from Iran war has Trump's vision for US energy dominance flailing The Artemis II mission has ended. Where does NASA go from here? AI models are terrible at betting on soccer—especially xAI Grok Four astronauts are back home after a daring ride around the Moon Californians sue over AI tool that records doctor visits New paper argues history, not mantle plume, powers Yellowstone F1 moves a step closer to fixing its 2026 hybrid problem Report: US demands Reddit unmask ICE critic, summons firm to grand jury Microsoft's "commitment to Windows quality" starts with overhaul of beta program "Oobleck" still holds some surprises YouTube increases Premium price again, says 90-second unskippable ads are a bug Oldest octopus fossil found to not be an octopus What leaked "SteamGPT" files could mean for the PC gaming platform's use of AI Here's what to expect from the fiery, 14-minute return of Artemis II Pro-Iran Explosive Media trolls Trump with AI-generated Lego cartoons Dad stuck in support nightmare after teen lied about age on Discord Rocket Report: Chinese version of Falcon 9 fails; Artemis depends on rapid heavy lift Orion helium leak no threat to Artemis II reentry but will require redesign RFK Jr. rewrites CDC panel's charter, opening door to anti-vaccine quacks AI on the couch: Anthropic gives Claude 20 hours of psychiatry Clinical trial shows gene editing works for β-Thalassaemia, too “Negative” views of Broadcom driving thousands of VMware migrations, rival says
Millions of AI agents imperiled by critical vulnerability in open source package
Dan Goodin · 2026-05-27 · via Ars Technica - All content

Millions of AI agents and tools around the world have been imperiled by a critical vulnerability that can allow hackers to breach the servers running them and make off with sensitive data and credentials to third-party accounts, a security researcher is warning.

The vulnerability is present in Starlette, an open source framework that its developer says receives 325 million downloads per week. Thousands of other open source projects are also vulnerable because they require Starlette to work. The framework is an implementation of the ASGI (asynchronous server gateway interface), which allows large numbers of requests to be efficiently processed simultaneously. Starlette is the base of FastAPI and other widely used frameworks for building services in Python apps, as well as many others.

Trivial to exploit, millions of servers exposed

ASGI, and by extension Starlette, have access to servers running the MCP (model context protocol), which allows AI agents from major providers to access external sources, including user data bases, email and calendar accounts, and all manner of other resources. To connect with these external systems, MCP servers store credentials for each one, making them especially valuable storehouses for attackers to breach.

The vulnerability, tracked as CVE-2026-48710 and under the name BadHost, is trivial to exploit and works against most systems that aren’t behind a properly configured firewall. Besides FastAPI, other widely used packages—including vLLM, and LiteLLM—are also affected. BadHost affects Starlette versions prior to 1.0.1, which was released Friday.

“A single character injected into the HTTP Host header bypasses path-based authorization in Starlette, the routing core of FastAPI,” researchers from Secwest wrote. “Through FastAPI, this primitive (now tracked as CVE-2026-48710 and branded BadHost by the discoverers) reaches a large segment of the Python AI tooling ecosystem: vLLM (where the bug was discovered), LiteLLM, Text Generation Inference, most OpenAI-shim proxies, MCP servers, agent harnesses, eval dashboards, and model-management UIs.”

BadHost carries a severity rating of 7 out of 10. Secwest said the classification “materially understates” the threat it poses to people using other apps that depend on Starlette. X41 D-Sec, the security firm that discovered it, described it as having “critical severity.” X41 D-Sec partnered with fellow security firm Nemesis to create an online scanner that can check if a given server is vulnerable.