Two of our Codean Labs colleagues evaluated OpenPGP.js and identified a signature spoofing vulnerability. Writeup includes a PoC where we demonstrate the vulnerability by spoofing a message by the Dutch government's Cyber Security Center!.

It's been four years already! Here’s to four more years of making the world more secure!.

At Codean Labs, our mission is to make the world more secure — and what better way than to secure fundamental open source projects?. We identified CVE-2025-47934, a critical vulnerability in OpenPGP.js to spoof signatures, see

RT @Doyensec: 🚨 Advisory Alert!🚨 We've just published our @drw0if's advisory regarding a heap overflow in @HAProxy as part of our coordinat….

Codean Labs' @b0n0b0__ and @Doyensec's @drw0if discovered CVE-2025-32464, a heap-buffer overflow in HAProxy. Read our write-up here:

We discovered CVE-2024-12425 & CVE-2024-12426 which allow attackers to write files & extract sensitive data. Check our blog post for the impact & how to protect yourself.

We spent a lot of effort on improving the security of Ghostscript and this is our third and final blog post about everything we found. Enjoy the read!.

We just reached over 1,000 commits on Codean 🎉. Just a few thousand more and I am sure Codean will be done by then 😉

We are finally catching up on some basic capabilities everyone expects, but are still darn hard to get right!. Finally, landed on SCIP and SCIP indexers to have code intelligence that also enables us to create unique and cool features in the future. Stay tuned for more!

Another day another high impact #CVE-2024-29511 on #Ghostscript ≤ 10.02.1. it leads to an arbitrary file read/write (under certain conditions) outside of the -dSAFER sandbox. You can find all details about this #vulnerability on our blogpost.

We found #CVE-2024-29510, a format string vulnerability in Ghostscript ≤ 10.03.0. It enables attackers to gain Remote Code Execution (#RCE) while also bypassing all sandbox protections. It has significant impact so please update Ghostscript!.

A public service announcement about #CVE-2024-4367 that we found in one of our pentests at Codean Labs. Make sure to update your #Firefox version to 126 and for #developers to update your PDF.js dependency. You can read our blog post for all details.

We found a vulnerability in Mozilla’s PDF.js (CVE-2024-4367 and CVE-2024-34342 via react-pdf) resulting in arbitrary JavaScript execution when opening a malicious PDF. This results in XSS on many web- and even desktop apps. Blog post coming soon!.

Our Capture The Flag events are designed around the accessibility to the source code of all vulnerable targets. What's even more fun is that the whole CTF is played from within Codean!. I guess we should host another public CTF sometime soon™!.

We are looking for design partners!. "Yeah, yeah, yeah. just another sales tactic." Well yes, you are not wrong, we obviously do need to make money. That said, we believe we can create a win, win, win!. Sounds interesting? Let us know! .

Did you know that we publicly discuss features and the architecture of Codean?! Join our Discord at and let us know what you want from a tool like Codean!

#pentesting projects we do via Codean Labs relied on an older version of Codean. Today we onboarded a pentest project on the NEW platform at 🎉. We did find some bugs that we fixed and identified the need for more features. Plenty of work for all of us!

𝗪𝗲 𝗵𝗮𝗱 𝗳𝘂𝗻 𝗱𝘂𝗿𝗶𝗻𝗴 #𝗱𝗲𝘃𝗲𝗹𝗼𝗽𝗺𝗲𝗻𝘁. There should be a nice way to look at the code that a Codemark points to. To achieve this, we show you a full blown editor with all the bells and whistles, including Codemarks. No worries, its now fixed 😉

While many parts of Codean are already #designed and "tested" for #userexperience, implementing much is still tbd!. Two parts were really hampering even trying Codean: member management and repository synchronization. Both of these have been just implemented and rolled out!

Here's a write-up of another vulnerability we found, caused by a lack of input validation. This time it's CVE-2023-38504, a DoS in Sails.js, an MVC framework for Node. Enjoy!.