Vulnerability-Research on harpi - Security Researcher

Shaking the Mesh: Four Memory Corruption Bugs in VTK's GLTF Loader

Thu, 30 Oct 2025 00:00:00 +0000

“The future is already here — it’s just not evenly distributed.” — William Gibson

How I Got Here

In mid-2025 I scoped out an engagement for Radically Open Security targeting F3D — a fast, minimalist 3D viewer that supports dozens of file formats — and its library counterpart, libf3d. The proposal focused on three attack surfaces:

Code audit and pentesting of f3d and libf3d.

Our primary target is the libf3d since its API is used by third-party projects and security issues are more critical.

The Binary Switcheroo: Turning a KDE File Manager Into a Local Privilege Escalation

Thu, 15 May 2025 00:00:00 +0000

“When you want to know how things really work, study them when they’re coming apart.” — William Gibson

How I Got Here

In late 2024 I scoped out an engagement for Radically Open Security targeting kio-admin — the KDE component that gives Dolphin (KDE’s file manager) the ability to perform file operations as root. The proposal was straightforward:

Code audit and pentesting of Dolphin authorisation mechanisms as they are provided by kio-admin and kio framework.

Django Allauth: Account Takeover via Provider Identifier Mutability

Wed, 25 Dec 2024 00:00:00 +0000

“There’s always a side door.”

Overview

I discovered an account takeover vulnerability in django-allauth, one of the most widely-used authentication libraries for Django. The vulnerability allows an attacker to impersonate arbitrary users by exploiting how certain OAuth providers’ identifiers are resolved.

Vulnerability Details

CVE: CVE-2025-65431 Type: Improper Authentication / Account Takeover (CWE-287) Impact: Account Impersonation Affected Versions: django-allauth < 65.13.0

The Bug

Both the Okta and NetIQ providers were using preferred_username as the identifier for third-party provider accounts. This value is mutable — users can change their preferred_username on the identity provider side.