# TruffleHog, Fade In and BSAFE Crypto-C vulnerabilities

CVSS 3.1 score: 7.8 / 10 (HIGH)
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Description

![TruffleHog, Fade In and BSAFE Crypto-C vulnerabilities](https://blog.talosintelligence.com/content/images/2025/10/vuln-roundup-1.webp)

Cisco Talos' Vulnerability Discovery & Research team recently disclosed three vulnerabilities in Dell BSAFE, two in Fade In screenwriting software, and one in Trufflehog.

The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to _Cisco's third-party vulnerability disclosure policy_.

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from _Snort.org_, and our latest Vulnerability Advisories are always posted on _Talos Intelligence's website_.

## **Fade In out-of-bounds write vulnerabilities**

_Discovered by Piotr Bania of Cisco Talos._

Fade In is a cross-platform text-handling application for screenwriters.

_TALOS-2025-2250_ (CVE-2025-53855) is an out-of-bounds write vulnerability in the XML parser functionality of GCC Productions Inc. Fade In 4.2.0. A specially crafted .fadein file can lead to an out-of-bounds write.

_TALOS-2025-2252_ (CVE-2025-53814) is a use-after-free vulnerability in the XML parser functionality of GCC Productions Inc. Fade In 4.2.0. A specially crafted .xml file can lead to heap-based memory corruption.

## **TruffleHog arbitrary code execution vulnerability**

_Discovered by Adam Reiser of Cisco ASIG._

TruffleHog is a secret-scanning tool that searches code repositories and ticketing systems for exposed sensitive information, such as API keys and passwords. This vulnerability is described in an _accompanying article_ on the Truffle Security website. _TALOS-2025-2243_ (CVE-2025-41390) is an arbitrary code execution vulnerability in the Git functionality of TruffleHog 3.90.2. A specially crafted repository can lead to arbitrary code execution; an attacker can provide a malicious repository to trigger this vulnerability.

## **Dell BSAFE integer overflow, underflow, and stack overflow vulnerabilities**

_Discovered by Jason Crowder._

Dell BSAFE Crypto-C is a FIPS 140-validated cryptography development kit for C/C++ environments. In cooperation with Jason Crowder, Talos published three vulnerabilities in the Dell BSAFE Crypto-C module. This product has reached end of service; the vulnerable versions were added to an existing CVE.

_TALOS-2025-2140_ (CVE-2019-3728) is an integer overflow vulnerability, and _TALOS-2025-2141_ (CVE-2019-3728) is an integer underflow vulnerability. In both cases, a specially crafted ASN.1 record can lead to an out-of-bounds read. An attacker can provide a malformed ASN.1 record to trigger these vulnerabilities.

_TALOS-2025-2142_ (CVE-2019-3728) is a stack overflow vulnerability. A specially crafted ASN.1 record can lead to denial of service.
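The post does not describe the internals of the BSAFE bugs, so the following is an added example (not Dell's or Talos' code) of the generic bug class behind integer-overflow length checks in an ASN.1/DER parser: the same declared length is validated once with wrapping arithmetic and once with a remaining-bytes comparison. The record layouts are constructed, and the wrap-around case assumes a 64-bit `size_t`.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed example, not Dell BSAFE code: decoding one DER
 * tag-length-value header and checking the declared length against
 * the bytes actually present, with and without wrap-safe arithmetic. */

typedef struct {
    uint8_t tag;
    size_t hdr_len;   /* bytes used by the tag and length octets */
    size_t value_len; /* length the record claims for its value */
} der_tlv;

/* Decode the length octets at buf[1..]; returns 1 on success. */
static int der_decode_len(const uint8_t *buf, size_t buf_len,
                          size_t *pos, size_t *len) {
    if (buf_len < 2) return 0;
    *pos = 1;
    uint8_t first = buf[(*pos)++];
    if (first < 0x80) { *len = first; return 1; }     /* short form */
    size_t n = first & 0x7f;
    if (n == 0 || n > sizeof(size_t)) return 0;       /* indefinite or too wide */
    if (n > buf_len - *pos) return 0;                 /* length octets cut off */
    *len = 0;
    for (size_t i = 0; i < n; i++) *len = (*len << 8) | buf[(*pos)++];
    return 1;
}

/* Unsafe pattern: pos + len can wrap around when len is huge, so a
 * record claiming more bytes than exist is wrongly accepted. */
int der_length_fits_naive(const uint8_t *buf, size_t buf_len) {
    size_t pos, len;
    if (!der_decode_len(buf, buf_len, &pos, &len)) return 0;
    return pos + len <= buf_len;
}

/* Hardened: compare against the bytes remaining; nothing can wrap. */
int der_read_tlv(const uint8_t *buf, size_t buf_len, der_tlv *out) {
    size_t pos, len;
    if (!der_decode_len(buf, buf_len, &pos, &len)) return 0;
    if (len > buf_len - pos) return 0;
    out->tag = buf[0]; out->hdr_len = pos; out->value_len = len;
    return 1;
}

/* Constructed records: a valid OCTET STRING, and a SEQUENCE whose
 * 8-octet length of 0xFF..FF wraps pos + len back below buf_len (64-bit). */
const uint8_t der_good[] = {0x04, 0x03, 'a', 'b', 'c'};
const uint8_t der_wrap[] = {0x30, 0x88, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
```

The naive check accepts `der_wrap` because `pos + len` wraps to 9, while the hardened form rejects it; a record that passes the naive check is exactly what a subsequent copy or read would run past the buffer on.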
ID: TALOSBLOG:031A02B360D9C25F9DB34CF3EBE68026
Published: Nov 4, 2025 at 14:26