Anonymous Hacker Dumps 30 Zero-Day PoCs for 7-Zip, Ghidra, Firefox, Docker

github.com · @wild_hawk · yesterday · Cybersecurity · 7 comments

An anonymous GitHub account has published 30 proof-of-concept exploits for undisclosed vulnerabilities across major software, none reported to vendors before the drop.

Tags: bikini, exploitarium, zero day, github, vulnerability research, cybersecurity

30 proof-of-concept exploits for undisclosed vulnerabilities across 7-Zip, Ghidra, Firefox, Docker, and 20 other tools hit GitHub yesterday, none of them previously reported to the affected vendors. The anonymous account 'bikini' created the repo 'exploitarium' and pushed 30 commits in a single day, each folder containing a fully functional PoC and, in many cases, a full write-up.

A Catalog of Unpatched Flaws

The repo covers a wide swath of software you probably have running somewhere. Highlights include a 7-Zip RAR5 Mark-of-the-Web chain (7zip-rar5-motw-chain-poc), a remote code execution in Ghidra 12.1.2 (ghidra-12.1.2-rce-ace-calc-poc), a Firefox SmartWindow private-window URL exfiltration (firefox-smartwindow-private-url-exfil-poc), a Docker cp destination escape (docker-cp-copyout-destination-escape), and an OpenVPN Connect ACE via echoed script input (openvpn-connect-echo-script-ace-poc). I count PoCs for FFmpeg, c-ares, nghttp2, nmap, libssh2, RustDesk, VLC, SystemInformer, and more.

Each folder holds the contents of one of the author's original standalone repos; the consolidation was verified via Git tree hashes against 12 former standalone repos containing 96 tracked entries, with zero mismatches. The author explicitly states these have not been reported to any CVE authority. The README reads: "Feel free to report them yourself and take credit for the CVE if handed out lulz."

Why This Matters

This isn't a proof-of-concept collection pulled from public disclosures. Every single one of these is a 0-day as of the repo creation timestamp. The author is deliberately skipping responsible disclosure and dumping exploit code directly to the public. Some of these target widely deployed libraries and tools: c-ares (used by curl, Node.js, and others), libssh2, nghttp2, and SystemInformer (formerly Process Hacker). A UAF in c-ares (c-ares-tcp-uaf-calc-poc) alone could have cascading impact across cloud infrastructure.

The repo already has 572 stars and 146 forks. The consolidation check assures readers that the PoCs are genuine reproductions of the original standalone repos. If you maintain any of these packages, you are now in a race against anyone who clones the repo and turns these PoCs into weaponized exploits.

What Security Teams Should Do Now

First, inventory your stack against the list of targeted software: 7-Zip, AnyDesk, c-ares, Docker, FFmpeg, Firefox, Floci API Gateway, Flowise, Ghidra, Gitea, ImageMagick, libssh2, Lunar Modrinth, MyBB, nghttp2, Nmap, objdump, OpenVPN Connect, PHP, RustDesk, SystemInformer, and VLC. For each, check if the affected version matches what you run. Since no CVEs have been issued yet, you'll need to rely on the PoC descriptions to understand the attack surface.

Second, even if you block or remove the PoCs from your own network, remember that the repo itself will continue to propagate. The author has already updated it with "new drops today ;) Biggest thing yet." Expect more to come.

Third, if you are a maintainer of any of these projects, the clock starts now. The exploit code is available in full, well-documented, and already forked. The next time your vulnerability scanner runs, some of these exploits may already be in the wild.
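One way to run the inventory step above on a Debian/Ubuntu fleet, as an added example that is not part of the article or the repo: match the output of `dpkg-query -W -f='${Package}\t${Version}\n'` against the software list named in the article. The package-name aliases and the sample dpkg output are assumptions constructed for the example; adjust them for your distribution and package manager.

```python
# Software named in the article (subset), mapped to the Debian/Ubuntu package
# names or name prefixes that ship it. Assumed mapping; extend for your distro.
WATCHLIST = {
    "7-Zip": ["7zip", "p7zip"],
    "c-ares": ["libc-ares2"],
    "FFmpeg": ["ffmpeg", "libavcodec", "libavformat"],
    "Firefox": ["firefox"],
    "libssh2": ["libssh2-1"],
    "nghttp2": ["libnghttp2-14"],
    "PHP": ["php"],
    "VLC": ["vlc", "libvlc"],
}

def _matches(alias, package):
    """Exact name, or alias followed by a digit, '-' or '.', so 'php'
    catches 'php8.2' and 'php-common' but not 'phpmyadmin'."""
    if package == alias:
        return True
    if package.startswith(alias):
        rest = package[len(alias):]
        return rest[0].isdigit() or rest[0] in "-."
    return False

def parse_dpkg(text):
    """Parse 'package<TAB>version' lines (dpkg-query -W -f output)."""
    pkgs = {}
    for line in text.splitlines():
        if "\t" in line:
            name, version = line.split("\t", 1)
            pkgs[name.strip()] = version.strip()
    return pkgs

def match_watchlist(installed, watchlist=WATCHLIST):
    """Return {software: [(package, version), ...]} for installed hits."""
    hits = {}
    for software, aliases in watchlist.items():
        found = sorted((p, v) for p, v in installed.items()
                       if any(_matches(a, p) for a in aliases))
        if found:
            hits[software] = found
    return hits

# Constructed sample of `dpkg-query -W -f='${Package}\t${Version}\n'` output.
SAMPLE = ("libc-ares2\t1.18.1-1\nlibnghttp2-14\t1.43.0-1\n"
          "phpmyadmin\t4:5.1.1-5\np7zip-full\t16.02-8\ncurl\t7.81.0-1\n")

if __name__ == "__main__":
    for software, pkgs in match_watchlist(parse_dpkg(SAMPLE)).items():
        print(software, "->", ", ".join(f"{p} {v}" for p, v in pkgs))
```

Since no affected versions have been published, the script only tells you which watched software is present and at what version; the version check against each PoC's description remains manual.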


Source: Anonymous GitHub account mass-dropping undisclosed 0-days
Domain: github.com