Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Apache Tomcat recently disclosed a critical security vulnerability, CVE-2025-24813, affecting several versions of its widely used servlet container. This vulnerability arises from improper handling of path equivalence checks involving filenames with internal dots (file…txt). Exploitation could result in unauthorized information disclosure, file manipulation, and even remote code execution (RCE).

Snyk is exploring using the open-source Golang project Bento to read data from Kafka streams and materialize intelligence to various outputs. We are pleased to share that we are proactively helping secure the Bento project by contributing dependency fix updates.

Snyk is committed to our partnership with ServiceNow, and together, we're revolutionizing how organizations manage Application vulnerabilities and risk. Snyk's market-leading developer security platform and ServiceNow's robust Security Operations (SecOps) capabilities offer a powerful solution for Application Security teams and Enterprise CISOs.

When developing a JavaScript package with npm, direct dependencies are defined within the dependencies section of the package.json file. Developers manage these dependencies' versions using semver-compliant version specifications. This allows for precise control, from specifying exact versions to defining ranges that permit the package manager to select compatible versions.

Security is often seen as a roadblock in development, slowing releases and adding friction between teams. However, as software development cycles become faster and more complex, security must evolve from a blocker to an innovation driver. DevSecOps ensures security is a core part of the development workflow, and automation plays a crucial role in making this integration smooth and effective.

AI code generation is exactly what it sounds like — using artificial intelligence to write and improve code. Tools powered by large language models (LLMs) and specialized AI systems can help developers generate boilerplate code, fix bugs, and even refactor entire sections of an application. And developers are leaning in. According to a GitHub survey, 92% of developers have already used AI coding tools at work or on personal projects.

Within the cybersecurity landscape, zero-day vulnerabilities have become a significant threat to companies, especially bigger enterprises. It is a form of cyberattack in which a security flaw that is undiscovered by the organization is exploited by attackers. Zero-day threats pose a serious challenge to enterprises as it becomes difficult to detect and mitigate an attack which is unknown.

In the days leading up to the publication of the Apache Camel Message Header Injection via Improper Filtering, now known as CVE-2025-27636, alarmist noise emerged from the wider cyber community, with Kevin Beaumont describing it as an “end of the world zero day” in Apache Camel, along with explicit details on how elements of this vulnerability worked.