MonkeHacks #59

I had a really, really busy week again. On Monday, I took the train down to Liverpool to visit some friends who were on a trip there. On Tuesday, I spent the day in Manchester and I visited Old Trafford, the stadium of Manchester United - a team that I’ve been following as a non-serious fan for over 10 years. The weather was really good, so I really enjoyed the trip. I’d like to return there to watch a match sometime this year.

I had a lot more pentest work, but thankfully that’s wrapped up now - but I really had to dig deep to find the energy to complete it. My focus is now on finding bugs for my upcoming trip to Japan on Monday. Next week’s issue - MonkeHacks 60 - is going to be really, really good.

Weekly Ideas / Notes 

• I found a few more cool bugs this week. I hope I can write about them eventually - they were creative ones. I think this type of creativity is one of my strong points.

• I’ve been trying to adjust my sleep schedule a bit for my upcoming trip, but it’s somewhat backfired and now I’ve caught a mild cold. You can’t hack your health! I think it’ll go away by tomorrow.

• I’ve been taking very few rest days for the past couple of weeks. I have no concept of a weekend anymore and usually I work 3-4 hours on my rest days as well. So, while I’m in Japan, I’m going to take some time to recover properly and rest without working on some days. That said, I do intend on bringing my bouldering shoes with me. Exercise is a form of rest too.

• On Sunday evening (tomorrow, at time of writing), I’m flying to Heathrow airport and staying there overnight, and then flying to Tokyo on Monday morning. I’ll write more about that in the next issue. The general plan is to go to Tokyo, then Osaka, Kyoto, Kobe, and finally Sendai before returning home. For now, I need to pack my bags. I got a Travelpro suitcase recently as my old suitcase was cheap and difficult to wheel around. Travelpro make much more robust suitcases, so I want to get a few years out of this one.

• One of my friends here in Scotland loves cameras, and that’s motivated me to take more photos and videos. I’ll try to document the Japan trip properly.

Resources

There was a lot of articles this week!

• React Router and the Remix’ed path: Zhero just is not slowing down. Another crazy bug, in another Javascript framework!

• Client-side RCE via symlink following in Google Web Designer for macOS/Linux: CVE-2025-1079: My good friend Balint landed their first 5-figure bounty with this immense bug - here’s the writeup from their blog. Good work, my friend!

• Hacking the Call Records of Millions of Americans: Brief but impactful bug from Evan Connelly.

• XSS To RCE By Abusing Custom File Handlers - Kentico Xperience CMS (CVE-2025-2748): WatchTowr with another detailed article.

• Loose Types Sink Ships: Pre-Authentication SQL Injection in Halo ITSM: Acquisition hasn’t stopped Assetnote from producing more excellent research.