PatchLeaks

Zero-Day to Zero Doubt: CVE -> Patch -> PoC

Vulnerability Detection

Automatically detect and analyze security vulnerabilities in code changes

AI-Powered Analysis

Leverage cutting-edge AI models to identify complex security issues

Version Tracking

Track patch changes across multiple software versions effortlessly

Example finding (vulnerable code vs. patched code): CVE-2024-47048 detected, XSS via dangerouslySetInnerHTML.

Security fixes identified in the patch:
Security Fix: DOMPurify import added
Security Fix: Purify options imported
Security Fix: Content sanitization applied

CVE-2024-47048

Rocket.Chat 6.12.0 and earlier allows stored XSS in the description and release notes of the marketplace and private apps.

Security Patch

Added DOMPurify sanitization to prevent XSS attacks

Impact Analysis

XSS vulnerability completely mitigated with DOMPurify

Folder Analysis

Compare security patches between local directories with precision

--- magento2-2.4.6-p8/Download.php
+++ magento2-2.4.6-p9/Download.php
@@ -81,13 +81,11 @@
         return $resultRedirect;
     }

-    // phpcs:ignore Magento2.Functions.DiscouragedFunction
-    $fileName = basename($fileName);
-
-    $exportDirectory = $this->filesystem->getDirectoryRead(...);
+    $exportDirectory = $this->filesystem->getDirectoryWrite(...);
     try {
-        $fileExist = $exportDirectory->isExist('export/' . $fileName);
+        $fileName = $exportDirectory->getDriver()->getRealPathSafety(...);
+        $fileExist = $exportDirectory->isExist('export' . $fileName);
     } catch (Throwable $e) {
         $fileExist = false;
     }
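Review bot: the new `'export' . $fileName` concatenation drops the `/` that the removed `'export/' . $fileName` line had, so correctness now rests on the elided `getRealPathSafety(...)` argument yielding a path that begins with a separator; if it ever returns a bare file name, the existence check targets `exportfoo.csv` rather than `export/foo.csv`. Consider joining with an explicit `DIRECTORY_SEPARATOR` or documenting the expected return shape. Two smaller points: the handle changes from `getDirectoryRead` to `getDirectoryWrite` although the visible code only calls `isExist`, so the wider permission deserves a justification in the commit message; and the hunk normalizes the path but shows no explicit check that the result still lies under `export/`, which would make the intent of the fix self-evident to a later reader.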

Identified CVE-2025-24406: Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to a security feature bypass. An unauthenticated attacker could exploit this vulnerability to modify files that are stored outside the restricted directory. Exploitation of this issue does not require user interaction.

Folder Analysis

Comparing versions: Magento 2.4.6-p8 → 2.4.6-p9
Analyzes security patches between local directory versions

Product Analysis

Track and analyze security patches across GitHub repositories

# PatchLeaks route; the Flask app object and the helpers load_products,
# save_products and fetch_github_tags are the app's own and are not shown here
from flask import request, redirect

@app.route('/manage-products', methods=['POST'])
def add_product():
    # Product name and GitHub repository URL come from the submitted form
    product_name = request.form['product_name']
    repo_url = request.form['repo_url']

    # Register the product and cache its GitHub tags for later analysis
    products = load_products()
    products[product_name] = {
        'repo': repo_url,
        'versions': fetch_github_tags(repo_url)
    }
    save_products(products)
    return redirect('/products')
Automatically caches GitHub tags for future analysis
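The registration flow above takes a product name and a repository URL from a form and caches the repository's tags. The following is an added example, not PatchLeaks' own code, of the same flow written as plain functions so it can be exercised without a running Flask app: the product store is assumed to be a JSON file (the store parameter), fetch_github_tags is replaced by an injected callable (fake_fetch_tags returns constructed sample tags, so nothing touches the network), and the validation rules in validate_repo_url and PRODUCT_NAME_RE (https GitHub URLs of the form owner/repo, short slug names) are assumptions added here rather than rules the page states.

```python
"""Added example (not PatchLeaks' code): a testable version of the
product-registration flow.  Assumes a JSON file as the product store and a
fetcher callable in place of fetch_github_tags, so it runs offline."""
import json
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Assumed constraints: a product name is a short slug, and a repository URL
# must be an https GitHub URL naming owner/repo (optional .git or trailing /).
PRODUCT_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")
REPO_PATH_RE = re.compile(
    r"^/([A-Za-z0-9][A-Za-z0-9_.-]*)/([A-Za-z0-9][A-Za-z0-9_.-]*?)(?:\.git)?/?$"
)


def validate_repo_url(repo_url):
    """Return the canonical https://github.com/owner/repo URL or raise ValueError."""
    parts = urlparse(repo_url)
    if parts.scheme != "https" or parts.netloc.lower() != "github.com":
        raise ValueError("repo_url must be an https://github.com/... URL")
    match = REPO_PATH_RE.match(parts.path)
    if not match:
        raise ValueError("repo_url must name owner/repo")
    owner, repo = match.group(1), match.group(2)
    return f"https://github.com/{owner}/{repo}"


def load_products(store):
    """Read the product store (a JSON object keyed by product name)."""
    path = Path(store)
    if not path.exists():
        return {}
    return json.loads(path.read_text())


def save_products(store, products):
    """Write the product store back as JSON."""
    Path(store).write_text(json.dumps(products, indent=2, sort_keys=True))


def add_product(store, product_name, repo_url, fetch_tags):
    """Validate inputs, cache the repository's tags and return the stored record."""
    if not PRODUCT_NAME_RE.match(product_name):
        raise ValueError("invalid product name")
    canonical = validate_repo_url(repo_url)
    products = load_products(store)
    products[product_name] = {"repo": canonical, "versions": fetch_tags(canonical)}
    save_products(store, products)
    return products[product_name]


def fake_fetch_tags(repo_url):
    """Stand-in for fetch_github_tags: constructed sample tags, no network."""
    return ["2.4.6-p8", "2.4.6-p9"]


def demo():
    """Register one product in a temporary store and read it back."""
    with tempfile.TemporaryDirectory() as tmp:
        store = Path(tmp) / "products.json"
        record = add_product(
            store, "Magento", "https://github.com/magento/magento2.git", fake_fetch_tags
        )
        reloaded = load_products(store)
        return record, reloaded


if __name__ == "__main__":
    print(demo())
```

Keeping the route thin and moving the work into functions that take the store and the fetcher as parameters is what makes the validation and caching testable; the Flask handler would then only unpack request.form and call add_product.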

Product Management

Currently managing 4 products

AI Analysis

Advanced AI-powered code vulnerability detection

AI Analysis Configuration

Current model: qwen2.5-coder:3b (Ollama)
Higher temperature increases creativity; lower temperature increases focus.
def load_ai_config():
    """Return the AI backend settings: which service to use, how to reach it,
    and the sampling parameters passed to the model."""
    return {
        'service': 'ollama',
        'ollama': {
            'url': 'http://localhost:11434',   # local Ollama endpoint
            'model': 'qwen2.5-coder:3b'
        },
        'parameters': {
            'temperature': 1.0,   # sampling temperature
            'num_ctx': 8192       # context window in tokens
        }
    }
Configuration supports multiple AI providers

Analysis Reports

Comprehensive security vulnerability reports

Saved Analysis Report

CVE-2025-24406 Patched in 2.4.6-p9
Magento Analysis ID: b8f7be59-c281-4301-8e60-bb86a3367eb4
{
  "analysis_id": "b8f7be59-c281-4301-8e60-bb86a3367eb4",
  "timestamp": "2025-04-18T10:57:01Z",
  "parameters": {
    "product": "Magento",
    "old_version": "2.4.6-p8",
    "new_version": "2.4.6-p9"
  },
  "findings": [
    {
      "file": "Download.php",
      "cve": "CVE-2025-24406",
      "severity": "Critical",
      "patch": "Added path safety checks",
      "status": "Resolved"
    }
  ]
}
Full report includes AI analysis and CVE details