v2.4.2
Highlights
- FFmpeg hardening — response to the June 2026 disclosure of 21 FFmpeg vulnerabilities (CVE-2026-39210…39218 and friends). Every FFmpeg input now pins its container format explicitly instead of letting FFmpeg auto-probe, so downloaded bytes can never be routed into demuxers the extension never feeds intentionally (MPEG-TS, AVI, CAF — the file-parsing components affected by the disclosure). The network-facing vulnerabilities (RTSP/RTP/RTMP/DASH, including the headline AV1-RTP RCE) were never reachable: the extension only ever passes in-memory files to FFmpeg, never URLs, and everything runs inside the browser's WASM sandbox. No patched FFmpeg core exists upstream yet; this closes the realistic attack path in the meantime.
- Leaner dependencies — dropped the unused legacy `@ffmpeg/core-st` package.
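
The input pinning described in the FFmpeg hardening item, as an added example that is not the extension's own code: FFmpeg's `-f` option placed before `-i` forces the input demuxer instead of probing. The allowlist, file names and function names below are assumptions made for illustration.

```javascript
// Added example. The allowlist and function names are assumptions for
// illustration, not the extension's own code.
const ALLOWED_INPUT_FORMATS = new Set(['mp4', 'webm', 'mp3']); // constructed list
// Plain file name only: no "scheme:", no path separators, no leading "-".
const SAFE_NAME = /^[A-Za-z0-9_][A-Za-z0-9._-]*$/;

// Build the argument group for one in-memory input with its demuxer pinned.
function pinnedInput(name, format) {
  if (!ALLOWED_INPUT_FORMATS.has(format)) {
    throw new Error(`input format not allowlisted: ${format}`);
  }
  if (!SAFE_NAME.test(name)) {
    throw new Error(`input must be a plain in-memory file name: ${name}`);
  }
  return ['-f', format, '-i', name];
}

// Audit a finished argument list before it is handed to FFmpeg. Strict rule:
// every -i must be directly preceded by "-f <allowlisted format>" and must
// name a plain file. Returns the list of problems found.
function auditArgs(args) {
  const problems = [];
  args.forEach((arg, i) => {
    if (arg !== '-i') return;
    const input = args[i + 1];
    const isPinned =
      i >= 2 && args[i - 2] === '-f' && ALLOWED_INPUT_FORMATS.has(args[i - 1]);
    if (!isPinned) {
      problems.push(`input ${input}: format not pinned to an allowlisted demuxer`);
    }
    if (typeof input !== 'string' || !SAFE_NAME.test(input)) {
      problems.push(`input ${input}: not a plain in-memory file name`);
    }
  });
  return problems;
}

// Constructed sample command lines.
const probedArgs = ['-i', 'download.bin', '-c', 'copy', 'out.mp4'];
const pinnedArgs = [
  ...pinnedInput('video.mp4', 'mp4'),
  ...pinnedInput('audio.webm', 'webm'),
  '-c', 'copy', 'out.mp4',
];
console.log(auditArgs(probedArgs));
console.log(auditArgs(pinnedArgs));
```

Running `auditArgs` in a unit test over every argument list the code base builds catches a newly added input that falls back to auto-probing.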
Full changelog: v2.4.1...v2.4.2