Only the latest release of PaperSync receives security fixes. Older versions are not backported.

| Version | Supported |
|---|---|
| latest | ✅ |
| older | ❌ |

Do not open a public GitHub issue for security vulnerabilities.
Report vulnerabilities by email to Maximilian Furch at github@furch-services.de. Include:
- A description of the vulnerability and its potential impact
- Steps to reproduce or a proof-of-concept (redact any credentials)
- The PaperSync version affected (Docker image tag or commit SHA)
You will receive an acknowledgement within 72 hours. We aim to release a fix within 14 days for critical issues, depending on complexity.
We will credit you in the release notes unless you prefer to remain anonymous.
The following are in scope:
- Authentication bypass or session token vulnerabilities
- Sensitive data exposure (API keys, credentials stored in the database)
- Remote code execution or server-side injection
- Path traversal or arbitrary file read/write
- CSRF vulnerabilities in the web UI
- Dependency vulnerabilities with a known CVE and active exploit
The following are out of scope:
- Vulnerabilities that require physical access to the host
- Issues in dependencies without a known CVE or active exploit
- Self-XSS or attacks that require the attacker to already be authenticated as an admin
- Denial-of-service via API flooding (mitigate with your reverse proxy)
- Security findings from automated scanners without manual validation
PaperSync is designed as a single-tenant, self-hosted application. The assumed deployment is:
- Running inside a private Docker network
- Exposed exclusively through a reverse proxy (Caddy, nginx, Traefik, etc.) with TLS
- Not directly accessible from the public internet on port 8000
Within that model:
- API credentials (Papierkram, Paperless-ngx) are encrypted at rest using Fernet symmetric encryption.
- Web UI sessions use signed, timed tokens (itsdangerous) with a per-session nonce (jti) and server-side revocation on logout.
- Passwords are never stored — only compared at runtime using `hmac.compare_digest`.
- The container runs as an unprivileged user (UID 1000) after startup.
If you deploy PaperSync outside this model (e.g. exposed directly to the internet without a reverse proxy), additional hardening is your responsibility.
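As an added illustration of the session-token and password-check scheme described above (example code, not PaperSync's own): a minimal standard-library re-implementation of a signed, timed token with a per-session `jti` nonce and a server-side revocation set, using `hmac`/`hashlib` in place of the `itsdangerous` library the project uses. The key, maximum age and in-memory revocation store are constructed assumptions for the demo.

```python
from __future__ import annotations
import base64, hashlib, hmac, json, secrets, time

# Constructed demo values: a real deployment loads the key from config, not source.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"
MAX_AGE_SECONDS = 3600
# Server-side revocation store: a jti lands here on logout, so the token is dead
# even though its signature and timestamp would still validate.
REVOKED_JTI: set[str] = set()

def _sign(body: str) -> str:
    # HMAC-SHA256 over the encoded payload, urlsafe-base64 encoded
    mac = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()

def issue_token(subject: str, now: float | None = None) -> str:
    # Signed, timed token carrying a fresh per-session nonce (jti)
    issued_at = int(time.time() if now is None else now)
    payload = {"sub": subject, "iat": issued_at, "jti": secrets.token_urlsafe(16)}
    body = base64.urlsafe_b64encode(json.dumps(payload).encode()).decode()
    return f"{body}.{_sign(body)}"

def verify_token(token: str, now: float | None = None) -> dict | None:
    # Returns the payload only if signature, age and revocation checks all pass
    try:
        body, signature = token.rsplit(".", 1)
    except ValueError:
        return None  # malformed: no separator
    if not hmac.compare_digest(signature, _sign(body)):
        return None  # tampered body or forged signature
    payload = json.loads(base64.urlsafe_b64decode(body))
    current = time.time() if now is None else now
    if current - payload["iat"] > MAX_AGE_SECONDS:
        return None  # expired
    if payload["jti"] in REVOKED_JTI:
        return None  # revoked on logout
    return payload

def logout(token: str, now: float | None = None) -> bool:
    # Revoke the token's jti; later verification fails even before expiry
    payload = verify_token(token, now)
    if payload is None:
        return False
    REVOKED_JTI.add(payload["jti"])
    return True

def check_password(supplied: str, expected: str) -> bool:
    # Constant-time comparison against a configured password that is never persisted
    return hmac.compare_digest(supplied.encode(), expected.encode())
```

The revocation set is what makes logout effective before the token's `MAX_AGE_SECONDS` window closes; a purely stateless timed token cannot be invalidated early.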