Skip to content

v3.1.2

Latest

Choose a tag to compare

@hahwul hahwul released this 27 Jun 10:27

3.1.2

A maintenance release: reflected-XSS false-positive fixes, stricter URL-scheme handling, async server / MCP resource-safety, and documentation accuracy fixes.

Fixed

  • Reject non-http(s) URL schemes outright instead of mangling them into malformed targets.
  • Suppressed a false [R] for javascript: WAF strip-mutations reflected in inert contexts, and a false [V] for on* handlers on <input type="hidden">. Fixes #1183.
  • Resource-safety, REST / MCP parity, and hot-path performance fixes across the async scan front-ends — bounded worker leaks, reclaimed job slots, and aligned server / MCP options. Fixes #1190.

Performance & Reliability

  • Bounded query-discovery memory with a chunked spawn-and-drain, capping live-task memory during parameter mining.

Documentation

  • Clarified that --scan-timeout caps only the injection stage, and corrected the MCP encoder list (#1182), the server flag table (#1175), the Google Frontend WAF confidence value (#1181), and the URI-scheme payload example (#1174).
  • Version-bump tooling now keeps the installation guide's dalfox <version> example in lockstep, fixing the stale sample (#1180).

New Contributors

Full Changelog: v3.1.1...v3.1.2