v1.11.5

n4ze3m released this 29 Jun 07:10

Security

Fixes an unauthenticated path traversal in the GET /api/v1/view/* route. The route resolved attacker-controlled input without containment, allowing reads outside the intended assets directory. Requests are now confined to the uploads directory and anything resolving outside it returns 404. (#317)

Action required after upgrading: rotate DB_SECRET_KEY in your deployment — the previous value should be treated as potentially exposed. Note this invalidates existing sessions.
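The containment rule described in the fix above, sketched as an added example (not the project's own code): an unchecked resolver beside a contained one that yields `null` where the handler should answer 404. The uploads root, function names and sample inputs are hypothetical, and the sketch assumes POSIX paths.

```javascript
const path = require("node:path");

// Hypothetical uploads root (assumption; the project's real path is not on the page).
const UPLOADS_ROOT = path.resolve("/srv/app/uploads");

// "Before" shape: untrusted input is joined onto the root and used as-is.
function resolveUnchecked(requested) {
  return path.join(UPLOADS_ROOT, requested);
}

// Hardened shape: resolve first, then require the result to stay under the root.
// Returns the absolute file path, or null when the handler should answer 404.
function resolveContained(requested) {
  let decoded;
  try {
    decoded = decodeURIComponent(requested); // check the form that reaches the filesystem
  } catch {
    return null; // malformed percent-encoding
  }
  if (decoded.includes("\0")) return null; // NUL bytes never belong in a file name

  // Prefixing "./" stops an absolute input such as "/etc/passwd" from replacing the root.
  const target = path.resolve(UPLOADS_ROOT, "." + path.sep + decoded);

  // Compare by relative path, not by string prefix: a startsWith() test on the
  // root would also accept the sibling directory "/srv/app/uploads-backup".
  const rel = path.relative(UPLOADS_ROOT, target);
  const escapes = rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel);
  if (rel === "" || escapes) return null; // the root itself is not a servable file
  return target;
}

// Constructed sample inputs, run through both resolvers for comparison.
function demo() {
  const samples = [
    "bot/logo.png",
    "../../etc/passwd",
    "%2e%2e%2f%2e%2e%2fetc%2fpasswd",
    "../uploads-backup/x.png",
    "/etc/passwd",
  ];
  return samples.map((input) => ({
    input,
    unchecked: resolveUnchecked(input),
    contained: resolveContained(input),
  }));
}

console.log(demo());
```

`path.resolve` does not follow symbolic links, so if the uploads directory can contain symlinks, compare `fs.realpath` results for both the root and the target instead.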

Other

  • Build the Docker image on Node 20 (fast-jwt now requires node >=20; Node 18 is also EOL).

Docker

docker pull n4z3m/dialoqbase:v1.11.5

Full Changelog: v1.11.4...v1.11.5