1.0.109

@nictuku nictuku released this 20 May 20:14
14d7371

Security: fixes GHSA-9gw6-46qc-99vr (operator token exposure on streamable-HTTP transport). Upgrade strongly recommended for any self-hosted deployment running --transport streamable-http on a network-reachable port.

Changes

  • HTTP middleware now returns 401 + WWW-Authenticate: Bearer when no Authorization: Bearer or X-PIPEBOARD-API-TOKEN header is present, instead of falling through to tool handlers using the META_ACCESS_TOKEN env var as an implicit fallback.
  • Graph API error payloads now redact access_token and appsecret_proof from the url and request_url fields.
  • Adds SECURITY.md with reporting policy and the advisory entry.
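The two behavioural changes above, the authentication gate and the error-payload redaction, are easy to get subtly wrong, so here is an added illustration in Python (it is not the project's code and does not reproduce its actual middleware). It contrasts the pre-fix pattern the notes describe (missing header silently replaced by the META_ACCESS_TOKEN env var) with the fixed behaviour (401 plus WWW-Authenticate: Bearer), and shows redaction of access_token and appsecret_proof from the url and request_url fields. Function names (extract_token, legacy_auth, auth_middleware, redact_error_payload), the sample URL and the token values are all constructed for the example.

```python
"""Added illustration (not the project's code) of an HTTP auth gate that
refuses token-less requests instead of falling back to an env-var token,
plus redaction of secrets from URL fields in Graph API error payloads."""
import os
import re
from typing import Callable, Mapping, Optional, Tuple

Headers = Mapping[str, str]
Response = Tuple[int, dict, str]  # (status, response headers, body)
Handler = Callable[[str], Response]

# Query parameters that must never reach a client-visible error payload.
SECRET_PARAMS = ("access_token", "appsecret_proof")
_SECRET_RE = re.compile(r"\b(" + "|".join(SECRET_PARAMS) + r")=[^&#\s]*", re.IGNORECASE)


def extract_token(headers: Headers) -> Optional[str]:
    """Return the caller-supplied token from 'Authorization: Bearer <tok>' or
    X-PIPEBOARD-API-TOKEN (header names compared case-insensitively).
    An absent or empty token yields None; no other source is consulted."""
    lowered = {k.lower(): v for k, v in headers.items()}
    auth = lowered.get("authorization", "")
    if auth.lower().startswith("bearer "):
        tok = auth[len("bearer "):].strip()
        if tok:
            return tok
    tok = lowered.get("x-pipeboard-api-token", "").strip()
    return tok or None


def legacy_auth(headers: Headers, handler: Handler,
                env: Mapping[str, str] = os.environ) -> Response:
    """Pre-fix pattern described in the notes: a request with no token is
    served using the operator's META_ACCESS_TOKEN, so any network peer can
    act with the operator's credentials. Kept here only for contrast."""
    token = extract_token(headers) or env.get("META_ACCESS_TOKEN")
    if token is None:
        return 401, {"WWW-Authenticate": "Bearer"}, ""
    return handler(token)


def auth_middleware(headers: Headers, handler: Handler) -> Response:
    """Fixed behaviour: no caller-supplied token means 401 with a
    WWW-Authenticate: Bearer challenge; the env var is never consulted."""
    token = extract_token(headers)
    if token is None:
        return 401, {"WWW-Authenticate": "Bearer"}, ""
    return handler(token)


def redact_url(url: str) -> str:
    """Replace the value of each secret query parameter with REDACTED."""
    return _SECRET_RE.sub(r"\1=REDACTED", url)


def redact_error_payload(payload: dict) -> dict:
    """Return a copy of an error payload with url/request_url scrubbed."""
    out = dict(payload)
    for field in ("url", "request_url"):
        if isinstance(out.get(field), str):
            out[field] = redact_url(out[field])
    return out


def demo_handler(token: str) -> Response:
    """Stand-in tool handler that reveals which token it was given."""
    return 200, {}, "ok:" + token


if __name__ == "__main__":
    # Constructed operator environment; the token value is made up.
    fake_env = {"META_ACCESS_TOKEN": "operator-secret"}
    print("legacy, no header :", legacy_auth({}, demo_handler, fake_env))
    print("fixed,  no header :", auth_middleware({}, demo_handler))
    print("fixed,  with token:",
          auth_middleware({"Authorization": "Bearer client-token"}, demo_handler))
    # Constructed error payload; host, version and values are illustrative.
    err = {"message": "upstream error",
           "request_url": "https://graph.example/vX.Y/me?access_token=EAAB123"
                          "&appsecret_proof=deadbeef&fields=id"}
    print("redacted payload  :", redact_error_payload(err))
```

The contrast worth noticing is in legacy_auth: the `or env.get(...)` makes the env var a second credential source, so an unauthenticated peer on the listening port is transparently upgraded to the operator's token. auth_middleware has exactly one source of truth (the request) and returns the Bearer challenge otherwise. The redaction is applied to the URL fields before the payload is serialised, so a logged or returned error can no longer carry the token or the appsecret_proof.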

Operator action

  • Upgrade to 1.0.109.
  • If you previously exposed an earlier version to an untrusted network, rotate the Meta access token and review Graph API access logs.
  • HTTP clients must send Authorization: Bearer <meta-access-token> on every request; the env-var fallback no longer applies to HTTP transport.