1.0.115
Security: fixes GHSA-45gf-fjxp-cjpq — Server-Side Request Forgery (SSRF, High) in upload_ad_image. A caller-supplied image_url was fetched server-side without host/IP validation, allowing requests to loopback, private-network, and cloud-metadata addresses. Upgrade strongly recommended for anyone running the streamable-http transport.
What changed
- Restrict server-side image fetches to
http/httpsURLs that resolve to public addresses; block private, loopback, link-local, reserved, multicast, and cloud-metadata targets (IPv4-mapped IPv6 unwrapped). - Re-validate every redirect hop so a public URL cannot redirect into an internal address.
See SECURITY.md for affected versions and operator actions.