Skip to content

1.0.115

Choose a tag to compare

@nictuku nictuku released this 05 Jun 18:57
7d99263

Security: fixes GHSA-45gf-fjxp-cjpq — Server-Side Request Forgery (SSRF, High) in upload_ad_image. A caller-supplied image_url was fetched server-side without host/IP validation, allowing requests to loopback, private-network, and cloud-metadata addresses. Upgrade strongly recommended for anyone running the streamable-http transport.

What changed

  • Restrict server-side image fetches to http/https URLs that resolve to public addresses; block private, loopback, link-local, reserved, multicast, and cloud-metadata targets (IPv4-mapped IPv6 unwrapped).
  • Re-validate every redirect hop so a public URL cannot redirect into an internal address.

See SECURITY.md for affected versions and operator actions.