Skip to content

Security: ronak-create/FableCut

Security

SECURITY.md

Security Policy

Supported versions

FableCut is distributed from the main branch. Security fixes are applied to the latest release only.

Version Supported
1.x (latest main)
< 1.0

Reporting a vulnerability

Please do not open a public issue for security vulnerabilities.

Report privately through GitHub's private vulnerability reporting (Security → Advisories → Report a vulnerability), or contact the maintainer @ronak-create directly.

Please include:

  • A description of the issue and its impact
  • Steps to reproduce (a minimal project.json or request is ideal)
  • The affected file/endpoint and your environment (OS, Node version)

You can expect an initial acknowledgement within a few days. Once a fix is released, we're happy to credit you unless you prefer to remain anonymous.

Scope & threat model

FableCut is designed to run locallynode server.js binds an unauthenticated HTTP server on localhost:7777 intended for a single trusted user on their own machine. It is not hardened for exposure to untrusted networks or multi-tenant use. Relevant considerations if you deploy it beyond localhost:

  • The REST API (/api/*) has no authentication — anyone who can reach the port can read and overwrite project.json and upload files into media/.
  • The server reads and writes files under the project directory and shells out to ffmpeg for export/remux.
  • Do not expose the port publicly. If you must, put it behind your own authentication and network controls.

Reports about behavior that only occurs when the server is intentionally exposed to untrusted networks are still welcome, but are lower priority than issues exploitable in the intended local, single-user setup.

There aren't any published security advisories