FableCut is distributed from the main branch. Security fixes are applied to the
latest release only.
| Version | Supported |
|---|---|
1.x (latest main) |
✅ |
| < 1.0 | ❌ |
Please do not open a public issue for security vulnerabilities.
Report privately through GitHub's private vulnerability reporting (Security → Advisories → Report a vulnerability), or contact the maintainer @ronak-create directly.
Please include:
- A description of the issue and its impact
- Steps to reproduce (a minimal
project.jsonor request is ideal) - The affected file/endpoint and your environment (OS, Node version)
You can expect an initial acknowledgement within a few days. Once a fix is released, we're happy to credit you unless you prefer to remain anonymous.
FableCut is designed to run locally — node server.js binds an unauthenticated
HTTP server on localhost:7777 intended for a single trusted user on their own
machine. It is not hardened for exposure to untrusted networks or multi-tenant
use. Relevant considerations if you deploy it beyond localhost:
- The REST API (
/api/*) has no authentication — anyone who can reach the port can read and overwriteproject.jsonand upload files intomedia/. - The server reads and writes files under the project directory and shells out to
ffmpegfor export/remux. - Do not expose the port publicly. If you must, put it behind your own authentication and network controls.
Reports about behavior that only occurs when the server is intentionally exposed to untrusted networks are still welcome, but are lower priority than issues exploitable in the intended local, single-user setup.