This release includes 1 security fix and is relevant to security teams reviewing exposed deployments.
ReleasePort's take
Light signal: v1.3.11 patches an open redirect vulnerability caused by backslash normalization, moving redirect validation into SafeRedirectURL, and introduces ACKIFY_ALLOWED_REDIRECT_HOSTS for allowlisting external redirect targets. Apply immediately if ackify handles user-provided redirects.
Why it matters: an open redirect lets an attacker bounce a user from a trusted ackify URL to an attacker-controlled site, which is a standard phishing primitive. Deploy v1.3.11 to all ackify deployments that process user-provided redirect URLs.
Summary
AI summary: Fixes open redirect vulnerability via backslash normalization and adds external redirect allowlist.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Security | Medium | Open redirect fixed via backslash URL normalization in `SafeRedirectURL`. | — |
| Feature | Medium | Login prompt banner and adaptive "Sign in" button added for unauthenticated document links. | — |
| Feature | Medium | External redirect allowlist introduced with `ACKIFY_ALLOWED_REDIRECT_HOSTS` environment variable. | — |
| Bugfix | Medium | Reminder auth links now functional regardless of MagicLink feature flag status. | — |
Full changelog
Security
Fix open redirect via backslash URL normalization
Browsers normalize \ to / in Location headers. A host-only check sees /\evil.com as a relative path with no host and lets it through, but the browser rewrites it to //evil.com (a protocol-relative URL) and redirects to the external domain. Redirect validation is now handled by SafeRedirectURL, which explicitly rejects paths containing a backslash as well as protocol-relative URLs.
New: external redirect allowlist (ACKIFY_ALLOWED_REDIRECT_HOSTS)
Optional comma-separated list of hostnames (with optional port) accepted as post-auth redirect targets. Absolute URLs pointing to hosts not in the list fall back to /. Defaults to empty (same-origin redirects only), preserving existing behaviour. Only add hosts you control; every listed host becomes a redirect destination reachable through ackify.
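To make the two points above concrete (the backslash bypass described in the security fix, and the host allowlist semantics of ACKIFY_ALLOWED_REDIRECT_HOSTS), here is an added Go example of a redirect validator with the same rules. It is illustrative code written for this page, not ackify's SafeRedirectURL; the function names safeRedirect and parseAllowedHosts, the exact-match-on-host:port behaviour and the rejection of userinfo and non-http(s) schemes are assumptions, and the allowlist string and inputs are constructed.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// parseAllowedHosts turns a comma-separated "host[:port]" list (the shape of
// ACKIFY_ALLOWED_REDIRECT_HOSTS) into a lookup set. Assumed helper, not ackify's.
func parseAllowedHosts(env string) map[string]bool {
	allowed := map[string]bool{}
	for _, h := range strings.Split(env, ",") {
		h = strings.ToLower(strings.TrimSpace(h))
		if h != "" {
			allowed[h] = true
		}
	}
	return allowed
}

// safeRedirect returns raw if it is a same-origin path or an absolute http(s)
// URL whose host[:port] is allowlisted; everything else falls back to "/".
// Assumed implementation for illustration; not the project's SafeRedirectURL.
func safeRedirect(raw string, allowed map[string]bool) string {
	const fallback = "/"
	if raw == "" {
		return fallback
	}
	// Browsers rewrite "\" to "/" in Location, so "/\evil.com" becomes
	// "//evil.com". Reject any backslash before the URL parser sees it.
	if strings.ContainsRune(raw, '\\') {
		return fallback
	}
	// Protocol-relative URLs ("//evil.com") inherit the scheme but not the host.
	if strings.HasPrefix(raw, "//") {
		return fallback
	}
	u, err := url.Parse(raw)
	if err != nil {
		return fallback
	}
	// Same-origin case: no scheme, no authority, and an absolute path.
	if u.Scheme == "" && u.Host == "" {
		if !strings.HasPrefix(raw, "/") {
			return fallback
		}
		return u.String()
	}
	// Absolute URL: http(s) only, no userinfo tricks ("https://good@evil.com"),
	// and the host (including any port) must match an allowlist entry exactly.
	if u.Scheme != "http" && u.Scheme != "https" {
		return fallback
	}
	if u.User != nil {
		return fallback
	}
	if !allowed[strings.ToLower(u.Host)] {
		return fallback
	}
	return u.String()
}

func main() {
	// Constructed allowlist and sample inputs for demonstration.
	allowed := parseAllowedHosts("docs.example.com, app.example.com:8443")
	for _, in := range []string{
		"/dashboard",
		`/\evil.com`,
		"//evil.com",
		"https://docs.example.com/d",
		"https://docs.example.com:8443/d",
		"https://evil.com/",
	} {
		fmt.Printf("%-34q -> %q\n", in, safeRedirect(in, allowed))
	}
}
```

With an empty allowlist the validator is same-origin only, matching the documented default; note that a port in the request must also appear in the allowlist entry, since "docs.example.com" does not match "docs.example.com:8443".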
Features
Better UX for unauthenticated visitors on shared document links
Shared /?doc=<id> links gave no clear indication that login was required. The "Confirm reading" button silently triggered an OAuth redirect on click, which was non-obvious and failed entirely when MagicLink was the only enabled method.
- Login prompt banner with a "Sign in" CTA shown when a document is loaded without an active session.
- `SignButton` now redirects to `/auth` (chooser page) instead of forcing OAuth, so all enabled auth methods are offered.
- Button label adapts to "Sign in to confirm" while the user is logged out.
- New `sign.loginPrompt.*` i18n keys added (en / fr / de / es / it).
Bug Fixes
Reminder auth links work regardless of MagicLink feature flag
Reminder tokens (issued by admins when sending signature reminders) were gated on IsMagicLinkEnabled(), causing a 503 "Magic Link not enabled" error on click in OAuth-only setups. The reminder token system is independent of the user-facing MagicLink feature (different purpose, route, lifetime, and trigger), so the gate is removed.
Security Fixes
- Fix open redirect via backslash URL normalization; `SafeRedirectURL` now rejects paths containing `\` and protocol-relative URLs.