
ntfy

v2.23.0 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 17d Alerting & Incidents
✓ No known CVEs patched
This release patches 1 known CVE

Topics

curl notifications ntfy ntfysh messaging push-notifications rest

Affected surfaces

deps auth

Summary

AI summary

Restrict the publish dialog's file preview to safe image types, preventing same-origin script execution via a crafted SVG.

Full changelog

Features:

  • Add per-visitor rate limit on new topic creations (visitor-topic-creation-limit-burst / visitor-topic-creation-limit-replenish, defaults 100 burst / 1m replenish) to mitigate topic-enumeration / squatting attacks that inflate the in-memory topic map

Bug fixes + maintenance:

  • Remove stacktrace-js, stacktrace-gps, humanize-duration, and js-base64 from the web app to reduce dependency and security footprint
  • Restrict the publish dialog's local file preview to safe image types (png/jpg/gif/webp) to prevent same-origin script execution from blob URLs when previewing a crafted SVG (GHSA-j8hr-p342-xrmh, thanks to @Venukamatchi for reporting)

Security Fixes

  • GHSA-j8hr-p342-xrmh – Restrict the publish dialog's local file preview to safe image types (png/jpg/gif/webp), preventing same-origin script execution from a crafted SVG
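The fix above restricts which selected files the web app will render through a blob: URL. Below is an added example, not ntfy's own code, showing the pattern with one extra check a defender usually wants: besides allowlisting the declared MIME type, it sniffs the file header so a renamed SVG cannot slip through as "image/png". The `previewUrlFor` integration point and all byte samples are assumptions made for the example.

```javascript
// Added example, not ntfy's own code: gate a local-file preview the way the
// v2.23.0 fix describes. A blob: URL minted from a File object carries the
// page's origin, so rendering an attacker-chosen SVG through it would let its
// embedded script run same-origin; only fixed raster types get a preview.
const SAFE_PREVIEW_TYPES = new Set(["image/png", "image/jpeg", "image/gif", "image/webp"]);

// Magic-byte signatures so the decision does not rest on the browser-reported
// file.type, which is derived from the filename extension, not the content.
const SIGNATURES = [
  { type: "image/png", at: 0, bytes: [0x89, 0x50, 0x4e, 0x47] },
  { type: "image/jpeg", at: 0, bytes: [0xff, 0xd8, 0xff] },
  { type: "image/gif", at: 0, bytes: [0x47, 0x49, 0x46, 0x38] },
  { type: "image/webp", at: 0, bytes: [0x52, 0x49, 0x46, 0x46], also: { at: 8, bytes: [0x57, 0x45, 0x42, 0x50] } },
];

function matchesAt(buf, at, bytes) {
  return buf.length >= at + bytes.length && bytes.every((b, i) => buf[at + i] === b);
}

// Returns the sniffed raster type, or null when the header is not one we know.
function sniffImageType(header) {
  const buf = header instanceof Uint8Array ? header : Uint8Array.from(header);
  for (const s of SIGNATURES) {
    if (matchesAt(buf, s.at, s.bytes) && (!s.also || matchesAt(buf, s.also.at, s.also.bytes))) return s.type;
  }
  return null;
}

// Preview only when the declared type is allowlisted AND the content agrees.
// A file named evil.png that actually holds SVG markup fails the sniff; a real
// SVG fails the allowlist. Either way it gets the generic attachment icon.
function isSafeToPreview(declaredType, header) {
  const sniffed = sniffImageType(header);
  return sniffed !== null && SAFE_PREVIEW_TYPES.has(sniffed) && declaredType === sniffed;
}

// Browser integration point (hypothetical; ntfy's dialog code is not shown here).
async function previewUrlFor(file) {
  const header = new Uint8Array(await file.slice(0, 12).arrayBuffer());
  return isSafeToPreview(file.type, header) ? URL.createObjectURL(file) : null;
}
```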


About ntfy

Send push notifications to your phone or desktop using PUT/POST

