
Wmux

v2.4.2 Security

This release includes 6 security fixes for security teams reviewing exposed deployments.

Published 2mo CLI & Terminal
✓ No known CVEs patched
This release patches 6 known CVEs

Topics

agentic-ai ai-agent ai-agents ai-coding browser-automation claude
claude-code coding-agent developer-tools electron gemini mcp-server multi-agent powershell terminal-multiplexer tmux tmux-alternative windows

Affected surfaces

auth rbac rce_ssrf

Summary

AI summary

Session persistence now saves terminal state across restarts with up to 30 seconds of potential output loss.

Full changelog

v2.4.2

Session Persistence & Recovery

Wmux now remembers your sessions across restarts. Terminal sessions are automatically saved on exit and restored on next launch — including scrollback history.

What's new

  • Sessions survive daemon restarts, crashes, and reboots
  • Scrollback buffer is preserved and restored per session
  • Live sessions are snapshotted every 30 seconds — at most 30 seconds of output is lost on a forced kill or power loss
  • On Windows, a synchronous save fires on process exit as a last resort
  • Corrupted state files fall back to .bak automatically

Session data is stored in ~/.wmux/sessions.json and ~/.wmux/buffers/.

Security Hardening

Six security fixes contributed by @Zurgli.

  • Browser RPC boundary — removed raw CDP passthrough; clients can no longer execute arbitrary DevTools commands
  • SSRF enforcement — navigation policy now validates resolved IP addresses, including IPv6-mapped IPv4 (::ffff:x.x.x.x) bypass
  • Filesystem bridge — symlink traversal blocked via realpath double-check before sensitive path validation
  • Browser profile isolation — each surface now uses its own partition instead of a shared one
  • Export path restriction — PDF and trace exports are confined to a controlled output directory
  • Token hardening — Windows ACL hardening applied consistently to both daemon and MCP auth tokens

Contributors
@Zurgli — first external contribution, both PRs

Security Fixes

  • Removed raw CDP passthrough — prevents arbitrary DevTools command execution (Browser RPC boundary)
  • SSRF enforcement now validates resolved IP addresses including IPv6‑mapped IPv4 (::ffff:x.x.x.x) bypass
  • Symlink traversal blocked via realpath double‑check before sensitive path validation (Filesystem bridge)
  • Each browser surface uses its own partition — isolates profiles (Browser profile isolation)
  • PDF and trace exports confined to a controlled output directory (Export path restriction)
  • Windows ACL hardening applied consistently to daemon and MCP auth tokens (Token hardening)
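
The SSRF item above checks the resolved IP address rather than the hostname, and treats the ::ffff:x.x.x.x form as the IPv4 address it embeds. The sketch below shows that check as an added example; it is not Wmux's code, and the function names and deny-list ranges are assumptions.

```javascript
// Added example, not Wmux source. Deny-list ranges below are assumptions.
const BLOCKED_V4 = [ // [network, prefix length]
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16],
];

// Dotted quad -> unsigned 32-bit number, or null if not a valid IPv4 literal.
function v4ToInt(ip) {
  const parts = ip.split('.');
  const ok = parts.length === 4 && parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255);
  return ok ? parts.reduce((acc, p) => acc * 256 + Number(p), 0) : null;
}

// IPv6 literal -> eight 16-bit groups, or null. Handles "::" and a dotted-quad tail.
function v6ToGroups(ip) {
  let s = ip.toLowerCase();
  const cut = s.lastIndexOf(':') + 1;
  if (s.slice(cut).includes('.')) { // rewrite an a.b.c.d tail as two hex groups
    const n = v4ToInt(s.slice(cut));
    if (n === null) return null;
    s = s.slice(0, cut) + Math.floor(n / 65536).toString(16) + ':' + (n % 65536).toString(16);
  }
  const halves = s.split('::');
  if (halves.length > 2) return null;
  const head = halves[0] ? halves[0].split(':') : [];
  const rest = halves[1] ? halves[1].split(':') : [];
  const fill = halves.length === 2 ? 8 - head.length - rest.length : 0;
  if (halves.length === 2 && fill < 1) return null;
  const groups = [...head, ...Array(fill).fill('0'), ...rest];
  if (groups.length !== 8 || !groups.every((g) => /^[0-9a-f]{1,4}$/.test(g))) return null;
  return groups.map((g) => parseInt(g, 16));
}

const isBlockedV4 = (n) => BLOCKED_V4.some(([cidr, bits]) => {
  const base = v4ToInt(cidr);
  return n >= base && n < base + 2 ** (32 - bits);
});

// True only when a resolved address (the DNS answer, not the hostname) may be visited.
function isResolvedAddressAllowed(addr) {
  const v4 = v4ToInt(addr);
  if (v4 !== null) return !isBlockedV4(v4);
  const g = v6ToGroups(addr);
  if (g === null) return false; // unparseable input fails closed
  const zeros = (n) => g.slice(0, n).every((x) => x === 0);
  if (zeros(5) && g[5] === 0xffff) return !isBlockedV4(g[6] * 65536 + g[7]); // ::ffff:a.b.c.d
  if (zeros(7) && g[7] <= 1) return false; // :: and ::1
  return (g[0] & 0xfe00) !== 0xfc00 && (g[0] & 0xffc0) !== 0xfe80; // fc00::/7, fe80::/10
}
```

The hex spelling (`::ffff:7f00:1`) and the fully expanded spelling (`0:0:0:0:0:ffff:a00:1`) land on the same IPv4 deny-list as the dotted form, which is the property a string-prefix check on `::ffff:` misses.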
