seaweedfs

v4.30 Security

This release includes 3 security fixes for security teams reviewing exposed deployments.

Published 4d Cloud Management
✓ No known CVEs patched
This release patches 3 known CVEs

Topics

blob-storage cloud-drive distributed-file-system distributed-storage distributed-systems erasure-coding fuse hadoop-hdfs hdfs kubernetes s3 posix replication s3-storage seaweedfs tiered-file-system

Affected surfaces

auth breaking_upgrade

Summary

AI summary

S3 security hardening, health probes addition, and fixes across filer sync, volume server, replication, and shell modules.

Changes in this release

Security High

Reject `..` sequences in S3 URL path variables to prevent directory traversal attacks.

Source: llm_adapter@2026-05-30

Confidence: high

Security High

Authenticate JWT unsigned‑streaming S3 uploads to prevent unauthorized writes.

Source: llm_adapter@2026-05-30

Confidence: high

Feature Medium

Honor MetadataDirective=REPLACE for system metadata on S3 CopyObject operations.

Source: llm_adapter@2026-05-30

Confidence: high

Feature Medium

Allow anonymous unsigned‑streaming PutObject requests to S3.

Source: llm_adapter@2026-05-30

Confidence: high

Feature Medium

Add `/healthz` and `/readyz` health probes to S3, IAM, Volume, Filer, and Master services.

Source: llm_adapter@2026-05-30

Confidence: high

Feature Low

Apply keyPrefix in Redis2 KV methods for filer operations.

Source: granite4.1:30b@2026-05-30-audit

Confidence: low

Performance Medium

Make `s3.iam.GetUser` default to the request username if none is specified, reducing round‑trips.

Source: llm_adapter@2026-05-30

Confidence: high

Performance Low

Add equal jitter to retry backoff for wdclient and dailyrun processes.

Source: granite4.1:30b@2026-05-30-audit

Confidence: low

Bugfix Medium

Validate S3 ownership controls rules to enforce correct ACL configurations.

Source: llm_adapter@2026-05-30

Confidence: high

Bugfix Medium

Guard `BytesToUint{16,32,64}` functions against short input to avoid panics.

Source: llm_adapter@2026-05-30

Confidence: high

Bugfix Medium

Return immediately on the first error in `DistributedOperation` to avoid cascading failures.

Source: llm_adapter@2026-05-30

Confidence: high

Bugfix Medium

Prune filers dropped from master discovery to keep client lists accurate.

Source: granite4.1:30b@2026-05-30-audit

Confidence: low

Bugfix Medium

Default PostgreSQL filer upserts to ON CONFLICT to keep transactions alive.

Source: granite4.1:30b@2026-05-30-audit

Confidence: low

Bugfix Medium

Timeout AllocateVolume/DeleteVolume operations and defer growRequest cleanup on master.

Source: granite4.1:30b@2026-05-30-audit

Confidence: low

Bugfix Medium

Recover heartbeat‑fulled volumes once they shrink in topology handling.

Source: granite4.1:30b@2026-05-30-audit

Confidence: low

Bugfix Medium

Fail replica writes fast when a replica becomes unreachable during replication.

Source: granite4.1:30b@2026-05-30-audit

Confidence: low

Bugfix Medium

Avoid nil‑dereference errors when needle map loader fails in volume server.

Source: granite4.1:30b@2026-05-30-audit

Confidence: low

Bugfix Medium

Prevent panic when URL path contains a dot before the comma in volume handling.

Source: granite4.1:30b@2026-05-30-audit

Confidence: low

Bugfix Medium

Prefer credible replica as canonical metric in EC detection for better accuracy.

Source: granite4.1:30b@2026-05-30-audit

Confidence: low

Bugfix Medium

Delete empty stub replicas before distributing EC shards to clean up resources.

Source: granite4.1:30b@2026-05-30-audit

Confidence: low

Bugfix Medium

Keep EC .vif when deleting a coexisting regular volume to maintain consistency.

Source: granite4.1:30b@2026-05-30-audit

Confidence: low

Bugfix Medium

Stop flipping volumes read‑only on a non‑append‑ordered .idx file.

Source: granite4.1:30b@2026-05-30-audit

Confidence: low

Bugfix Medium

Fix writable volume re-notification after a worker VACUUM operation completes.

Source: granite4.1:30b@2026-05-30-audit

Confidence: low

Bugfix Medium

Validate chunk size in FilerSink to prevent propagation of zero‑byte chunks during sync.

Source: granite4.1:30b@2026-05-30-audit

Confidence: low

Bugfix Medium

Resolve manifest chunks against source filer to ensure correct data retrieval during sync.

Source: granite4.1:30b@2026-05-30-audit

Confidence: low

Bugfix Medium

Forward entry mime type as ContentType in remote_storage/s3 replication path.

Source: granite4.1:30b@2026-05-30-audit

Confidence: low

Bugfix Medium

Forward entry mime type as ContentType in remote_storage/gcs replication path.

Source: granite4.1:30b@2026-05-30-audit

Confidence: low

Refactor Low

Remove the inode→path index and decommission the NFS gateway.

Source: llm_adapter@2026-05-30

Confidence: high

Refactor Low

Avoid unused SQL insert result handling in code paths.

Source: granite4.1:30b@2026-05-30-audit

Confidence: low

Other Low

Add end‑to‑end encode test over multi‑server, multi‑disk stuck layout for EC.

Source: granite4.1:30b@2026-05-30-audit

Confidence: low

Full changelog

What's Changed

  • S3

    • s3,iceberg: reject .. in URL path vars by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9687
    • fix(s3tables/iceberg): make metadata spec-compliant and accept real-world manifest names by @qzhello in https://github.com/seaweedfs/seaweedfs/pull/9703
    • fix: validate s3 ownership controls rule by @7y-9 in https://github.com/seaweedfs/seaweedfs/pull/9684
    • fix(s3): honor MetadataDirective=REPLACE for system metadata on CopyObject by @qzhello in https://github.com/seaweedfs/seaweedfs/pull/9721
    • fix(s3): allow anonymous unsigned-streaming PutObject by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9727
    • fix(s3): authenticate JWT unsigned-streaming uploads by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9729
    • perf(s3.iam.GetUser): Make the API default to the request username if not specified by @LightJack05 in https://github.com/seaweedfs/seaweedfs/pull/9746
  • Misc

    • writeJson: drop unused JSONP branch by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9686
    • fix(util): guard BytesToUint{16,32,64} against short input by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9713
    • chore(weed/storage/backend/s3_backend): remove unused function by @alrs in https://github.com/seaweedfs/seaweedfs/pull/9715
    • [docker] add make test_keycloak_s3 for local develop and debug by @kmlebedev in https://github.com/seaweedfs/seaweedfs/pull/9719
    • s3, iam, volume, filer, master: add /healthz and /readyz health probes by @MChorfa in https://github.com/seaweedfs/seaweedfs/pull/9738
  • Filer

    • redis2: apply keyPrefix in KV methods by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9693
    • wdclient: prune filers dropped from master discovery by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9699
    • fix(filer/postgres): default to ON CONFLICT upsert to keep tx alive by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9709
    • refactor(filer): remove the inode->path index and the NFS gateway by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9724
    • refactor: avoid unused sql insert result by @7y-9 in https://github.com/seaweedfs/seaweedfs/pull/9734
    • wdclient, dailyrun: add equal jitter to retry backoff by @MChorfa in https://github.com/seaweedfs/seaweedfs/pull/9737
    • fix: return immediately on first error in DistributedOperation by @rushikesh90 in https://github.com/seaweedfs/seaweedfs/pull/9740
  • Master

    • master: timeout AllocateVolume/DeleteVolume and defer growRequest cleanup by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9698
    • fix(topology): recover heartbeat-fulled volumes once they shrink by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9742
    • topology: fail replica writes fast when a replica is unreachable by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9744
  • Volume Server

    • fix(volume): avoid nil-deref when needle map loader errors (#9694) by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9697
    • fix(volume): avoid panic when URL path has a dot before the comma by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9712
    • fix(ec): prefer credible replica as canonical metric in EC detection by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9717
    • fix(ec): delete empty stub replicas before distributing EC shards by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9722
    • fix(storage): keep EC .vif when deleting a coexisting regular volume by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9723
    • test(ec): end-to-end encode over a multi-server multi-disk stuck layout by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9728
    • fix(volume): stop flipping volumes read-only on a non-append-ordered .idx by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9726
    • fix(vacuum): writable volume re-notification after worker VACUUM by @kisow in https://github.com/seaweedfs/seaweedfs/pull/9732
  • Replication, Filer Sync

    • fix(filer.sync): validate chunk size in FilerSink to prevent 0-byte propagation by @kisow in https://github.com/seaweedfs/seaweedfs/pull/9701
    • fix(filer.sync): resolve manifest chunks against source filer by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9705
    • fix(remote_storage/s3): forward entry mime as ContentType by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9708
    • fix(replication/s3sink): forward entry mime as ContentType by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9710
    • fix(remote_storage/gcs): forward entry mime as ContentType by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9711
    • fix(filer.sync): keep sync_offset fresh through filtered-event markers by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9733
  • Admin Server and Worker

    • fix(vacuum): batch all replicas in a single plugin worker task by @kisow in https://github.com/seaweedfs/seaweedfs/pull/9702
  • Shell

    • fix(shell): don't halt volume.fsck purge on a stuck read-only volume by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9714
    • fix(shell): verify volume.merge output before overwriting replicas by @chrislusf in https://github.com/seaweedfs/seaweedfs/pull/9731

New Contributors

  • @MChorfa made their first contribution in https://github.com/seaweedfs/seaweedfs/pull/9738
  • @rushikesh90 made their first contribution in https://github.com/seaweedfs/seaweedfs/pull/9740
  • @LightJack05 made their first contribution in https://github.com/seaweedfs/seaweedfs/pull/9746

Full Changelog: https://github.com/seaweedfs/seaweedfs/compare/4.29...4.30

Security Fixes

  • S3 rejects `..` in URL path variables (iceberg) – prevents directory traversal abuse
  • Validate S3 ownership controls rule – closes misconfiguration vulnerability
  • Authenticate JWT unsigned‑streaming uploads – mitigates unauthorized upload risk

About seaweedfs

SeaweedFS is a distributed storage system for object storage (S3), file systems, and Iceberg tables, designed to handle billions of files with O(1) disk access and effortless horizontal scaling.

Related context

Earlier breaking changes

  • v4.24 Version 4.23 is unsafe with multiple disks when using erasure coding (EC).
