Skip to content

Pingvin Share X

v1.13.1 Security

This release includes 6 security fixes for security teams reviewing exposed deployments.

Published 8mo File Storage & Sync
✓ No known CVEs patched
Read the diff → Tool health → What is this tool? →
This release patches 6 known CVEs

Topics

docker fileshare fork self-hosted share

Affected surfaces

auth rce_ssrf deps

Summary

AI summary

Remedies multiple security vulnerabilities including SSRF, path expression injection, and OAuth cookie transmission issues.

Full changelog

First release by myself. Apologies for the difficulties as things got worked out. Expect more releases shortly as I work back through the unmerged PR's from stonith's repo. The main goal of this release, was to get the project and it's deps up-to-date so it can be deployed without worry of attack by known vulns.

Features

  • ui: Add translations for icon descriptions (9cb9eac)
  • ui: Change ActionIcon to Button to add descriptive text (67717b5)
  • ui: Change Header Icon to Button to add descriptive text (9a024c7)
  • ui: Add text labels to action buttons for clarity (84f12e0)
  • ui: Add text labels to action buttons for clarity (3cf148b)
  • ui: Add tooltips and remove text from ActionIcons (2293f6d)

Bug Fixes

  • ui: change button size (1ab1b29)
  • security: remedy potential 'Sever-side request forgery' vuln (73215fb)
  • security: remedy potential 'Uncontrolled data used in path expression' vuln (601a1bb)
  • security: remedy potential 'Uncontrolled data' vulns via validation (ea44573)
  • security: remedy potential 'userside redirect' vuln on error page (e4bd9e6)
  • security: remedy vuln in insecure transmission of oauth cookies (e6d6840)
  • security: update axios to patch dos vuln (5af4958)

Security Fixes

  • Remedy potential 'Server-side request forgery' vulnerability (no CVE ID provided)
  • Remedy potential 'Uncontrolled data used in path expression' vulnerability (no CVE ID provided)
  • Remedy multiple potential 'Uncontrolled data' vulnerabilities via validation (no CVE IDs provided)
  • Remedy potential 'User‑side redirect' vulnerability on error page (no CVE ID provided)
  • Remedy insecure transmission of OAuth cookies (no CVE ID provided)
  • Update axios to patch denial‑of‑service vulnerability (no CVE ID provided)
View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track Pingvin Share X

Get notified when new releases ship.

Sign up free

About Pingvin Share X

File sharing platform and WeTransfer alternative

All releases →

Related context

Beta — feedback welcome: [email protected]