
spupuz/VibeNVR

v1.11.0 Security

This release includes 3 security fixes for security teams reviewing exposed deployments.

Published 4mo Media Servers
✓ No known CVEs patched
This release patches 3 known CVEs

Topics

ffmpeg lightweight local-storage nvr opensource privacy video-surveillance

Affected surfaces

auth rbac

Summary

AI summary

Automatic orphan recording recovery and corrupted‑file cleanup are now provided.

Full changelog

Full Changelog: https://github.com/spupuz/VibeNVR/compare/v1.10.3...v1.11.0

VibeNVR v1.11.0 — Recording Management & Orphan Recovery

This release introduces comprehensive recording management with automatic orphan recovery, corrupted‑file cleanup, and improved recording configuration.

🎬 Recording Management & Orphan Recovery

✨ New Features

Automatic Orphan Recovery

  • Startup Recovery: Automatically scans for recordings on disk that are missing from the database and imports them 30 seconds after backend startup.
  • Manual Recovery: A new “Recover Orphaned Recordings” button is available under Settings → Maintenance for on‑demand recovery.
  • Thumbnail Generation: Missing thumbnails are automatically generated during recovery.

Corrupted Video Cleanup

  • Automatic Detection: Identifies incomplete or corrupted video files (e.g., missing moov atom, zero duration).
  • Auto‑Cleanup: Removes corrupted files from both disk and database.
  • Deleted Camera Cleanup: Files belonging to removed cameras are automatically purged.

Maximum Movie Length Configuration

  • Slider UI: New slider for configuring max_movie_length (range: 1–5 minutes).
  • Smart Defaults: New cameras default to 120 seconds (2 minutes).
  • Auto‑Correction: Invalid values (0 or >300) are automatically corrected.

🐛 Bug Fixes

  • Thumbnail Deletion: Thumbnails now delete correctly when removing events from the timeline.
  • Clone Settings: Cloning settings no longer overwrites the camera’s active/disabled status.
  • Missing Thumbnails: Recovered recordings now properly generate thumbnails.

🔒 Security

  • Admin‑only endpoint for orphan recovery with 5‑minute rate limiting.
  • Strict path validation prevents directory traversal in all file operations.
  • Audit logging added for administrative actions.
  • All changes reviewed to ensure no new vulnerabilities were introduced.
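
The containment check that "strict path validation" implies for an orphan scan, as an added example that is not VibeNVR's own code: every candidate is canonicalised and must still sit under the recordings root by path component, so `..` segments, absolute paths, symlinks and prefix-sibling directories are all refused. The names `resolve_inside` and `find_orphans`, the directory layout and the extension list are assumptions made for the illustration.

```python
import os
import tempfile
from pathlib import Path

VIDEO_SUFFIXES = {".mp4", ".mkv"}  # assumed recording extensions

def resolve_inside(root: Path, candidate) -> Path:
    """Canonicalise candidate; raise ValueError if it lands outside root."""
    root_real = root.resolve(strict=True)
    target = (root_real / candidate).resolve()  # collapses "..", follows symlinks
    # Component-wise comparison: ".../recordings_old" is not inside ".../recordings",
    # which a plain string startswith() check would get wrong.
    if not target.is_relative_to(root_real):  # Python 3.9+
        raise ValueError(f"path escapes recordings root: {candidate}")
    return target

def find_orphans(root: Path, known: set):
    """Return (files on disk missing from `known`, files refused as escaping root)."""
    root_real = root.resolve(strict=True)
    orphans, rejected = [], []
    for dirpath, _dirs, files in os.walk(root_real):  # does not descend into dir symlinks
        for name in files:
            path = Path(dirpath) / name
            if path.suffix.lower() not in VIDEO_SUFFIXES:
                continue
            try:
                real = resolve_inside(root_real, path)
            except ValueError:
                rejected.append(path.relative_to(root_real).as_posix())
                continue
            rel = real.relative_to(root_real).as_posix()
            if rel not in known:
                orphans.append(rel)
    return sorted(orphans), sorted(rejected)

def demo():
    """Constructed tree: one known file, one orphan, one symlink leaving the root."""
    with tempfile.TemporaryDirectory() as tmp:
        root, sibling = Path(tmp) / "recordings", Path(tmp) / "recordings_old"
        (root / "cam1").mkdir(parents=True)
        sibling.mkdir()
        for f in (root / "cam1" / "a.mp4", root / "cam1" / "b.mp4", sibling / "s.mp4"):
            f.write_bytes(b"x")
        os.symlink(sibling / "s.mp4", root / "cam1" / "link.mp4")
        scan = find_orphans(root, known={"cam1/a.mp4"})
        refused = []
        for bad in ("../recordings_old/s.mp4", "/etc/passwd", "cam1/../../x.mp4"):
            try:
                resolve_inside(root, bad)
            except ValueError:
                refused.append(bad)
        return scan, refused
```

The same helper belongs in front of delete and thumbnail operations as well as imports, since the release notes apply the validation to all file operations.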

📋 Technical Changes

  • Added sync_recordings.py for comprehensive orphan management.
  • Updated sync-orphans API endpoint with rate limiting.
  • Fixed indentation bug in events.py thumbnail deletion.
  • Added is_video_valid() for corruption detection.

🚀 Upgrade Notes

After upgrading, the system will automatically:

  • Import any orphaned recordings found on disk
  • Generate missing thumbnails
  • Clean up corrupted or incomplete video files
  • Remove files belonging to deleted cameras

No manual intervention required.

Security Fixes

  • Strict path validation prevents directory traversal in all file operations
  • Admin‑only orphan recovery endpoint now rate‑limited to 5 requests per minute
  • Audit logging added for administrative actions

Related context

Earlier breaking changes

  • v1.28.3 Must update docker-compose.yml with TZ variable for all services
