
spupuz/VibeNVR

v1.19.0 Security

This release includes 2 security fixes for security teams reviewing exposed deployments.

Published 3mo Media Servers
✓ No known CVEs patched
This release patches 2 known CVEs

Topics

ffmpeg lightweight local-storage nvr opensource privacy video-surveillance

Affected surfaces

auth

Summary

AI summary

2FA Recovery Codes system automatically generates single-use hashed codes to prevent lockouts.

Full changelog

Full Changelog: https://github.com/spupuz/VibeNVR/compare/v1.18.2...v1.19.0

VibeNVR v1.19.0 "Security & Recovery Update"

This minor release introduces critical security enhancements, a robust 2FA fallback system, UI improvements, and foundational changes to our AI collaboration and documentation guidelines.

🛡️ Security & Authentication

  • 2FA Recovery Codes System: 2FA setup now automatically generates 10 hashed, single-use Recovery Backup Codes to prevent administrative lockouts. Recovery codes can be downloaded directly from the UI.
  • Trusted Devices ("Remember Me"): Added the ability to mark a personal device as securely "Trusted" during a 2FA login, bypassing the prompt safely for a set duration.
  • Password Strength & Verification: Password validation natively relies on Argon2 hashing, providing built-in resilience against brute-force attacks across all authentication methodologies.
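
A sketch of how hashed, single-use recovery codes like those in the first bullet can be generated and redeemed. It is an added example, not VibeNVR's code: the code format, the PBKDF2 parameters (chosen so the sketch needs only the standard library) and all function and field names are assumptions.

```python
import hashlib
import hmac
import secrets

# Assumed values for this sketch; none are taken from VibeNVR.
CODE_COUNT = 10                                  # the release notes state 10 codes
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"    # no 0/O/1/I look-alikes
ITERATIONS = 100_000                             # PBKDF2-HMAC-SHA256 work factor


def _normalize(code: str) -> str:
    """Ignore case, dashes and spaces so a typed code matches the stored form."""
    return code.replace("-", "").replace(" ", "").upper()


def _hash(code: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", _normalize(code).encode(), salt, ITERATIONS)


def generate_recovery_codes(count: int = CODE_COUNT):
    """Return (plaintext codes to show the user once, records to persist).

    Only salt + hash are stored, so a database leak does not reveal usable codes.
    """
    codes, records = [], []
    for _ in range(count):
        raw = "".join(secrets.choice(ALPHABET) for _ in range(10))
        codes.append(f"{raw[:5]}-{raw[5:]}")
        salt = secrets.token_bytes(16)
        records.append({"salt": salt, "hash": _hash(raw, salt), "used": False})
    return codes, records


def redeem_recovery_code(submitted: str, records) -> bool:
    """Accept each code at most once; compare digests in constant time."""
    matched = None
    for rec in records:                  # check every record, no early exit
        ok = hmac.compare_digest(_hash(submitted, rec["salt"]), rec["hash"])
        if ok and not rec["used"]:
            matched = rec
    if matched is None:
        return False
    # Single use: burn the code on success. With a real database this update
    # must be atomic so two concurrent logins cannot both redeem the same code.
    matched["used"] = True
    return True
```

Failed redemption attempts should count toward the same rate limit as failed 2FA prompts, since a recovery code is an alternative second factor.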

💻 UI / UX Refinements

  • Password Management: Replaced the ambiguous "Key" icon with a prominent "Change Password" button in User Settings, triggering a dedicated, user-friendly modal.
  • Action Confirmations: Completely stripped out clunky native browser confirm alerts (window.confirm()) in favor of our modern, unified React <ConfirmModal />.
  • Profile Modal Flow: Fixed an esoteric bug where successfully enabling 2FA would inadvertently cause React to unmount the recovery settings before they could be read. Profile state and routing checks are now perfectly synchronized.

📖 Documentation & Standardization

  • English-Only Policy Enforced: The VibeNVR documentation and codebase officially standardize on English. README.md updated to reflect this policy.
  • Dedicated SECURITY.md: Extracted and expanded our security architecture, RBAC logic, data sanitization rules, and vulnerability disclosure directives (Mozmail) into an independent, public document.
  • AI Guidelines: Created AGENTS.md and AI_POLICY.md to rigorously instruct human and AI contributors on our strict coding methodology, ensuring future code continues to match our security posture.
  • Prepared GitHub Wiki: Stubbed out WIKI_HOME.md and WIKI_LOCAL_RECOVERY.md ready for deployment to the project's GitHub Wiki space.

Security Fixes

  • Argon2 hashing now used natively for password validation, enhancing brute-force resistance
  • Removed native browser `window.confirm()` alerts in favor of unified React confirmation dialogs


Related context

Earlier breaking changes

  • v1.28.3 Must update docker-compose.yml with TZ variable for all services
