Skip to content

Thumbor

v7.8.0 Security

This release includes 4 security fixes for security teams reviewing exposed deployments.

Published 4d Media Servers
✓ No known CVEs patched
Read the diff → Tool health → What is this tool? →
This release patches 4 known CVEs

Affected surfaces

auth deps

Summary

AI summary

Multiple privately reported security issues fixed, including path confinement bypasses and URL signature validation bypass.

Full changelog

Security

This release includes fixes for multiple privately reported security issues.
Users running thumbor in production are strongly encouraged to upgrade to
7.8.0.

Fixed issues include:

  • file_loader path confinement bypasses that could allow reads outside
    FILE_LOADER_ROOT_PATH in affected configurations.
  • URL signature validation bypass involving repeated or encoded hash prefixes.
  • ALLOWED_SOURCES pattern hardening for string-based source restrictions.
  • Denial of service fixes in the convolution filter.
  • Denial of service fix in the proportion filter.

Security advisories will be published with more details and CVE/GHSA references.

What's Changed

  • Remove deprecated license classifier in favor of SPDX expression by @marcelometal in https://github.com/thumbor/thumbor/pull/1738
  • Bump CairoSVG to 2.8.2 by @marcelometal in https://github.com/thumbor/thumbor/pull/1737
  • Bump setuptools to >=78.1.1 by @marcelometal in https://github.com/thumbor/thumbor/pull/1736
  • Expand Pillow version range to allow versions up to <12.0.0 by @marcelometal in https://github.com/thumbor/thumbor/pull/1732
  • Fix SyntaxWarning for invalid escape sequence in byte regex by @marcelometal in https://github.com/thumbor/thumbor/pull/1741
  • Update base image from bullseye to trixie by @marcelometal in https://github.com/thumbor/thumbor/pull/1748
  • chore(deps): bump actions/checkout from 4 to 5 by @dependabot[bot] in https://github.com/thumbor/thumbor/pull/1749
  • chore(deps): bump actions/download-artifact from 4 to 5 by @dependabot[bot] in https://github.com/thumbor/thumbor/pull/1750
  • chore(deps): bump pypa/gh-action-pypi-publish from 1.12.4 to 1.13.0 in /.github/workflows by @dependabot[bot] in https://github.com/thumbor/thumbor/pull/1752
  • Drop support for Python 3.9 by @marcelometal in https://github.com/thumbor/thumbor/pull/1747
  • chore(deps): bump actions/stale from 9 to 10 by @dependabot[bot] in https://github.com/thumbor/thumbor/pull/1759
  • chore(deps): bump actions/setup-python from 5 to 6 by @dependabot[bot] in https://github.com/thumbor/thumbor/pull/1758
  • Remove legacy .continuousrc file by @marcelometal in https://github.com/thumbor/thumbor/pull/1756
  • Remove duplicate test file by @sephii in https://github.com/thumbor/thumbor/pull/1754
  • Migrate legacy issue template to new YAML-based format by @marcelometal in https://github.com/thumbor/thumbor/pull/1755
  • Use full SHA for third-party actions by @marcelometal in https://github.com/thumbor/thumbor/pull/1761
  • Update pre-commit hooks to latest versions by @marcelometal in https://github.com/thumbor/thumbor/pull/1767
  • chore(deps): bump actions/download-artifact from 5 to 6 by @dependabot[bot] in https://github.com/thumbor/thumbor/pull/1769
  • chore(deps): bump docker/login-action from 3.0.0 to 3.6.0 by @dependabot[bot] in https://github.com/thumbor/thumbor/pull/1770
  • chore(deps): bump github/codeql-action from 3 to 4 by @dependabot[bot] in https://github.com/thumbor/thumbor/pull/1772
  • chore(deps): bump docker/build-push-action from 5.0.0 to 6.18.0 by @dependabot[bot] in https://github.com/thumbor/thumbor/pull/1771
  • chore(deps): bump psf/black from 25.9.0 to 25.11.0 by @dependabot[bot] in https://github.com/thumbor/thumbor/pull/1778
  • chore(deps): bump docker/setup-buildx-action from 3.0.0 to 3.11.1 by @dependabot[bot] in https://github.com/thumbor/thumbor/pull/1777
  • chore(deps): bump actions/download-artifact from 6 to 7 by @dependabot[bot] in https://github.com/thumbor/thumbor/pull/1782
  • chore(deps): bump docker/metadata-action from 5.0.0 to 5.10.0 by @dependabot[bot] in https://github.com/thumbor/thumbor/pull/1783
  • chore(deps): bump actions/upload-artifact from 4 to 6 by @dependabot[bot] in https://github.com/thumbor/thumbor/pull/1787
  • chore(deps): bump docker/login-action from 3.6.0 to 3.7.0 by @dependabot[bot] in https://github.com/thumbor/thumbor/pull/1786
  • chore(deps): bump docker/setup-qemu-action from 3.6.0 to 3.7.0 by @dependabot[bot] in https://github.com/thumbor/thumbor/pull/1780
  • chore(deps): bump actions/upload-artifact from 6 to 7 by @dependabot[bot] in https://github.com/thumbor/thumbor/pull/1793
  • Convert setup.py to pyproject.toml following PEP 621 by @marcelometal in https://github.com/thumbor/thumbor/pull/1745
  • ci: Prevent actions from running twice on PRs by @guilhermef in https://github.com/thumbor/thumbor/pull/1798
  • chore(deps): bump docker/build-push-action from 6.18.0 to 6.19.2 by @dependabot[bot] in https://github.com/thumbor/thumbor/pull/1791
  • chore(deps): bump actions/checkout from 5 to 6 by @dependabot[bot] in https://github.com/thumbor/thumbor/pull/1779
  • chore(deps): bump psf/black from 25.11.0 to 26.1.0 by @dependabot[bot] in https://github.com/thumbor/thumbor/pull/1792
  • style: format code with black by @marcelometal in https://github.com/thumbor/thumbor/pull/1800
  • Add AGENTS.md by @marcelometal in https://github.com/thumbor/thumbor/pull/1796
  • Add SECURITY.md by @marcelometal in https://github.com/thumbor/thumbor/pull/1795
  • docs: add official Docker image usage to README and hosting docs by @ritoban23 in https://github.com/thumbor/thumbor/pull/1766
  • Maintain compatibility with multiple Pillow versions in ImageCms by @marcelometal in https://github.com/thumbor/thumbor/pull/1788
  • fix package version metadata by @marcelometal in https://github.com/thumbor/thumbor/pull/1807
  • chore(deps): bump docker/metadata-action from 5.10.0 to 6.0.0 by @dependabot[bot] in https://github.com/thumbor/thumbor/pull/1811
  • chore(deps): bump actions/download-artifact from 7 to 8 by @dependabot[bot] in https://github.com/thumbor/thumbor/pull/1810
  • chore(deps): bump docker/build-push-action from 6.19.2 to 7.0.0 by @dependabot[bot] in https://github.com/thumbor/thumbor/pull/1809
  • chore(deps): bump docker/login-action from 3.7.0 to 4.0.0 by @dependabot[bot] in https://github.com/thumbor/thumbor/pull/1813
  • chore(deps-dev): update pytest-cov requirement from <5.0.0,>=4.1.0 to >=4.1.0,<8.0.0 by @dependabot[bot] in https://github.com/thumbor/thumbor/pull/1815
  • chore(deps-dev): update pre-commit requirement from <4.0.0,>=3.6.0 to >=3.6.0,<5.0.0 by @dependabot[bot] in https://github.com/thumbor/thumbor/pull/1812
  • chore(deps-dev): update pytest-asyncio requirement from <1.0.0,>=0.23.3 to >=0.23.3,<2.0.0 by @dependabot[bot] in https://github.com/thumbor/thumbor/pull/1817
  • chore(deps-dev): update pillow-heif requirement from <1.0.0,>=0.22.0 to >=0.22.0,<2.0.0 by @dependabot[bot] in https://github.com/thumbor/thumbor/pull/1816
  • Add support to Python 3.14 by @marcelometal in https://github.com/thumbor/thumbor/pull/1775
  • chore(deps-dev): update pylint requirement from <4.0.0,>=3.0.3 to >=3.0.3,<5.0.0 by @dependabot[bot] in https://github.com/thumbor/thumbor/pull/1814
  • chore(deps): bump pypa/cibuildwheel from 3.4.0 to 3.4.1 by @dependabot[bot] in https://github.com/thumbor/thumbor/pull/1820
  • chore(deps): bump docker/build-push-action from 7.0.0 to 7.1.0 by @dependabot[bot] in https://github.com/thumbor/thumbor/pull/1821
  • chore(deps): bump pypa/gh-action-pypi-publish from 1.13.0 to 1.14.0 by @dependabot[bot] in https://github.com/thumbor/thumbor/pull/1822
  • chore(deps-dev): update isort requirement from <6.0.0,>=5.13.2 to >=5.13.2,<9.0.0 by @dependabot[bot] in https://github.com/thumbor/thumbor/pull/1825
  • chore: make imports compatible with isort 8 by @marcelometal in https://github.com/thumbor/thumbor/pull/1829
  • Remove unused webcolors direct dependency by @marcelometal in https://github.com/thumbor/thumbor/pull/1830
  • chore(deps-dev): update sentry-sdk requirement from <2.0.0,>=1.39.1 to >=1.39.1,<3.0.0 by @dependabot[bot] in https://github.com/thumbor/thumbor/pull/1827
  • chore(deps): update pytz requirement from <2024.0.0,>=2023.3.post1 to >=2023.3.post1,<2027.0.0 by @dependabot[bot] in https://github.com/thumbor/thumbor/pull/1824
  • chore(deps): update pillow requirement from <12.0.0,>=10.4.0 to >=10.4.0,<13.0.0 by @dependabot[bot] in https://github.com/thumbor/thumbor/pull/1823
  • Remove run-time dependency on setuptools by @cjwatson in https://github.com/thumbor/thumbor/pull/1789
  • Use tuple for TIFF header startswith check by @marcelometal in https://github.com/thumbor/thumbor/pull/1831
  • Add metrics for filters by @marcelometal in https://github.com/thumbor/thumbor/pull/1806
  • Respect ALLOWED_SOURCES in the frame filter by @4390c336 in https://github.com/thumbor/thumbor/pull/1819
  • ci: Run ARM build on matching runner by @guilhermef in https://github.com/thumbor/thumbor/pull/1799

New Contributors

  • @sephii made their first contribution in https://github.com/thumbor/thumbor/pull/1754
  • @ritoban23 made their first contribution in https://github.com/thumbor/thumbor/pull/1766
  • @cjwatson made their first contribution in https://github.com/thumbor/thumbor/pull/1789
  • @4390c336 made their first contribution in https://github.com/thumbor/thumbor/pull/1819

Full Changelog: https://github.com/thumbor/thumbor/compare/7.7.7...7.8.0

Security Fixes

  • File loader path confinement bypass fix
  • URL signature validation bypass fix involving repeated/encoded hash prefixes
  • ALLOWED_SOURCES pattern hardening
  • Denial of service fixes in convolution and proportion filters
View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track Thumbor

Get notified when new releases ship.

Sign up free

About Thumbor

A smart imaging service and enables on-demand cropping, resizing, applying filters and optimizing images.

All releases →

Related context

Beta — feedback welcome: [email protected]