
ktistec

v3.3.9 Security

This release includes 3 security fixes and is relevant to security teams reviewing exposed deployments.

Published 14 days ago · Category: Communication & Email
✓ No known CVEs patched

Topics: activitypub, crystal

Affected surfaces: auth

ReleasePort's take

Light signal (editorial: auto, 14 days ago)

Ktistec v3.3.9 closes DNS rebinding window for outbound requests, limits HTTP body sizes, sanitizes RSS CDATA output, and destroys sessions on account termination.

Why it matters: DNS rebinding, HTTP body size, and RSS CDATA issues are patched. Upgrade to v3.3.9 now, especially for instances that federate, publish RSS feeds, or expose public HTTP endpoints.

Summary (AI-generated)

Close DNS rebinding window, limit HTTP body size, sanitize RSS feeds to prevent CDATA breakout.

Changes in this release

Feature · Medium

New Mastodon-compatible APIs added.

Source: granite4.1:8b-q6_K@2026-05-20 · Confidence: high

Feature · Medium

Destroy all sessions and access tokens on account termination.

Source: granite4.1:8b-q6_K@2026-05-20 · Confidence: high

Performance · Medium

Process local recipients in-process in inbox/outbox activity processors.

Source: granite4.1:8b-q6_K@2026-05-20 · Confidence: low

Bugfix · Medium

Limit the size of HTTP bodies the server reads.

Source: granite4.1:8b-q6_K@2026-05-20 · Confidence: high

Bugfix · Medium

Close DNS rebinding window for outbound HTTP requests.

Source: granite4.1:8b-q6_K@2026-05-20 · Confidence: low

Bugfix · Medium

Sanitize RSS feed output to prevent CDATA breakout.

Source: granite4.1:8b-q6_K@2026-05-20 · Confidence: low

Refactor · Medium

Ensure all GET and POST requests utilize `Ktistec::Network`.

Source: granite4.1:8b-q6_K@2026-05-20 · Confidence: low

Full changelog

Added

  • New Mastodon-compatible APIs.

Fixed

  • Close DNS rebinding window for outbound HTTP requests.
  • Limit the size of HTTP bodies the server reads.
  • Sanitize RSS feed output to prevent CDATA breakout.
  • Destroy all sessions and access tokens on account termination.

Changed

  • Ensure all GET and POST requests utilize Ktistec::Network.
  • Process local recipients in-process in inbox/outbox activity processors.

Security Fixes

  • Close DNS rebinding window for outbound HTTP requests
  • Limit the size of HTTP bodies the server reads to mitigate abuse
  • Sanitize RSS feed output to prevent CDATA breakout


About ktistec

ActivityPub (https://www.w3.org/TR/activitypub/) server for individual users and small groups.
