remark42

v1.16.0 Security

This release includes 4 security fixes for security teams reviewing exposed deployments.

Published 12d Productivity & Wikis
✓ No known CVEs patched
This release patches 4 known CVEs

Topics

comment-system, commenting, commenting-engines, comments-widget, privacy, remark42, self-hosted

Affected surfaces

auth rce_ssrf

ReleasePort's take

Light signal
editorial:auto 11d

Release v1.16.0 hardens security by rejecting non‑image content types, blocking path traversal, and limiting decompression‑bomb dimensions.

Why it matters: These changes block stored XSS, open‑redirect, and SSRF attacks in the image proxy and /picture/ endpoint; they are effective immediately on upgrade to v1.16.0.

Summary

AI summary

Reject non-image content-types, path traversal, and decompression-bomb dimensions to prevent stored XSS, open‑redirect, and SSRF vulnerabilities.

Changes in this release

All entries below are rated Medium; source for each is llm_adapter@2026-05-23, with the adapter's confidence given in brackets.

  • Security: Offers GitHub private vulnerability reporting in security policy. [confidence: high]
  • Security: Rejects decompression‑bomb dimensions before raster decode to avoid resource exhaustion. [confidence: high]
  • Security: Applies SSRF‑safe transport to TitleExtractor and restores gosec G70x rules. [confidence: high]
  • Security: Adds X-Content-Type-Options and Referrer-Policy security headers. [confidence: high]
  • Security: Rejects non‑image content types in image proxy and /picture/ to prevent stored XSS. [confidence: low]
  • Security: Closes OAuth open‑redirect vulnerability by wiring AllowedRedirectHosts. [confidence: low]
  • Security: Rejects path traversal attempts in /picture/{user}/{id} endpoint. [confidence: low]
  • Security: Fixes IPv6 address truncation and image‑proxy SSRF vulnerabilities. [confidence: low]
  • Feature: Adds custom OAuth2 provider support. [confidence: high]
  • Feature: Makes Microsoft Entra ID tenant configurable. [confidence: high]
  • Dependency: Bumps go modules in backend and example projects. [confidence: low]
  • Dependency: Updates Go modules across the codebase. [confidence: low]
  • Performance: Eliminates wall‑clock sleeps in tests via testing/synctest. [confidence: low]
  • Performance: Adds node dependency caching to build process. [confidence: low]
  • Performance: Corrects email encoding, stops image‑cleanup CPU spin, and fixes demo template paths. [confidence: low]
  • Bugfix: Requires explicit ?site= parameter in matchSiteID middleware. [confidence: high]
  • Bugfix: Ensures frontend respects ADMIN_EDIT configuration flag. [confidence: high]
  • Bugfix: Triggers site rebuild on release events. [confidence: high]
  • Bugfix: Preserves original verbatim content in edit textarea. [confidence: low]
  • Bugfix: Fixes Firefox dark‑mode white background issue on comment iframe. [confidence: low]
  • Bugfix: Resolves type‑check failure in @remark42/api package. [confidence: low]
  • Refactor: Builds release artifacts using GoReleaser. [confidence: low]
  • Refactor: Uses time.UTC in test fixtures for timezone‑agnostic behavior. [confidence: low]
  • Refactor: Modernises Go code with go fix. [confidence: low]
  • Refactor: Migrates remaining BEM components to CSS Modules (final batch). [confidence: low]
  • Refactor: Migrates batch 1 components from BEM to CSS Modules. [confidence: low]
  • Refactor: Migrates 4 BEM components to CSS Modules. [confidence: low]
  • Refactor: Cleans up deprecated CSS and fixes silent CSS bugs in frontend. [confidence: low]
  • Other: Documents placeholder support in remark42 div loading. [confidence: low]
  • Other: Documents that EDIT_TIME=0 disables comment editing and image cleanup. [confidence: low]

Full changelog

New Features

  • custom oauth2 provider #2006 @alexma233
  • make Microsoft Entra ID tenant configurable #1999 @paskal

Improvements

  • build release artifacts with GoReleaser #2070 @umputun
  • use testing/synctest to eliminate wall-clock sleeps #2048 @paskal
  • use time.UTC in test fixtures to be timezone-agnostic #2047 @paskal
  • modernise Go code with go fix #2027 @paskal
  • add node dependency caching #2020 @paskal
  • document loading placeholder support in remark42 div #2009 @paskal
  • offer github private vulnerability reporting in security policy f3a7dea1
  • bump go modules in backend and example #2065 @paskal
  • update Go modules #2042 @paskal

Bug Fixes

  • reject non-image content-types in image proxy and /picture/ to prevent stored XSS #2067 @paskal
  • reject decompression-bomb dimensions before raster decode #2064 @paskal
  • close OAuth open-redirect by wiring AllowedRedirectHosts #2049 @paskal
  • require explicit ?site= in matchSiteID middleware #2046 @paskal
  • reject path traversal in /picture/{user}/{id} #2045 @paskal
  • apply ssrf-safe transport to TitleExtractor + restore gosec G70x rules #2044 @paskal
  • fix IPv6 address truncation and image proxy SSRF vulnerabilities #2016 @umputun
  • preserve orig verbatim in edit textarea #2041 @paskal
  • Fix Firefox dark mode white background on comment iframe #2023 @amdevz
  • Fix frontend not respecting ADMIN_EDIT config #2001 @paskal
  • Fix email encoding, image cleanup CPU spin, and demo template paths #2000 @paskal
  • Fix site rebuild on release #1993 @paskal
  • fix type check failure in @remark42/api package ab9e6675

Other

  • Migrate remaining BEM components to CSS Modules (final batch) #2015 @paskal
  • Migrate batch 1 components from BEM to CSS Modules #2014 @paskal
  • Migrate 4 BEM components to CSS Modules #2013 @paskal
  • Clean up deprecated CSS and fix silent CSS bugs in frontend #2012 @paskal
  • Document EDIT_TIME=0 disables comment editing and image cleanup #2010 @paskal
  • Add X-Content-Type-Options and Referrer-Policy security headers #2008 @paskal
  • Drop GitHub token permissions on deploy jobs #2007 @paskal
  • Sync example dependencies after go-modules-updates bump #2005 @app/copilot-swe-agent
  • Document email template variables and plain-text email setup #2003 @paskal
  • Clear user placeholder content when comments iframe loads #2002 @paskal
  • Fix typo in Spanish localization for sort-by #2043 @aroman-arvo
  • Probe /auth/status from frontend to avoid 401 on /user a4c5e17b
  • Update backend base image to buildgo-v1.17.0 in Dockerfile cdad560d
  • dependency bumps (dependabot): #2053 #2052 #2050 #2034 #2032 #2030 #2028 #1997 #1995 #1994 #1984

Security Fixes

  • Reject non-image content-types in image proxy and /picture/ to prevent stored XSS (#2067)
  • Close OAuth open-redirect by wiring AllowedRedirectHosts (#2049)
  • Reject path traversal in /picture/{user}/{id} (#2045)
  • Apply SSRF‑safe transport to TitleExtractor (#2044) and fix IPv6 address truncation and image proxy SSRF vulnerabilities (#2016)
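The three input-validation fixes in the Bug Fixes and Security Fixes lists above (rejecting non-image content types in the image proxy and /picture/, rejecting decompression-bomb dimensions before raster decode, and rejecting path traversal in /picture/{user}/{id}) all follow the same defensive pattern: validate what the header claims before committing memory or filesystem access to it. The Go program below is an added illustration of that pattern and is not remark42's own code; the function names, the `maxPixels` budget and the base directory are assumptions, and the PNG header it feeds itself is constructed for the demonstration.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"hash/crc32"
	"image"
	_ "image/png" // registers the PNG decoder so image.DecodeConfig can parse PNG headers
	"net/http"
	"path"
	"strings"
)

// maxPixels is an assumed pixel budget for this example; the limit remark42 uses is not on the page.
const maxPixels = 4096 * 4096

// checkProxiedImage accepts a body only if the upstream Content-Type says image,
// the bytes sniff as an image, and the header's declared dimensions fit the budget.
// Only the header is parsed (image.DecodeConfig), so a decompression bomb is rejected
// before any raster memory is allocated.
func checkProxiedImage(declaredType string, body []byte) error {
	if !strings.HasPrefix(strings.ToLower(strings.TrimSpace(declaredType)), "image/") {
		return fmt.Errorf("declared content-type %q is not an image", declaredType)
	}
	// Sniffing defeats a mislabelled HTML payload; SVG sniffs as text/xml, so it is rejected too.
	if sniffed := http.DetectContentType(body); !strings.HasPrefix(sniffed, "image/") {
		return fmt.Errorf("body sniffs as %q, not an image", sniffed)
	}
	cfg, _, err := image.DecodeConfig(bytes.NewReader(body))
	if err != nil {
		return fmt.Errorf("unreadable image header: %w", err)
	}
	if cfg.Width <= 0 || cfg.Height <= 0 || int64(cfg.Width)*int64(cfg.Height) > maxPixels {
		return fmt.Errorf("declared size %dx%d exceeds pixel budget", cfg.Width, cfg.Height)
	}
	return nil
}

// safePicturePath maps the {user} and {id} segments of /picture/{user}/{id} onto a file
// under base. Each segment must be a single plain name, and the joined path must still be
// inside base after cleaning.
func safePicturePath(base, user, id string) (string, error) {
	for _, seg := range []string{user, id} {
		if seg == "" || seg == "." || seg == ".." || strings.ContainsAny(seg, "/\\\x00") {
			return "", fmt.Errorf("invalid path segment %q", seg)
		}
	}
	root := path.Clean(base)
	joined := path.Join(root, user, id)
	if !strings.HasPrefix(joined, root+"/") {
		return "", errors.New("path escapes base directory")
	}
	return joined, nil
}

// pngHeader builds a constructed PNG consisting of the signature plus a valid IHDR chunk
// that declares the given dimensions. It carries no pixel data at all, which is exactly
// how a decompression bomb works: the header promises far more than the file contains.
func pngHeader(width, height uint32) []byte {
	ihdr := make([]byte, 13)
	binary.BigEndian.PutUint32(ihdr[0:4], width)
	binary.BigEndian.PutUint32(ihdr[4:8], height)
	ihdr[8] = 8 // bit depth
	ihdr[9] = 6 // colour type: RGBA
	// ihdr[10..12]: compression, filter and interlace all stay zero
	chunk := append([]byte("IHDR"), ihdr...)

	var b bytes.Buffer
	b.WriteString("\x89PNG\r\n\x1a\n")
	binary.Write(&b, binary.BigEndian, uint32(len(ihdr)))
	b.Write(chunk)
	binary.Write(&b, binary.BigEndian, crc32.ChecksumIEEE(chunk)) // CRC covers type + data
	return b.Bytes()
}

func main() {
	fmt.Println("64x64 png:", checkProxiedImage("image/png", pngHeader(64, 64)))
	fmt.Println("100000x100000 png:", checkProxiedImage("image/png", pngHeader(100000, 100000)))
	fmt.Println("html as image/png:", checkProxiedImage("image/png", []byte("<!DOCTYPE html><html></html>")))
	fmt.Println(safePicturePath("/srv/remark42/pictures", "alice", "a1.png"))
	fmt.Println(safePicturePath("/srv/remark42/pictures", "..", "passwd"))
}
```

The order of the checks matters: the declared type is the cheapest test, sniffing the first bytes catches content that is mislabelled as an image, and `image.DecodeConfig` reads only the header, so a 100000x100000 claim is refused before `image.Decode` would ever try to allocate the raster. For the path check, rejecting any separator or dot segment up front is simpler to reason about than relying on `path.Clean` alone, and the prefix test after joining is a second, independent guard.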


About remark42

Lightweight and simple comment engine, which doesn't spy on users. It can be embedded into blogs, articles or any other place where readers add comments.
