Hyphanet

Network Security

A peer‑to‑peer platform for censorship‑resistant communication and publishing

Java · Latest: build01506 · 3mo ago

Features

  • Provides a distributed, encrypted, decentralized datastore
  • Enables building forums, chat applications, and other web services on top of the network
  • Runs as a peer‑to‑peer daemon (Fred) across multiple operating systems

Recent releases

build01506 Bug fix

Fixed download failures caused by inconsistent hash mismatches during compressed uploads.

Full changelog

Freenet / Hyphanet 0.7.5 build 1506 is now available.

Fix regressions that caused changes to uploads with compression for large files:

  • fix upload hashing input stream regression. Thanks to Bombe!
  • fix concurrent access regression in SkipShieldingInputStream. Thanks to Bertm!
  • do not embed the shorthands for new MIME types into compressed uploads. Thanks to Bertm!

This fixes an issue with downloads failing with the error
"The hashes in the metadata do not match the actual data".
It wasn’t an issue in the network, but a problem in the
hashing during upload compression where multiple uploads
interfered with each other and the input stream wasn’t always
drained completely.

The cause was regressions due to side effects of performance optimization and refactorings.
Also, added MIME types had a side effect on compressed uploads, because with compression
known MIME types get replaced with an index to save space. But this changed upload keys
for files that had already used these newly added MIME types from an older version.

All three issues are fixed now and the keys generated during upload are hashed consistently
and match the old keys again.

Thank you for using Hyphanet!

  • Arne Babenhauserheide

Developer changelog:

2026-02-15

Changes in 1506:

Fix regressions that caused changes to uploads with compression for large files:

  • fix upload hashing input stream regression. Thanks to Bombe!

  • fix concurrent access regression in SkipShieldingInputStream. Thanks to Bertm!

  • do not embed the shorthands for new MIME types into compressed uploads. Thanks to Bertm!

  • Arne Babenhauserheide (release manager)


Arne Babenhauserheide (1):
update NEWS.md

Arne Babenhauserheide (freenet releases) (2):
Update default bookmark editions
Build 1506

Bert Massop (2):
SkipShieldingInputStream: do not assume buffer is never read
Do not compress recently added MIME types in Metadata

David ‘Bombe’ Roden (2):
♻️ Add getter for insert context
🐛 Exhaust input streams completely when hashing

build01505 Breaking risk
Security fixes
  • Fixed remote code execution vulnerability in download progress bar JavaScript by removing unsafe innerHTML updates.
Full changelog

Freenet / Hyphanet 0.7.5 build 1505 is now available.

This release fixes a vulnerability in the progress bar of downloads via the web interface (fproxy).

The JavaScript code for updating the progress bar used the innerHTML selector to show updates from the server without protecting these with a server key, so a finishing download could be interpreted as new content, injecting arbitrary code into the download page.

This code had existed since 2009. Nowadays you’d use server-sent-events (SSE) or a websocket for this, but when the code was added, those were not available yet.

We removed the whole JavaScript file and will be removing more legacy JavaScript in future releases.

We are not aware of any exploit of this vulnerability.

Thank you for using Hyphanet!

  • AB

Developer changelog:

2026-02-08

Changes in 1505:

  • Fix vulnerability in the download progress bar. Found, responsibly disclosed, and fixed by bertm. Thank you very much!

Thank you for using Hyphanet!

  • AB

Bert Massop (1):
Remove progress page background fetching
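
The failure mode described in the build 1505 notes, shown beside a hardened updater that treats the polled response as data only. This is an added example, not Hyphanet's fproxy code: the function names, the JSON shape (`fetched`, `total`) and the fake DOM elements are assumptions made so the block runs under Node.

```javascript
// Added example with hypothetical names; not code from Hyphanet.

// Unsafe pattern: the polled response body goes straight to the HTML parser,
// so whatever is served at that URL, including the content of a download
// that has just finished, becomes markup in the progress page.
function updateUnsafe(el, responseBody) {
  el.innerHTML = responseBody;
}

// Hardened pattern, step 1: accept only a small JSON object with two
// integer fields. Anything else is rejected instead of being rendered.
function parseProgress(responseBody) {
  let data;
  try {
    data = JSON.parse(responseBody);
  } catch (e) {
    return null; // not a progress update (e.g. the download itself)
  }
  if (data === null || typeof data !== "object" || Array.isArray(data)) return null;
  const { fetched, total } = data;
  if (!Number.isInteger(fetched) || !Number.isInteger(total)) return null;
  if (total <= 0 || fetched < 0 || fetched > total) return null;
  return { fetched, total, percent: Math.floor((fetched * 100) / total) };
}

// Hardened pattern, step 2: write validated numbers through textContent and
// a percentage width. No server-supplied string reaches the HTML parser.
function updateSafe(el, bar, responseBody) {
  const p = parseProgress(responseBody);
  if (p === null) return false; // page left untouched; caller can reload
  el.textContent = `${p.fetched} / ${p.total} blocks (${p.percent}%)`;
  bar.style.width = `${p.percent}%`;
  return true;
}

// Constructed stand-in for a DOM element so the example runs without a browser.
function fakeElement() {
  return { innerHTML: "", textContent: "", style: { width: "0%" } };
}

// Constructed sample responses: a progress update, and the body returned
// once the download has finished and the URL serves the content itself.
const SAMPLE_UPDATE = '{"fetched": 12, "total": 48}';
const SAMPLE_FINISHED = "<h1>content of the finished download</h1>";
```

In a browser, `fakeElement()` would be replaced by real elements looked up with `document.getElementById`.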

build01504 Breaking risk
⚠ Upgrade required
  • Migrate any existing Java runtime for Hyphanet nodes to at least Java 8 before upgrading.
  • Review plugin configuration as seed IDs have been updated in WebOfTrust.
Breaking changes
  • WebOfTrust plugin now requires Java 8 (previously compatible with older JVMs).
  • JSTUN plugin now requires Java 8 (previously compatible with older JVMs).
Notable features
  • Updated WebOfTrust to version 0.4.5 build 21, replacing dead seed IDs with active ones.
  • Updated JSTUN to version 1.5, using a list of always‑online STUN servers and removing dead entries.
Full changelog

Freenet 0.7.5 build 1504 is now available.

This release brings updates to plugins, optimization for routing,
cleanups and upkeep.

Plugin updates

WebOfTrust got updated to 0.4.5 build 21. Dead seed IDs
got replaced by active ones. Thanks to xor!

JSTUN was updated to version 1.5: dead STUN servers are replaced with
a list of standard servers to make Hyphanet nodes which require STUN
to find their IP address harder to fingerprint. Thanks to Bombe!

Optimization

Bertm did multiple performance optimizations deep in our core:
MultiHash{Input,Output}Stream, BlockTransmitter, MersenneTwister, and
RunningAverage. Thank you!

Fixes

  • Continue securely deleting the file if IOException occurred and add logging, thanks to torusrxxx!
  • Preserve the order of peers when updating handshake IPs
  • 🚸 Build source JAR in a more reproducible way, thanks to Bombe!
  • Show radiobuttons on sky dark static theme for WoT
  • Update debian package to 1503, thanks to qupo1!

Cleanups

  • Torusrxxx polished PeerManager and version transitions
  • Bombe made tests cleanup files after the run
  • Bombe removed translation strings of removed features

Thank you!

State of the Art upkeep

  • The PNG filter supports HDR chunks, thanks to Bombe and torusrxxx!
  • Translations and the Localization Labs tooling setup are up to date again
  • Update MIME types, thanks to torusrxxx!
  • Bump Gradle to 8.14.3, thanks to qupo1!
  • Update Github Actions versions. Thanks to qupo1!
  • CONTRIBUTING file: Add "no spurious changes" note
  • Link bugs via bugs.hyphanet.org, replace dead URIs, Suggest IRC
    username SecRabbit in SECURITY.md, replace mailing lists reference
    by FMS

Thank you for using Hyphanet!

  • AB

Plugin updates

java installer:

  • Disable verifyjar due to incompatibility
  • Add more seednodes

WebOfTrust plugin (thanks to xor!):

  • Replace old seed IDs by active ones.
    • New seeds: Adilson_Lanpo, ArneBab, HieronymusCH.
    • Removed seeds (haven't been active in a long time): operhiem1, toad_, zidel
  • Update github actions.
  • Require Java 8.

JSTUN plugin (thanks to Bombe!):

  • Use public always-online STUN server list (makes JSTUN accesses harder to identify as Hyphanet).
  • Remove Dead STUN Servers.
  • Require Java 8.

Shortlog


Arne Babenhauserheide (23):
Contributing: replace mailing lists by FMS
Update debian package to 1503
radiobuttons: special case WoT so the buttons show up
Use subshell in command of readme to avoid changing the dir
Add albanian translation from transifex
Fix transifex config (to work with the new tx cli: saves the token).
Add all translations from transifex with 15% or more translated
Cleanup German (remove english + one wording choice)
Remove more untranslated and unused strings
Remove l10n for removed feature. Thanks to Bombe!
Remove l10n for removed feature. Thanks to Bombe!
Log FCP IOErrors on normal to make FCP errors due to disk space trackable
Preserve the order of peers when updating handshake IPs
switch to stream distinct
Remove unused import
CONTRIBUTING: Add "no spurious changes" note
Link bugs via bugs.hyphanet.org
Suggest IRC username SecRabbit in SECURITY.md
add missing NEWS entries for 1500, 1501, 1502 and 1503
Update WebOfTrust plugin to 0.4.5 build 21
Update plugin JSTUN to version 1.5 (6).
Add plugins WebOfTrust and JSTUN to NEWS
match NEWS to the PRs already merged into next

Arne Babenhauserheide (freenet releases) (9):
Update default bookmark editions
Build 1497
Build 1498
Update default bookmark editions
Update default bookmark editions
sign strict, but skip verify due to version incompatibilities
Update default bookmark editions
undo strict signing again
Build 1504

Bert Massop (13):
RunningAverage: replace synchronization with immutable state
RunningAverage: reduce bookkeeping in SimpleRunningAverage
RunningAverage: basic cleanup of MedianMeanRunningAverage
RunningAverage: deprecate MedianMeanRunningAverage and replace its uses
Invalid reports do not change BootstrappingDecayingRunningAverage value
Use MersenneTwister without synchronization where possible
Use dedicated Random instance for each PeerNode
BlockTransmitter: delay BlockSenderJob asynchronously on the Ticker
Ensure mark/reset support is not advertised for hash stream
Simplify MultiHash{Input,Output}Stream
MultiHashDigester: use List instead of arrays
Add basic tests for MultiHash* streams
Switch to compatible general radiobutton display.

David ‘Bombe’ Roden (9):
✨ Add task to build source JAR
✅ Add utility for testing PNGs
✅ Add tests for additional harmless PNG chunks
✅ Disallow cICP after PLTE or IDAT chunks
✅ Disallow mDCV after PLTE and IDAT and without cICP
🚸 Build source JAR in a more reproducible way
🔥 Change tests to remove files used by tests
🔥 Use different temp directories for tests
♻️ Use TempFolder @Rule to provide temporary directories

Marco Gruß (2):
Replace obsolete seednode URIs
More obsolete URIs

Torusrxxx (2):
Add a bunch of more new MIME types
Remove duplicated MIME type

qupo1 (3):
bump Gradle to 8.14.3
update actions/checkout to v5
update Actions version

torusrxxx (11):
Add support for new HDR chunks in PNG
Add cICP chunk validation in PNG filter
Test that certain PNG chunks must come before PLTE
Fix code styles
Fix code style
Add parameter javadoc
Continue deleting other files when some fail to delete in FileUtils
Continue securely deleting the file if IOException occurred and add logging
Remove expired version transition date
Remove scheduleVersionTransition
PeerManager Cleanup

About

  • Stars: 1,181
  • Forks: 236
  • Languages: Java, HTML, CSS

Install & Platforms

  • Platforms: linux, macos, windows
