Zero-TOTP

Secrets & Credentials

A zero‑knowledge TOTP client that lets you store and retrieve authentication codes across web, iOS, and CLI interfaces securely.

Python Latest v1.13.1 · 13d ago Security brief →

Features

  • Zero‑knowledge encryption for full control of stored TOTP codes
  • Available as a web app, iOS app, and CLI tool
  • Multi‑location vault storage (default DB, Google Drive, local machine)
  • Self‑hostable via Docker containers with simple deployment instructions

Recent releases

View all 13 releases →
Review required
v1.13.1 Breaking risk
Auth Breaking upgrade Dependencies

Security patch + vault update flow

v1.12.3 Breaking risk

Minor fixes and improvements.

Full changelog

Before upgrading, carefully read the following warning:

[!caution]
We introduced breaking changes in v1.12. Carefully read v1.12.1's release notes if upgrading from v1.11 or prior.
Upgrading from v1.12.x to this version (v1.12.3) should be painless.

[!important]
This version brings a security patch. Upgrading is highly recommended.

🐳 New Docker images

The update is available under the following tags: 1.12, 1.12.3 and latest.
Recommended tag:

  • API : ghcr.io/seaweedbraincy/zero-totp-api:1.12
  • Frontend : ghcr.io/seaweedbraincy/zero-totp-frontend:1.12

Exact tag:

  • API : ghcr.io/seaweedbraincy/zero-totp-api:1.12.2
  • Frontend : ghcr.io/seaweedbraincy/zero-totp-frontend:1.12.3

Latest tag:

  • API : ghcr.io/seaweedbraincy/zero-totp-api:latest
  • Frontend : ghcr.io/seaweedbraincy/zero-totp-frontend:latest

What's Changed

  • build(deps-dev): bump tar from 7.5.7 to 7.5.11 in /frontend by @dependabot[bot] in https://github.com/SeaweedbrainCY/zero-totp/pull/392
  • build(deps): bump flatted from 3.3.3 to 3.4.2 in /frontend by @dependabot[bot] in https://github.com/SeaweedbrainCY/zero-totp/pull/396
  • build(deps): bump werkzeug from 3.1.5 to 3.1.6 in /api by @dependabot[bot] in https://github.com/SeaweedbrainCY/zero-totp/pull/402
  • build(deps): bump flask from 3.1.1 to 3.1.3 in /api by @dependabot[bot] in https://github.com/SeaweedbrainCY/zero-totp/pull/401
  • build(deps): bump aiohttp from 3.13.3 to 3.13.4 in /api by @dependabot[bot] in https://github.com/SeaweedbrainCY/zero-totp/pull/400
  • build(deps): bump cryptography from 46.0.2 to 46.0.6 in /api by @dependabot[bot] in https://github.com/SeaweedbrainCY/zero-totp/pull/399
  • build(deps): bump lodash from 4.17.23 to 4.18.1 in /frontend by @dependabot[bot] in https://github.com/SeaweedbrainCY/zero-totp/pull/403
  • build(deps): bump dompurify from 3.3.1 to 3.3.3 in /frontend by @dependabot[bot] in https://github.com/SeaweedbrainCY/zero-totp/pull/398
  • build(deps): bump requests from 2.32.4 to 2.33.0 in /api by @dependabot[bot] in https://github.com/SeaweedbrainCY/zero-totp/pull/397
  • build(deps): bump pyasn1 from 0.5.0 to 0.6.3 in /api by @dependabot[bot] in https://github.com/SeaweedbrainCY/zero-totp/pull/395
v1.12.2 Breaking risk
Breaking changes
  • v1.12 contains breaking changes; refer to v1.12.1 release notes when upgrading from v1.11 or earlier
Security fixes
  • CVE-2025-15284
  • CVE-2026-23950
  • CVE-2026-24842
Full changelog

Before upgrading, carefully read the following warning:

[!caution]
We introduced breaking changes in v1.12. Carefully read v1.12.1's release notes if upgrading from v1.11 or prior.
Upgrading from v1.12.1 to this version (v1.12.2) should be painless.

[!important]
This version brings a security patch. Upgrading is highly recommended.

🐳 New Docker images

The update is available under the following tags: 1.12, 1.12.2 and latest.
Recommended tag:

  • API : ghcr.io/seaweedbraincy/zero-totp-api:1.12
  • Frontend : ghcr.io/seaweedbraincy/zero-totp-frontend:1.12

Exact tag:

  • API : ghcr.io/seaweedbraincy/zero-totp-api:1.12.2
  • Frontend : ghcr.io/seaweedbraincy/zero-totp-frontend:1.12.2

Latest tag:

  • API : ghcr.io/seaweedbraincy/zero-totp-api:latest
  • Frontend : ghcr.io/seaweedbraincy/zero-totp-frontend:latest

What's fixed

  • Bump qs from 6.14.0 to 6.14.1 in /frontend to fix CVE-2025-15284. PR #365 by @SeaweedbrainCY
  • Bump tar and @angular/cli in /frontend to fix CVE-2026-23950, CVE-2026-24842, CVE-2026-23745. PR #377 by @SeaweedbrainCY
  • Bump @angular/core from 20.3.15 to 20.3.16 in /frontend to fix CVE-2026-22610. PR #370 by @SeaweedbrainCY
  • Bump python-multipart from 0.0.18 to 0.0.22 in /api to fix CVE-2026-24486. PR #376 by @SeaweedbrainCY
  • Bump protobuf from 6.31.1 to 6.33.5 in /api to fix CVE-2026-0994. PR #378 by @SeaweedbrainCY
  • Bump filelock from 3.18.0 to 3.20.3 in /api to fix CVE-2025-68146, CVE-2026-22701. PR #372 by @SeaweedbrainCY
  • Bump werkzeug from 3.1.4 to 3.1.5 in /api to fix CVE-2026-21860. PR #368 by @SeaweedbrainCY
  • Bump virtualenv from 20.30.0 to 20.36.1 in /api to fix CVE-2026-22702. PR #371 by @SeaweedbrainCY
v1.12.1 Breaking risk
Breaking changes
  • Database migration required that deletes all session tokens
  • New session flow and lifetime management
Security fixes
  • CVE-2025-66418
  • CVE-2025-66471
  • CVE-2025-69224
Notable features
  • Session lifetime increased with new session flow
  • API prepared for user-managed encrypted session information
Full changelog

Before upgrading, carefully read the following 4 warnings:

[!warning]
This version requires a database migration.
Make sure to follow the Zero-TOTP docs to properly back up and then migrate your database.

[!caution]
IMPORTANT: This specific migration will delete all session tokens in the database. This means all users will be disconnected when the migration is applied.

[!important]
This version brings a new flow for users' sessions and their lifetime.
Please carefully read the blog post on this new approach to understand how sessions are now handled and what can be configured.

[!important]
This version brings a security patch. Upgrading is highly recommended.

🐳 New Docker images

The update is available under the following tags: 1.12, 1.12.1 and latest.
Recommended tag:

  • API : ghcr.io/seaweedbraincy/zero-totp-api:1.12
  • Frontend : ghcr.io/seaweedbraincy/zero-totp-frontend:1.12

Exact tag:

  • API : ghcr.io/seaweedbraincy/zero-totp-api:1.12.0
  • Frontend : ghcr.io/seaweedbraincy/zero-totp-frontend:1.12.1

Latest tag:

  • API : ghcr.io/seaweedbraincy/zero-totp-api:latest
  • Frontend : ghcr.io/seaweedbraincy/zero-totp-frontend:latest

What's Changed

  • IMPORTANT: Users' session lifetimes are globally increased with a new session flow. PR #364 by @SeaweedbrainCY.
    • Carefully read the related blog post to understand the changes.
  • The API is prepared for a further update in which users will be able to store encrypted information about their sessions, view them and revoke them. PR #364 by @SeaweedbrainCY.
  • The overall hardening of how sessions are validated has been reviewed. In particular, the API is now stricter when a potential attack or manipulation is detected: for example, re-use or misuse of some authentication tokens causes the API to force their expiration, so that a compromised token cannot be used further. PR #364 by @SeaweedbrainCY.

What's fixed

  • Bump urllib3 to 2.6.3 to fix CVE-2025-66418, CVE-2026-21441 & CVE-2025-66471. PR #364 by @SeaweedbrainCY.
  • Bump aiohttp to 3.13.3 to fix CVE-2025-69224, CVE-2025-69230, CVE-2025-69225, CVE-2025-69226, CVE-2025-69229, CVE-2025-69227, CVE-2025-69228, CVE-2025-69223. PR #366 by @SeaweedbrainCY.
  • Fix a bug causing the user deletion to return an error in some scenarios. PR #364 by @SeaweedbrainCY.
v1.11.3 Security relevant
Security fixes
  • CVE-2025-62727
  • CVE-2025-66035
  • CVE-2025-58752
Full changelog

🐳 New Docker images

The update is available under the following tags: 1.11, 1.11.3 and latest.
Recommended tag:

  • API : ghcr.io/seaweedbraincy/zero-totp-api:1.11
  • Frontend : ghcr.io/seaweedbraincy/zero-totp-frontend:1.11

Exact tag:

  • API : ghcr.io/seaweedbraincy/zero-totp-api:1.11.3
  • Frontend : ghcr.io/seaweedbraincy/zero-totp-frontend:1.11.3

Latest tag:

  • API : ghcr.io/seaweedbraincy/zero-totp-api:latest
  • Frontend : ghcr.io/seaweedbraincy/zero-totp-frontend:latest

What's Changed

  • The multi-image build is now optimized, with several workers building in parallel.
  • Reduced the number of files copied into the Docker image via allowlisting and explicit declaration.
  • Switched the API base image to Alpine to reduce the base image size.
  • The API is built in multiple stages to get rid of unnecessary build cache files.
  • Merged all deploy CI/CD workflows into a single file. The difference between the dev and prod environments is handled directly in the workflow, which helps keep dev identical to prod.
  • Added scheduled, regular Trivy image scans to improve vulnerability coverage.

What's fixed

  • Upgrade starlette to version 0.49.1. Fix CVE-2025-62727.
  • Upgrade angular from 20.0.5 to 20.3.1. Fix CVE-2025-66035, CVE-2025-58752, CVE-2025-58751, CVE-2025-62522, CVE-2025-64756, CVE-2025-66412.
  • Fix CVE-2025-59288. PR #346.
  • Fix CVE-2025-66221. PR #361.
  • Fix CVE-2025-66418 & CVE-2025-66471. PR #362.

About

Stars
22
Forks
0
Languages
Python TypeScript HTML

Install & Platforms

Mobile
IOS
