v2.0.3 - Security Update

@jasonraimondi jasonraimondi released this 04 Jun 02:41
· 19 commits to main since this release
b63cc0c

Release Notes - Security Update

  • fix(security): require screenshot protocol to be http/https by @jasonraimondi in #48
    • Resolved a critical arbitrary file read vulnerability in the Playwright screenshot feature.
    • The vulnerability allowed attackers to read arbitrary files on the server using the file:// URI scheme.
    • Restricted URI schemes to only allow http and https for the screenshot feature.
    • Implemented strict input validation and sanitization to ensure only allowed URIs are processed.
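
A scheme allowlist of the kind described above, as an added example (not the project's own code). The names `validateScreenshotUrl` and `ALLOWED_PROTOCOLS` and the sample inputs are hypothetical; the check is made on the parsed URL rather than the raw string, so case and whitespace variations of a disallowed scheme are rejected as well.

```javascript
// Added example: allow only http/https targets for a screenshot request.
// ALLOWED_PROTOCOLS and validateScreenshotUrl are hypothetical names.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

function validateScreenshotUrl(input) {
  if (typeof input !== "string" || input.trim() === "") {
    return { ok: false, reason: "empty or non-string input" };
  }
  let parsed;
  try {
    // The WHATWG URL parser lowercases the scheme and drops surrounding
    // whitespace and embedded tabs/newlines. Compare against its output,
    // never against a prefix of the raw string.
    parsed = new URL(input);
  } catch {
    // Relative paths and bare hostnames are not absolute URLs.
    return { ok: false, reason: "not an absolute URL" };
  }
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) {
    return { ok: false, reason: `scheme ${parsed.protocol} is not allowed` };
  }
  // Hand the normalized href to the browser, not the caller's string,
  // so the value that was checked is the value that gets loaded.
  return { ok: true, url: parsed.href };
}

// Constructed sample inputs for illustration.
const SAMPLES = [
  "https://example.com/page",
  "HTTP://Example.com",
  "file:///etc/passwd",
  "FILE:///etc/passwd",
  "  file:///etc/passwd",
  "fi\tle:///etc/passwd",
  "view-source:file:///etc/passwd",
  "data:text/html,<h1>x</h1>",
  "/etc/passwd",
  "example.com",
];

// Returns the normalized URLs that pass the allowlist.
function acceptedUrls(inputs) {
  return inputs.map(validateScreenshotUrl).filter((r) => r.ok).map((r) => r.url);
}

for (const s of SAMPLES) {
  console.log(JSON.stringify(s), "->", JSON.stringify(validateScreenshotUrl(s)));
}
```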

This release addresses a severe security issue and is highly recommended for all users. Please update to the latest version as soon as possible to protect your application and sensitive data.

Thank You

Thank you to @timoxoszt for his contribution in finding and reporting this vulnerability.

Full Changelog: v2.0.2...v2.0.3