Security Release
This release fixes critical path traversal vulnerabilities that could allow authenticated users to write files to arbitrary locations on the server, leading to Remote Code Execution (RCE).
Security Fixes
- UploadsController: Sanitize `filePaths` input and validate that resolved paths stay within the share directory
- TusdHooksController: Sanitize bundle manifest paths and validate extraction paths
- EmailTemplatesController: Validate template IDs to prevent path traversal
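A containment check of the kind the UploadsController fix describes, written as an added PHP example that is not Erugo's own code: a user-supplied relative path is normalised and then verified to resolve inside the share directory before any write happens. The function name, parameter names and sample paths are assumptions.

```php
<?php
declare(strict_types=1);
// Added example, not Erugo's code: resolve a user-supplied relative path
// against a share directory and refuse anything that would escape it.
// The function name, parameter names and sample paths are assumed.
function resolveWithinShare(string $shareDir, string $userPath): ?string
{
    // The share directory must exist; realpath() canonicalises it and
    // follows symlinks, so the containment prefix is its real location.
    $base = realpath($shareDir);
    if ($base === false) {
        return null;
    }
    // Reject empty input, NUL bytes and absolute paths (POSIX, drive-letter,
    // UNC): an upload path must always be relative to the share.
    if ($userPath === ''
        || str_contains($userPath, "\0")
        || preg_match('#^(?:[A-Za-z]:|[\\\\/])#', $userPath) === 1) {
        return null;
    }
    // Normalise separators and walk the segments: '.' and empty segments are
    // dropped, any '..' is refused outright, so the result can never climb
    // above the root. Being lexical, this also covers files that do not
    // exist yet, which realpath() alone cannot check.
    $parts = [];
    foreach (explode('/', str_replace('\\', '/', $userPath)) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;
        }
        if ($segment === '..') {
            return null;
        }
        $parts[] = $segment;
    }
    if ($parts === []) {
        return null; // nothing left: would target the share root itself
    }
    $resolved = $base . DIRECTORY_SEPARATOR . implode(DIRECTORY_SEPARATOR, $parts);
    // An existing target (or a dangling symlink) may point elsewhere; its
    // real location must also sit under the share directory.
    $real = (is_link($resolved) || file_exists($resolved)) ? realpath($resolved) : $resolved;
    if ($real === false || !str_starts_with($real, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $resolved;
}

// Constructed call; the share directory is assumed to exist on the server.
$target = resolveWithinShare('/srv/erugo/shares/example', 'docs/report.pdf');
```

A `null` result should be treated as a rejected request and logged, since a traversal attempt against an upload endpoint is worth alerting on.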
Security Advisory
- Advisory: GHSA-336w-hgpq-6369
- Severity: Critical
- Affected versions: <=0.2.14
Upgrade Instructions
All users running Erugo v0.2.14 or earlier should upgrade immediately.
Credits
Thanks to Leon Phan of AWARE7 GmbH for responsibly disclosing this vulnerability.