github dunglas/mercure v0.24.2

Community

Mercure 0.24.2 is a security hardening release. It closes an SSE field-injection vector (CWE-93), blocks forgery of the hub's reserved subscription-event topics, fixes a metadata leak in history replay, and adds count caps that defang several denial-of-service amplification vectors. Every hub operator should upgrade.

🔒 Security

  • SSE field injection via id and type (CWE-93). The publish form fields id and type were copied verbatim into the outgoing SSE stream. A CR or LF in either value ended the field early, so an authorized publisher could inject arbitrary event: / id: / data: lines into every subscriber's stream; NUL is rejected as well, because EventSource discards an id field that contains one, so the client's Last-Event-ID is never advanced. The hub now rejects such values with 400 Bad Request. by @dunglas in #1259
  • Reserved topic namespace forgery. Publishes targeting /.well-known/mercure, the namespace the hub uses for its own subscription events, were dispatched like any other update, letting a publisher whose JWT selector covered that namespace (a * wildcard selector, for instance) forge subscription lifecycle events to other subscribers. Now rejected with 403 Forbidden. by @dunglas in #1259
  • Last-Event-ID metadata disclosure. On reconnect with an unknown Last-Event-ID, the response header echoed the most recent event ID even when that event was a private update the subscriber wasn't authorized to read. The history scan now applies the authorization match before setting the header. by @dunglas in #1259
  • Denial-of-service amplification caps. Transport byte limits bound request size but not parsed element counts: a 1 MiB JWT fits roughly 30k matchers and a long URL thousands of topic params, and each one multiplies the per-event matching work for every subscriber. New caps (default 1000) on JWT claim matchers (rejected with 401), subscribe topic params (400), and publish topic fields (400), plus a 10000-event cap on the backward history scan performed for Last-Event-ID. by @dunglas in #1259, #1260
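The reserved-namespace rejection, the element-count caps, and the authorization-before-header history walk from the list above, as a Go example added for this page. It is not the hub's code: the constants mirror the defaults named in the release, but the function names (checkPublishTopics, checkSubscribeQuery, lastEventIDForSubscriber), the Event type, the prefix test on /.well-known/mercure and the exact-match topic model are this example's own assumptions (real Mercure selectors are URI templates). The history in main is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Defaults named in the release notes. The types, names and exact-match topic
// model below are this example's own, not the hub's code.
const (
	maxTopics      = 1000  // subscribe topic params and publish topic fields
	maxMatchers    = 1000  // JWT claim selectors (same test, applied to the claim)
	maxHistoryScan = 10000 // entries walked backwards when resolving Last-Event-ID
)

// reservedPrefix is the namespace the hub uses for its own subscription events.
const reservedPrefix = "/.well-known/mercure"

var (
	ErrReserved = errors.New("403 Forbidden: reserved topic namespace")
	ErrTooMany  = errors.New("400 Bad Request: too many topics")
)

// checkPublishTopics applies the count cap first (cheap, and it stops the
// amplification before any matching runs), then refuses the reserved
// namespace. Prefix matching on the namespace is an assumption of this example.
func checkPublishTopics(topics []string) error {
	if len(topics) > maxTopics {
		return ErrTooMany
	}
	for _, t := range topics {
		if t == reservedPrefix || strings.HasPrefix(t, reservedPrefix+"/") {
			return ErrReserved
		}
	}
	return nil
}

// checkSubscribeQuery counts topic params in the raw query: a long URL fits
// thousands of them while staying under any byte limit.
func checkSubscribeQuery(rawQuery string) ([]string, error) {
	q, err := url.ParseQuery(rawQuery)
	if err != nil {
		return nil, err
	}
	if len(q["topic"]) > maxTopics {
		return nil, ErrTooMany
	}
	return q["topic"], nil
}

// Event is a stored update; a private one reaches only subscribers whose JWT
// claim covers one of its topics.
type Event struct {
	ID      string
	Topics  []string
	Private bool
}

// canRead is a simplified, exact-match form of the authorization rule:
// subscribed to a topic of the update and, if private, also cleared for it.
func canRead(e Event, subscribed, claimed map[string]bool) bool {
	for _, t := range e.Topics {
		if subscribed[t] && (!e.Private || claimed[t]) {
			return true
		}
	}
	return false
}

// lastEventIDUnchecked is the pre-fix behaviour: the newest ID is echoed to
// whoever reconnects, authorized or not.
func lastEventIDUnchecked(history []Event) (string, bool) {
	if len(history) == 0 {
		return "", false
	}
	return history[len(history)-1].ID, true
}

// lastEventIDForSubscriber walks history newest-first and returns the first ID
// the subscriber may read, giving up after maxHistoryScan entries so a huge
// history cannot be turned into per-reconnect CPU work.
func lastEventIDForSubscriber(history []Event, subscribed, claimed map[string]bool) (string, bool) {
	for i, n := len(history)-1, 0; i >= 0 && n < maxHistoryScan; i, n = i-1, n+1 {
		if canRead(history[i], subscribed, claimed) {
			return history[i].ID, true
		}
	}
	return "", false
}

func main() {
	// Constructed history: a public update followed by a private one, and a
	// subscriber who is subscribed to both but holds no JWT claim at all.
	history := []Event{{ID: "1", Topics: []string{"/public"}}, {ID: "2", Topics: []string{"/secret"}, Private: true}}
	sub := map[string]bool{"/public": true, "/secret": true}
	before, _ := lastEventIDUnchecked(history)
	after, _ := lastEventIDForSubscriber(history, sub, nil)
	fmt.Println("before fix:", before, "after fix:", after) // before fix: 2 after fix: 1
	fmt.Println(checkPublishTopics([]string{"/.well-known/mercure/subscriptions/a/b"}))
}
```

The order inside checkPublishTopics matters: counting is O(n) with no allocation, so it runs before anything that would compile or match a selector, which is the whole point of a count cap.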

📖 Documentation & API

  • Update.Validate is now exported. Library callers that dispatch through a Transport directly bypass Hub.Publish, where the CR/LF/NUL validation lives. Update.Validate is now public and Transport.Dispatch documents that direct callers must call it and reject on error. by @dunglas in #1266
  • SECURITY.md documenting the maintenance and disclosure policy. by @dunglas in #1257
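The SSE field-injection item under Security and the Update.Validate item above, as a Go example added for this page (not the hub's code). The names Update, Validate and Dispatch echo the release note, but their bodies, the encodeUnchecked and frameLines helpers, the pre-fix encoder and the attacker-controlled id in main are this example's own constructions.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Update is a stand-in for the hub's update type, not Mercure's own struct:
// id and type come from the publish form, data is the event body.
type Update struct {
	ID   string
	Type string
	Data string
}

// ErrInvalidField is the 400 Bad Request condition from the release note.
var ErrInvalidField = errors.New("field contains CR, LF or NUL")

// validateField rejects the bytes that break an SSE field: CR and LF end the
// line, so whatever follows is parsed by the client as a fresh "name: value"
// field, and an id containing NUL is discarded by EventSource, which leaves
// the client's Last-Event-ID stale.
func validateField(v string) error {
	if strings.ContainsAny(v, "\r\n\x00") {
		return ErrInvalidField
	}
	return nil
}

// Validate is the check that lives in the publish path. Data is not checked
// here: the encoder splits it into one "data:" line per newline, which is how
// SSE carries multi-line payloads.
func (u Update) Validate() error {
	if err := validateField(u.ID); err != nil {
		return fmt.Errorf("id: %w", err)
	}
	if err := validateField(u.Type); err != nil {
		return fmt.Errorf("type: %w", err)
	}
	return nil
}

// encodeUnchecked is the pre-fix behaviour: fields copied verbatim into the frame.
func encodeUnchecked(u Update) string {
	var b strings.Builder
	if u.Type != "" {
		fmt.Fprintf(&b, "event: %s\n", u.Type)
	}
	fmt.Fprintf(&b, "id: %s\n", u.ID)
	for _, line := range strings.Split(u.Data, "\n") {
		fmt.Fprintf(&b, "data: %s\n", line)
	}
	b.WriteString("\n") // blank line terminates the event
	return b.String()
}

// Dispatch is what a caller that bypasses the publish handler must do:
// validate, refuse on error, and only then write the frame.
func Dispatch(u Update) (string, error) {
	if err := u.Validate(); err != nil {
		return "", err
	}
	return encodeUnchecked(u), nil
}

// frameLines shows a frame the way an EventSource parser sees it: one entry
// per non-empty line, i.e. one entry per field.
func frameLines(frame string) []string {
	var out []string
	for _, l := range strings.Split(frame, "\n") {
		if l != "" {
			out = append(out, l)
		}
	}
	return out
}

func main() {
	// Constructed attacker-controlled id: a valid id, then LF and a forged
	// data field that the client will merge into the event body.
	evil := Update{ID: "42\ndata: {\"role\":\"admin\"}", Type: "message", Data: "{\"role\":\"user\"}"}
	fmt.Printf("unchecked frame fields: %q\n", frameLines(encodeUnchecked(evil)))
	if _, err := Dispatch(evil); err != nil {
		fmt.Println("hardened dispatch:", err)
	}
}
```

Note that the forged line lands inside the same event as the legitimate one, so the subscriber receives a single message whose body is the attacker's data line followed by the real one; a CR LF pair followed by a blank line would let the attacker terminate the event and start a new one with its own id and type.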

Enterprise

Mercure Enterprise (on-premise) and Mercure Cloud pick up the same hardening fixes: SSE field-injection rejection, reserved-topic forgery blocking, the Last-Event-ID disclosure fix, and the DoS amplification caps. Cloud tenants are being rolled onto this release; on-premise customers should upgrade to the matching hub build.

These fixes ship under the Enterprise SLA, with prioritized patches and direct support. Contact contact@mercure.rocks for the managed Cloud offering, on-premise licenses, custom development, consulting, and training.

Full Changelog: v0.24.1...v0.24.2
