This release brings substantial under-the-hood security improvements to both the backend API and the frontend UI, along with safer logging practices.
🛡️ Security Enhancements
- Frontend XSS Patch (Dependabot #561): Updated `postcss` to `v8.5.10` to resolve a vulnerability where `</style>` sequences were improperly escaped, preventing potential Cross-Site Scripting (XSS) attacks.
- SSRF Protection: Strengthened internal and external API request handling to block Server-Side Request Forgery attempts across all connected services (Plex, Jellyfin, Emby, TMDB, TVDB, Webhooks).
- Directory Traversal Prevention: Hardened asset uploading, deletion, and folder browsing to strictly restrict access to designated asset directories.
- Command Sanitization: Improved validation of CLI arguments for background tasks (like ImageMagick processing) to prevent argument injection.
- Log Redaction: Sensitive information such as API keys, tokens, and PINs is now strictly masked in application logs and the downloadable support ZIP (only the debug log was affected).
- Safe Error Responses: Genericized HTTP server error responses to prevent internal path and stack trace leaks.
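The two hardening items that are easiest to get subtly wrong are the asset-directory confinement and the log redaction. The following is an added example written for these notes, not code from the project or its author: it shows one defensible implementation of each, in Python, with a constructed asset root (`/srv/posterizarr/assets`), a constructed list of secret parameter names, and constructed sample log lines. The path check resolves the joined path before comparing it with the root, so `..` segments, absolute paths and symlinks are all judged by where they actually land; the redaction rules require a `:` or `=` separator after the key name so ordinary prose such as "token refresh" is left untouched.

```python
import re
from pathlib import Path

# Hypothetical asset root; the project's real directory layout is not on the page.
ASSET_ROOT = "/srv/posterizarr/assets"


def resolve_asset_path(root, user_path):
    """Join a user-supplied path onto the asset root and return the resolved
    absolute path, refusing anything that lands outside the root.

    Suitable for upload, delete and folder-browse handlers alike: the handler
    passes the raw path from the request and only touches the returned Path.
    """
    if "\x00" in user_path:
        raise ValueError("embedded null byte in path")
    root_resolved = Path(root).resolve()
    # Joining discards the root when user_path is absolute ("/etc/passwd"),
    # and resolve() collapses ".." segments and follows symlinks, so the
    # containment check below sees the real final location.
    candidate = (root_resolved / user_path).resolve()
    if candidate != root_resolved and root_resolved not in candidate.parents:
        raise ValueError(f"path escapes asset root: {user_path!r}")
    return candidate


def is_safe_asset_path(root, user_path):
    """Boolean form of resolve_asset_path, for quick checks and tests."""
    try:
        resolve_asset_path(root, user_path)
        return True
    except ValueError:
        return False


# Key / header names treated as secrets. Constructed for this example from the
# services named in the release notes; not the project's own list.
_SECRET_NAMES = (
    r"api[_-]?key|access[_-]?token|refresh[_-]?token|token|password|passwd"
    r"|secret|pin|x-plex-token"
)
# Matches name=value, name: value, "name": "value" and ?name=value forms.
# The lookbehind lets "plex_token=" match on "token"; the mandatory ':' or '='
# separator keeps prose like "Token refresh scheduled" out of the redactor.
_KV_PATTERN = re.compile(
    r"(?i)(?<![A-Za-z0-9])(" + _SECRET_NAMES + r")"
    r"([\"']?\s*[:=]\s*[\"']?)([^\s\"'&,;}]+)"
)
# Authorization: Bearer <token> headers.
_BEARER_PATTERN = re.compile(
    r"(?i)(authorization[\"']?\s*[:=]\s*[\"']?bearer\s+)([^\s\"'&,;}]+)"
)
REDACTED = "[REDACTED]"


def redact(line):
    """Mask secret values in one log line, keeping the key name and the
    surrounding punctuation so the line stays readable for support."""
    line = _KV_PATTERN.sub(lambda m: m.group(1) + m.group(2) + REDACTED, line)
    line = _BEARER_PATTERN.sub(lambda m: m.group(1) + REDACTED, line)
    return line


def redact_lines(lines):
    """Redact every line of a log before it goes into the support ZIP."""
    return [redact(line) for line in lines]


# Constructed sample log lines (not real output from the application).
SAMPLE_LOG = [
    "GET https://api.themoviedb.org/3/movie/603?api_key=abc123def456 -> 200",
    'Plex headers: {"X-Plex-Token": "xyz789", "Accept": "application/json"}',
    "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.payload.signature",
    "Jellyfin user login pin=4821 from 192.168.1.20",
    "Token refresh scheduled in 3600s",
]

if __name__ == "__main__":
    for raw, clean in zip(SAMPLE_LOG, redact_lines(SAMPLE_LOG)):
        print(f"{raw}\n  -> {clean}")
    for p in ["posters/matrix.jpg", "../../etc/passwd", "/etc/passwd"]:
        state = "ok" if is_safe_asset_path(ASSET_ROOT, p) else "rejected"
        print(f"{p!r}: {state}")
```

Two design points worth noting. The containment check compares resolved paths rather than inspecting the string for `..`, because a string check misses absolute paths and symlinked subdirectories that point outside the root. The redactor is deliberately key-driven and separator-driven: it will mask any `pin=` or `"secret": "..."` it sees regardless of where the line came from, but it will not touch bare words, so the trade-off is a small chance of over-masking rather than leaking a credential into a support bundle.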
🐛 Bug Fixes & Chores
- Fixed and tightened regex rules used for parsing media titles and masking URLs.
- Improved emoji-stripping rules for filename sanitation.
- Removed deprecated internal routing logic and optimized module imports.
What's Changed
- Sync Main to dev by @fscorrupt in #559
- chore(security): comprehensive security hardening and logging improvements. by @fscorrupt in #560
- fix: update postcss to resolve XSS vulnerability by @fscorrupt in #561
Full Changelog: 2.2.41...2.2.42