Security fixes
This release contains two low-severity security fixes:
- GHSA-gmgw-rcmh-7x47 reports potential cross-site side effects due to not applying sandboxing to iframes.
- GHSA-6wm6-3vpq-6qvv reports a possible CSRF vulnerability when using certain social login providers, because the `state` parameter is not used and checked.
Enhancements
- Add `enableUploads` (`CMD_ENABLE_UPLOADS`) config option to restrict uploads to `registered` users, `all` users, or `none` to completely disable uploads.
- Allow links to protocols such as xmpp, webcal or geo
- Switch from deprecated shortid to nanoid module, with 10 character long aliases in "public" links
- Ensure compatibility with Node 24
- Protect user history from accidental or malicious deletion by adding a CSRF-like token
- Many enhancements in the documentation at docs.hedgedoc.org
Bugfixes
- Ignore the healthcheck endpoint in the "too busy" limiter
- Send the referrer origin for YouTube embeddings, because YouTube requires it
- Force kill the server after a timeout when waiting for the realtime server to close connections on shutdown
- Secure iframes with `credentialless` and `sandbox` attributes
- Fix regexes for `[time=...]`, `[name=...]` and `[color=...]` shortcodes in lists
- Use `state` parameter for OAuth2 flows and PKCE where applicable
Node compatibility
- Support for Node 24 was verified. The docker image now uses Node 24 as its base image.