Freenet / Hyphanet 0.7.5 build 1505 is now available.
This release fixes a vulnerability in the progress bar of downloads via the web interface (fproxy).
The JavaScript code for updating the progress bar used the innerHTML property to show updates from the server without protecting these with a server key, so a finishing download could be interpreted as new content, injecting arbitrary code into the download page.
This code had existed since 2009. Nowadays you’d use server-sent events (SSE) or a WebSocket for this, but when the code was added, those were not available yet.
We removed the whole JavaScript file and will be removing more legacy JavaScript in future releases.
We are not aware of any exploit of this vulnerability.
Thank you for using Hyphanet!
- AB
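The class of bug described above, as an added example that is not Hyphanet's code (the release removed the script rather than rewriting it): a progress updater that assigns the server response to innerHTML, next to one that treats the update as validated data and writes it as text. The JSON fields `percent` and `status`, the function names and the `/progress` endpoint are assumptions made for this illustration.

```javascript
// Added illustration, not code from fproxy. All names here are hypothetical.

// Vulnerable pattern: whatever arrives from the server is parsed as HTML,
// so any markup inside the response becomes live DOM in the page.
function updateProgressUnsafe(container, responseText) {
  container.innerHTML = responseText;
}

// Hardened pattern, step 1: the update is data with a fixed shape.
// Anything that is not exactly that shape is dropped.
function parseProgressUpdate(raw) {
  let msg;
  try {
    msg = JSON.parse(raw);
  } catch (e) {
    return null; // not JSON (for example an HTML fragment): reject
  }
  if (msg === null || typeof msg !== "object") return null;
  if (typeof msg.percent !== "number" || !Number.isFinite(msg.percent)) return null;
  if (msg.percent < 0 || msg.percent > 100) return null;
  if (typeof msg.status !== "string" || msg.status.length > 200) return null;
  return { percent: Math.round(msg.percent), status: msg.status };
}

// Hardened pattern, step 2: write through properties that never parse HTML.
// `bar` stands for a <progress> element, `label` for a text container.
function updateProgressSafe(bar, label, raw) {
  const update = parseProgressUpdate(raw);
  if (update === null) return false; // keep the previous display
  bar.value = update.percent;
  label.textContent = update.status; // markup in status is shown as literal text
  return true;
}

// In a browser, the safe updater could be driven by server-sent events:
//   const source = new EventSource("/progress"); // hypothetical endpoint
//   source.onmessage = (e) => updateProgressSafe(bar, label, e.data);
```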
Developer changelog:
2026-02-08
Changes in 1505:
- Fix vulnerability in the download progress bar. Found, responsibly disclosed, and fixed by bertm. Thank you very much!
Bert Massop (1):
Remove progress page background fetching