github murtaza-nasir/speakr v0.10.2-alpha

4 hours ago

Speakr v0.10.2-alpha

This release closes a batch of coordinated security reports, upgrades the web framework to the Flask 3.x line, and adds contextual speaker labelling and pause/resume recording. Most instances upgrade with a plain image pull and no configuration change. One security fix changes a default that affects a specific SSO configuration; if you use SSO, please read the action-required note below before upgrading.


Action required for some SSO deployments

Verified-email enforcement is now on by default. Previously, an SSO login whose email claim matched an existing local account was linked and signed in even when the identity provider did not mark that email as verified. A malicious or misconfigured provider, or a public provider where a user can set an arbitrary email claim, could assert someone else's address and take over their local account (GHSA-w4q5-3526-j82j). The guard that refuses an unverified email was previously opt-in; it is now the default.

Who is affected: only deployments that use SSO with an identity provider that does not send an email_verified claim. Every other deployment, including all password-only and email/password instances, is unaffected and needs no action.

What to do: if your provider reliably sends email_verified, no action is needed. If your provider does not send that claim and you trust it, set the following before upgrading so your users can continue to sign in:

SSO_REQUIRE_VERIFIED_EMAIL=false

When this override is active, the application logs a warning at startup so the relaxed setting stays visible to operators. Most mainstream providers (Keycloak, Authentik, Pocket ID, Google, Microsoft Entra) send email_verified, so most SSO deployments will not need the override.


Security fixes

This release resolves three coordinated advisories reported through an AI-assisted open-source security review, plus two dependency-level denial-of-service issues.

  • SSO account takeover via unverified email (GHSA-w4q5-3526-j82j, Medium). Verified-email enforcement is now secure by default, as described above.

  • Stored cross-site scripting via tag color (GHSA-pp32-69wg-97h3, High). A group administrator could set a tag color or name that broke out of an HTML attribute on the account page and ran script in the session of every group member who viewed it. Tag colors are now validated server-side to strict hexadecimal values, and the client-side HTML escaping now also escapes quote characters, so a value can no longer break out of a quoted attribute. This closes the cross-privilege-boundary path from a group administrator to all group members.

  • Webhook server-side request forgery via DNS rebinding (GHSA-2m89-mxcv-gv93, Medium). The webhook dispatcher validated the target URL and then made a separate DNS lookup when connecting, leaving a time-of-check-to-time-of-use window an attacker could use to redirect delivery to an internal address. Delivery now verifies the address the socket actually connected to and aborts before sending the request body if that address is private, loopback, or link-local. The private-address test is shared between validation and the connect-time check so the two cannot disagree, and the explicit intranet allowlist still permits hosts you have deliberately allowed.

  • Multipart denial-of-service in Werkzeug (CVE-2023-46136 and CVE-2024-49767). Both are resolved by the framework upgrade described under Dependencies below.

New features

  • Contextual speaker labelling for engines without voice fingerprints. When automatic speaker labelling is enabled and the transcription engine returns diarized speakers without voice embeddings, Speakr now falls back to identifying speakers from the conversation itself and matching them against your saved speaker profiles. Voice-embedding matching remains the preferred path and runs whenever embeddings are available; the choice is made per recording. The label is constrained to your exact saved profile names, so the model cannot introduce a name you have not saved. The guidance the model follows is editable in the admin Default Prompts tab, and the prompt is laid out to remain prefix-cache friendly. For the most accurate speaker matching, the WhisperX ASR container remains the recommended engine.

  • Pause and resume in-app recording. Long recordings can now be paused and resumed from the recording view. Because pausing freezes the media timeline, breaks are excluded from the recording with no silent gap, which keeps the transcript focused on the actual content.

  • Case-insensitive account matching. Email addresses are normalized on write and matched case-insensitively across login, registration, password reset, administrative user management, and SSO. This fixes a sign-in failure that mobile autofill could cause by adding a trailing space, and it makes matching consistent regardless of letter case. A one-time migration lowercases existing stored addresses.

Fixes and improvements

  • Malformed browser recording uploads (#340). A recording assembled from browser chunks could occasionally be uploaded with its container header out of place, which caused server-side conversion to fail. Recording chunks are now written in a strictly ordered way so a crash-recovered recording keeps the correct order, and the server repairs a recording whose header is not at the front before giving up.

  • API documentation page (#337). The /api/v1/docs Swagger page rendered as a blank page under the security headers introduced in v0.10.1 because it loaded assets from a public CDN. Those assets are now served from the application itself, so the page renders under the default Content-Security-Policy with no configuration change.

  • Clearer transcription-failure messages. When the transcription engine returns an internal error, Speakr now shows a plain explanation with useful guidance rather than a raw internal traceback, and it strips terminal control codes that some engines include in their error output. The full technical detail remains available under the details panel.

  • Recording and chat interface polish. The upload split-button menu is now a proper popover consistent with the rest of the interface, and the chat input receives focus when the chat panel opens, so you can type immediately.

Dependencies

  • Flask upgraded to 3.1.0 and Werkzeug to 3.1.3. This moves Speakr onto the current framework line and closes both Werkzeug multipart denial-of-service issues (CVE-2023-46136 and CVE-2024-49767). No configuration or data changes are required; the upgrade is contained in the image. Existing sessions remain valid, so users are not signed out by the upgrade.

Upgrading

docker compose pull && docker compose up -d

If you use SSO with a provider that does not send an email_verified claim, set SSO_REQUIRE_VERIFIED_EMAIL=false first, as described in the action-required note above. All other deployments require no configuration change.

Credits

Thank you to the reporters who made this release possible: Patrick Cornelissen (KIberblick.de) for the coordinated security advisories and the dependency review, and to the community members who reported the recording upload, API documentation, and pause-recording issues. Careful, well-documented reports like these make the project safer for everyone.

Don't miss a new speakr release

NewReleases is sending notifications on new releases.