Caution
This release patches two high (CVE-2025-65027 and CVE-2025-65097) and one moderate (CVE-2025-65096) severity vulnerabilities. An attacker who already has an account (with any role) on the instance can, with a specially crafted link, gain full administrative control, create a new admin account, or escalate their own privileges. All previous versions are affected, and all server owners should update to this version as soon as possible.
As a precaution, users may be kicked out of their logged-in session when first accessing the app, editing a game or running a scan, which will regenerate session and CSRF cookies. This should only happen once.
Private or single-user instances are not at risk. Server owners should treat any links to RomM from users as suspicious. Further details will be published in 14 days to give server owners time to upgrade.
Minor changes
- [ROMM-2650] Add FPKGi support for PS4/PS5 by @gantoine in #2663
- Use internal SHA1 hash if CHD file is v5 by @sftwninja in #2678
- Add French translations for Metadata Sources page by @tvdu29 in #2684
- Add translations for ROM management dialogs by @tvdu29 in #2686
- Add Czech locale by @Slabak007 in #2693
Fixes
- Remove geon tinfoil releaseDate and let field_validator fix it by @gantoine in #2630
- [ROMM-2628] Fix deserialize job func_name by @gantoine in #2637
- [HOTFIX] Fix importing media from gamelist.xml by @gantoine in #2636
- [ROMM-2639][ROMM-2627] Stop running scans during migration by @gantoine in #2644
- [ROMM-2645] Wrap items in feeds with double quotes by @gantoine in #2647
- [ROMM-2648] Encode filename of download URLs in feeds endpoints by @gantoine in #2649
- [ROMM-2654] Fix manually uploading manual by @gantoine in #2661
- [HOTFIX] Set all v-avatar to text to remove flat background color by @gantoine in #2662
- [ROMM-2657] Safe access env vars with defaults by @gantoine in #2664
- [HOTFIX] _mask_sensitive_values should check for null values by @gantoine in #2670
- [ROMM-2669] Reset url_cover and url_manual to rom value if unchanged by @gantoine in #2671
- [HOTFIX] Fix flashpoint match by UUID by @gantoine in #2681
- [ROMM-2679] Stop force to string url_manual by @gantoine in #2682
- Fix multipart strings by @gantoine in #2688
- Fix CSRF failure on first admin signup by @gantoine in #2691
Other changes
- Bump fastapi, starlette and fastapi-pagination by @gantoine in #2634
- Corrects the indentation level of the "media" list in config.example.yml by @LouiseRipley in #2643
- Bump js-yaml from 4.1.0 to 4.1.1 in /frontend by @dependabot[bot] in #2659
- Add github action to update HLTB API url by @gantoine in #2683
- Implement CSRF middleware directly in repo by @gantoine in #2687
New Contributors
- @LouiseRipley made their first contribution in #2643
- @sftwninja made their first contribution in #2678
- @tvdu29 made their first contribution in #2684
- @Slabak007 made their first contribution in #2693
- @github-actions[bot] made their first contribution in #2689
Full Changelog: 4.4.0...4.4.1