Security Hotfix
This release fixes GHSA-vgj6-hcf2-fqf6, a path traversal / RBAC bypass in Headscale rename API calls.
Headplane now URL-encodes user-controlled node and user rename path segments before sending requests to Headscale. This prevents crafted rename values containing path traversal sequences from escaping the intended Headscale API endpoint.
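An added illustration of the encoding fix described above (not Headplane's own code): it compares the path an HTTP client resolves when a rename value is interpolated raw with the path it resolves when the value is encoded as a single segment. The host, the route shape and the sample values are assumptions constructed for this example; the dot-segment rejection is an extra check added here because encodeURIComponent leaves "." unchanged.

```javascript
// Added example. BASE and the route shape are assumptions, not taken from Headplane.
const BASE = "http://headscale.example"; // constructed host

// Pre-fix pattern: the user-controlled name is interpolated into the path as-is.
function renamePathUnsafe(nodeId, newName) {
  return `/api/v1/node/${nodeId}/rename/${newName}`;
}

// Encode a value so it can only ever occupy one path segment.
function encodeSegment(value) {
  const s = String(value);
  // encodeURIComponent does not touch ".", and URL parsers collapse dot segments,
  // so dot-only values are rejected outright (extra check added in this example).
  if (s === "" || s === "." || s === "..") {
    throw new Error("invalid path segment");
  }
  return encodeURIComponent(s); // "/" becomes %2F, "?" becomes %3F, "#" becomes %23
}

// Post-fix pattern: every user-controlled value goes through encodeSegment.
function renamePathSafe(nodeId, newName) {
  return `/api/v1/node/${encodeSegment(nodeId)}/rename/${encodeSegment(newName)}`;
}

// The path actually requested after WHATWG URL parsing, which is what fetch() uses.
function resolvedPath(path) {
  return new URL(path, BASE).pathname;
}

// True when the resolved path is still the rename route for that node
// and the new name is still a single trailing segment.
function staysOnRenameRoute(path, nodeId) {
  const prefix = `/api/v1/node/${encodeURIComponent(nodeId)}/rename/`;
  const resolved = resolvedPath(path);
  return resolved.startsWith(prefix) && !resolved.slice(prefix.length).includes("/");
}

const sample = "../../x"; // constructed rename value
console.log(resolvedPath(renamePathUnsafe("7", sample))); // leaves the rename route
console.log(resolvedPath(renamePathSafe("7", sample)));   // stays one literal segment
```

The same staysOnRenameRoute check can run as a unit test over every request builder that places user input in a path.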
Users running Headplane 0.6.2 or earlier should upgrade to 0.6.3.
Docker images:
ghcr.io/tale/headplane:0.6.3
ghcr.io/tale/headplane:latest
Thank you to @kah-ja for helping discover this.
Full Changelog: v0.6.2...v0.6.3