🔒 Mercure 0.24.2 is out, a security hardening release for the real-time hub.

It rejects SSE field injection (CWE-93) via the id and type fields, blocks forgery of the reserved /.well-known/mercure namespace, fixes a Last-Event-ID metadata leak, and caps element counts to defang DoS amplification.
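As an added illustration of the SSE field-injection class this release closes (example code, not Mercure's own): a minimal Go event serialiser that refuses CR or LF in the single-line `id` and `event` fields, because the SSE wire format treats a line break as the end of a field, so an unchecked id such as `42\nevent: admin` would be parsed by browsers as two separate fields. Function names here are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrFieldInjection is returned when a single-line SSE field (id, event)
// contains CR or LF, which would let a publisher smuggle extra fields (CWE-93).
var ErrFieldInjection = errors.New("sse: CR/LF in single-line field (CWE-93)")

// validateSSEField rejects values that would break out of an "id:" or
// "event:" line. A value like "1\nevent: admin" would otherwise reach the
// client as two fields: id "1" and event "admin".
func validateSSEField(v string) error {
	if strings.ContainsAny(v, "\r\n") {
		return ErrFieldInjection
	}
	return nil
}

// formatSSE serialises one event. id and eventType are validated; data may be
// multi-line because every line is re-prefixed with "data: ", which is the
// only way the SSE format permits line breaks inside a value.
func formatSSE(id, eventType, data string) (string, error) {
	if err := validateSSEField(id); err != nil {
		return "", fmt.Errorf("id: %w", err)
	}
	if err := validateSSEField(eventType); err != nil {
		return "", fmt.Errorf("type: %w", err)
	}
	var b strings.Builder
	if id != "" {
		fmt.Fprintf(&b, "id: %s\n", id)
	}
	if eventType != "" {
		fmt.Fprintf(&b, "event: %s\n", eventType)
	}
	// Normalise CRLF and lone CR to LF so no raw CR ever reaches the stream.
	norm := strings.ReplaceAll(strings.ReplaceAll(data, "\r\n", "\n"), "\r", "\n")
	for _, line := range strings.Split(norm, "\n") {
		fmt.Fprintf(&b, "data: %s\n", line)
	}
	b.WriteString("\n") // blank line terminates the event
	return b.String(), nil
}

func main() {
	out, _ := formatSSE("42", "message", "hello\nworld") // constructed sample event
	fmt.Print(out)
	_, err := formatSSE("42\nevent: admin", "message", "x") // constructed injection attempt
	fmt.Println("rejected:", err)
}
```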

Every hub operator should upgrade.

https://github.com/dunglas/mercure/releases/tag/v0.24.2

#opensource #mercure #realtime
