3.0.0-alpha.2
Pre-release
Security patch
The 3.0.0-alpha.1 release included a new HTTP client that utilizes the reqwest crate. By default, reqwest follows HTTP redirects. This allows a malicious OAuth2 authorization server to redirect token endpoint requests to arbitrary URLs, including internal addresses reachable from the client. Such a redirect can be used to mount an SSRF attack.
Versions prior to 3.0.0-alpha.1 are not affected. Users of 3.0.0-alpha.1 are encouraged to upgrade to 3.0.0-alpha.2 or a newer release and are discouraged from using any alpha release in a production environment.
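The defensive counterpart of the redirect behaviour described above, added here as an example and not code from the oauth2 crate or from reqwest: a redirect policy for token endpoint requests that follows only same-origin https redirects and refuses internal hosts outright, returning the reason so it can be logged. With reqwest this decision would sit in a `redirect::Policy::custom` closure, or redirects can be disabled altogether with `redirect::Policy::none()`, which a token endpoint client can usually afford; the URL parser and address classes below are a hand-rolled standard-library approximation, and all sample URLs are constructed.

```rust
use std::net::IpAddr;

/// Split an absolute http(s) URL into (scheme, host, port); None if it is not one.
fn origin(url: &str) -> Option<(String, String, u16)> {
    let (scheme, rest) = url.split_once("://")?;
    let scheme = scheme.to_ascii_lowercase();
    let default_port: u16 = match scheme.as_str() { "https" => 443, "http" => 80, _ => return None };
    let authority = rest.split(|c: char| c == '/' || c == '?' || c == '#').next()?;
    let hostport = authority.rsplit('@').next()?; // drop any userinfo
    let (host, port) = if let Some(v6) = hostport.strip_prefix('[') {
        let (h, p) = v6.split_once(']')?; // bracketed IPv6 literal
        let port = match p.strip_prefix(':') { Some(p) => p.parse::<u16>().ok()?, None => default_port };
        (h.to_string(), port)
    } else if let Some((h, p)) = hostport.rsplit_once(':') {
        (h.to_string(), p.parse::<u16>().ok()?)
    } else {
        (hostport.to_string(), default_port)
    };
    Some((scheme, host.to_ascii_lowercase(), port))
}

/// Hosts a server-side OAuth2 client must never be steered to: loopback, unspecified, RFC 1918 / ULA, link-local, localhost.
fn is_internal_host(host: &str) -> bool {
    match host.parse::<IpAddr>() {
        Ok(IpAddr::V4(ip)) => ip.is_loopback() || ip.is_unspecified() || ip.is_private() || ip.is_link_local(),
        Ok(IpAddr::V6(ip)) => ip.is_loopback() || ip.is_unspecified()
            || (ip.segments()[0] & 0xfe00) == 0xfc00 || (ip.segments()[0] & 0xffc0) == 0xfe80, // fc00::/7, fe80::/10
        Err(_) => host == "localhost" || host.ends_with(".localhost"),
    }
}

/// Redirect policy for token endpoint requests: same-origin https only, never an internal host. Err carries the reason.
fn redirect_allowed(token_endpoint: &str, location: &str) -> Result<(), String> {
    let from = origin(token_endpoint).ok_or("token endpoint is not an absolute http(s) URL")?;
    let to = origin(location).ok_or("redirect target is not an absolute http(s) URL")?;
    if to.0 != "https" { return Err(format!("refusing redirect to {} scheme", to.0)); }
    if is_internal_host(&to.1) { return Err(format!("refusing redirect to internal host {}", to.1)); }
    if to != from { return Err(format!("refusing cross-origin redirect to {}:{}", to.1, to.2)); }
    Ok(())
}

fn main() {
    let endpoint = "https://auth.example.com/oauth/token"; // constructed sample endpoint and Location values
    for loc in ["https://auth.example.com/v2/token", "http://127.0.0.1:8080/admin", "https://attacker.example.net/"] {
        println!("{loc}: {:?}", redirect_allowed(endpoint, loc));
    }
}
```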
Thanks to @d0nutptr for helping to discover this issue!