NOTICE! Upgrade SVR.JS to 3.10.2/3.4.34 or newer
Posted: September 7th, 2023, 11:24 pm
ATTENTION! Upgrade SVR.JS to 3.10.2, 3.4.34 LTS or newer!
We have discovered more security vulnerabilities, this time in SVR.JS itself. We have patched SVR.JS, and we recommend upgrading your SVR.JS web server to a patched version immediately.
Patched versions:
- SVR.JS 3.9.2 and newer
- SVR.JS 3.4.30 LTS and newer
Unpatched versions didn’t properly sanitize URLs for SVR.JS mods and server-side JavaScript, leaving them vulnerable. You can view our security advisory.
UPDATE: We have discovered and mitigated even more security vulnerabilities in SVR.JS itself. We recommend upgrading your SVR.JS web server to a patched version immediately.
Patched versions:
- SVR.JS 3.9.3 and newer
- SVR.JS 3.4.31 LTS and newer
Unpatched versions didn’t properly enforce access control for non-proxy SVR.JS mods and server-side JavaScript, leaving them vulnerable. You can view our security advisory.
UPDATE 2: We have discovered and mitigated further security vulnerabilities in SVR.JS itself. We recommend upgrading your SVR.JS web server to a patched version immediately.
Patched versions:
- SVR.JS 3.9.6 and newer
- SVR.JS 3.4.34 LTS and newer
UPDATE 3: SVR.JS versions from 3.9.6 to 3.10.1 had a bug that caused mods to load in the wrong order. The bug is related to the mitigation for the mod access control vulnerability. It didn’t affect LTS versions and is fixed in SVR.JS 3.10.2.