We have discovered more security vulnerabilities, this time in SVR.JS itself. We have patched SVR.JS, and we recommend upgrading your SVR.JS web server to a patched version immediately.
Patched versions:
- SVR.JS 3.9.2 and newer
- SVR.JS 3.4.30 LTS and newer
Unpatched versions didn’t properly sanitize URLs for SVR.JS mods and server-side JavaScript, leaving them vulnerable. You can view our security advisory.
UPDATE: We have discovered and mitigated even more security vulnerabilities in SVR.JS itself. We recommend upgrading your SVR.JS web server to a patched version immediately.
Patched versions:
- SVR.JS 3.9.3 and newer
- SVR.JS 3.4.31 LTS and newer
Unpatched versions didn’t properly enforce access control for non-proxy SVR.JS mods and server-side JavaScript, leaving them vulnerable. You can view our security advisory.
UPDATE 2: We have discovered and mitigated further security vulnerabilities in SVR.JS itself. We recommend upgrading your SVR.JS web server to a patched version immediately.
Patched versions:
- SVR.JS 3.9.6 and newer
- SVR.JS 3.4.34 LTS and newer
UPDATE 3: SVR.JS versions from 3.9.6 to 3.10.1 had a bug that caused mods to load in the wrong order. The bug is related to the mitigation for the mod access control vulnerability. It didn’t affect LTS versions and is fixed in SVR.JS 3.10.2.