v0.2.15 - Security Release - Erugo Release Notes

Erugo

A powerful, self-hosted file-sharing platform built with PHP and Laravel with a Vue.js frontend. It offers secure, customizable file-transfer capabilities through an elegant user interface, giving you complete control over your data while providing a seamless experience for both senders and recipients.

Security Release

This release fixes critical path traversal vulnerabilities that could allow authenticated users to write files to arbitrary locations on the server, leading to Remote Code Execution (RCE).

Security Fixes

UploadsController: Sanitize filePaths input and validate resolved paths stay within share directory
TusdHooksController: Sanitize bundle manifest paths and validate extraction paths
EmailTemplatesController: Validate template IDs to prevent path traversal

Security Advisory

Advisory: GHSA-336w-hgpq-6369
Severity: Critical
Affected versions: <=0.2.14

Upgrade Instructions

All users running Erugo v0.2.14 or earlier should upgrade immediately.

Credits

Thanks to Leon Phan of AWARE7 GmbH for responsibly disclosing this vulnerability.

Erugo

Related Projects

mapbox-navigation-android

ToastFish

barcodelib

haze

v0.2.15 - Security Release