Security Announcements

Reporting

To give the community time to respond and upgrade, we strongly urge you to report all security issues privately. Please email us at security@hangfire.io with details and we will respond ASAP. Security issues always take precedence over bug fixes and feature work.

Security Newsletter

Subscribe to receive security announcements by email as soon as possible. Very low traffic, unsubscribe at any time.

Hangfire 1.7.26

This security patch fixes a regression that appeared in the previous version, 1.7.25, and that makes the Dashboard UI available for remote requests in the default configuration, e.g. when no authentication filter is specified. Please note that when a custom authentication filter is defined as recommended in the documentation, everything works as expected, but upgrading is recommended in any case. Please read the GHSA-7rq6-7gv8-c37h security advisory for details.


Unaffected by Codecov Breach

On Apr 15, 2021, the Codecov (code coverage tool) team published the Bash Uploader Security Update post, in which they describe their recent security breach, yet another attack on the supply chain. Since we have used this software for Hangfire in the past, and since it’s still used by one of our projects, Cronos, we set out to understand what happened. In short: we used the Codecov tool from PyPI (Python Package Index), which is different from the Bash Uploader one and is unaffected by the recent breach, according to the Codecov team.


Hangfire 1.7.3 and 1.6.26

This version contains security fixes to prevent possible XSS attacks as described in #1441. They don’t relate to user data submitted to Hangfire directly via method arguments, but it’s recommended to upgrade anyway. If you are using Hangfire 1.6, please upgrade to version 1.6.26 instead.


Hangfire 1.6.20

This release contains fixes for security issues related to the dashboard, so upgrading is highly recommended. Cross-Site Request Forgery protection was added by using existing libraries, but the methods differ across application frameworks:


Hangfire.Pro.Redis 1.4.2

This release fixes a security issue that caused Redis passwords to leak to log targets during Hangfire Server startup. The password was also shown in the dashboard. If you are using password-protected Redis, it is highly recommended to update to this release and change the Redis password.
