fix: patch critical and high security vulnerabilities #7

Merged: fcsonline merged 3 commits into main from fix/security-critical-high on Apr 21, 2026


@fcsonline (Owner)

Summary

  • CRITICAL: Remove hardcoded JWT secret fallback — require JWT_SECRET (>=32 chars) in cloud mode; warn in self-hosted dev mode
  • HIGH: Add authMiddleware to KMZ generate route (was completely unprotected)
  • HIGH: Add authMiddleware + user_id ownership check to KMZ download route (was an IDOR vulnerability — any user could download any mission by ID)
  • HIGH: Restrict CORS to CORS_ORIGIN env var when set (was open * to all origins)
  • Sanitize error responses in KMZ routes (stop leaking err.message to clients)

- Remove hardcoded JWT secret fallback; require JWT_SECRET (>=32 chars) in cloud mode, warn in self-hosted dev mode
- Add authMiddleware to KMZ generate route (was completely unprotected)
- Add authMiddleware + user_id ownership check to KMZ download route (was an IDOR vulnerability)
- Restrict CORS to CORS_ORIGIN env var when set (was open to all origins)
- Sanitize error responses in KMZ routes (stop leaking err.message to clients)

fcsonline added the skip-changelog label (Skip changelog requirement for this PR) on Apr 21, 2026
fcsonline merged commit 4edec9b into main on Apr 21, 2026
9 checks passed
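
The secret check and the download ownership check listed in the summary, sketched as an added example (not code from this PR or repository). The function names, the `mode` values, the mission record shape and the choice of answering 404 for another user's mission are assumptions.

```javascript
// Added illustration, not the project's code. Function names, `mode` values,
// the mission shape and the 404-for-foreign-mission choice are assumptions.

// Startup check: there is no built-in fallback secret. Cloud mode refuses to
// start without a JWT_SECRET of >= 32 chars; self-hosted mode only warns.
function checkJwtSecret(env, mode) {
  const secret = env.JWT_SECRET || "";
  const ok = secret.length >= 32;
  if (!ok && mode === "cloud") {
    throw new Error("JWT_SECRET (>= 32 chars) is required in cloud mode");
  }
  return { secret: secret || null, warning: ok ? null : "weak or missing JWT_SECRET" };
}

// Download decision, run after authentication has produced `userId`.
// Another user's mission is answered like a missing one, and internal errors
// are logged server-side while the client gets a fixed message.
function authorizeDownload(userId, missionId, loadMission, log = console.error) {
  if (!userId) return { status: 401, body: { error: "Authentication required" } };
  let mission;
  try {
    mission = loadMission(missionId);
  } catch (err) {
    log("KMZ download failed:", err); // detail stays in server logs
    return { status: 500, body: { error: "Failed to download KMZ" } };
  }
  if (!mission || mission.user_id !== userId) {
    return { status: 404, body: { error: "Mission not found" } };
  }
  return { status: 200, body: mission.kmz };
}

// Constructed sample store and callers.
const missions = new Map([
  ["m1", { user_id: "alice", kmz: "alice-kmz" }],
  ["m2", { user_id: "bob", kmz: "bob-kmz" }],
]);
const loadMission = (id) => {
  if (id === "boom") throw new Error("constructed internal detail");
  return missions.get(id);
};
console.log(authorizeDownload("alice", "m1", loadMission).status);
console.log(authorizeDownload("alice", "m2", loadMission).status);
console.log(authorizeDownload("alice", "boom", loadMission, () => {}).body);
```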