
webp 0day

    RootZombie

    Hey guys,

    Have you seen this : ?

    Possible that you need to check for Electron’s update (and maybe other libs w/ some img management?) to provide an update of Publii embarking the security fixes once they’re published.


    Tomasz Dziuda


    Thank you for mentioning this.

    Tomorrow we want to publish files of Publii v.0.43 and fortunately, as I see, two dependencies will solve this issue (Electron and sharp) – they will be upgraded to the newest possible versions.

    Fortunately, due to Publii's nature, this bug has limited impact, because firstly the user has to use a WebP image from an untrusted source. I do not see a way to evaluate it remotely as e.g. in 1Password, where some other user from the shared vault could change a vault image to an affected one and then attack other users of the vault.
