DockFlare v2.1.6 - Security Hardening & The Dawn of Animated Logos #208

ChrispyBacon-dev · 2025-08-24T15:46:45Z

ChrispyBacon-dev
Aug 24, 2025
Maintainer

This release bundles security enhancements from v2.1.6 with the feature and bug fixes from the previously unreleased v2.1.5.

The security vulnerabilities were identified by GitHub's automated Dependabot and code scanning services.

It's time to start thinking in tunnels. The old DockFlare logo has been retired and replaced with a brand new animated version in the web UI.

This release resolves several security issues to harden the application and its deployment pipeline.

Dependency Vulnerability: Patched an outdated brace-expansion npm package by updating it to version 2.0.2, addressing a CVE related to inefficient regex.
Path Injection: The /help/<path:page> route was hardened against path traversal attacks by implementing stricter path validation using os.path.abspath.
Open Redirect: The login redirect mechanism was secured by validating the next parameter, preventing redirects to external, malicious sites.
Information Exposure: Prevented the leakage of sensitive exception details and stack traces in API/JSON responses for the /cloudflare-ping, /debug, and /api/v2/debug-info endpoints.
Insecure CI/CD Workflow: To adhere to the principle of least privilege, permissions for the GitHub Actions workflow have been explicitly restricted to contents: read.

New - Help Documentation: A comprehensive help section has been added to the web UI, providing users with easy access to documentation and guides.
Fixed - Country Dropdown Menu: An issue where the country dropdown menu in the Access Group modal was limited to 50 entries has been resolved.
Fixed - UI Refinements: Various minor refinements were made to the web UI for improved usability and a more polished user experience.

As always, thank you for using DockFlare and for your feedback!

Cheers, Chris

This discussion was created from the release DockFlare v2.1.6 - Security Hardening & The Dawn of Animated Logos.