SECURITY: [Homarr] Hijacked Dependency #6115
CrazyWolf13
announced in
Announcements
Hi,
Forwarding an important note from the Homarr team.
An upstream dependency has been hijacked and malicious binaries have been injected. It affects Windows only and is executed in development mode only. Upgrade as soon as possible to 1.30.0. The target of the binary is RCE. Most systems will be unaffected; it mainly targeted developers. We are still looking into further steps, possibly deleting 1.29.x from the registry.
See GHSA-r44g-gjcw-rvc6
Further information at https://www.endorlabs.com/learn/cve-2025-54313-eslint-config-prettier-compromise----high-severity-but-windows-only
1.30.0 contains other changes, we are still working on this...
Update: We have deleted 1.29.0 from the registry. The hash is still available.
Source: https://discord.com/channels/972958686051962910/974370615752531988/1396787392345542686
According to their team, only Windows users in developer environments are affected, so most likely no one on community-scripts Linux was affected, but we thought it's still important to let our userbase know too.
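A practical check for anyone who does develop on a Homarr checkout, added here as an example and not code from the Homarr team or the community-scripts project: a Python script that walks an npm package-lock.json (lockfileVersion 2 or 3), reports every installed copy of a watched package, and flags versions on a denylist you fill in from the linked advisory, as well as any entry carrying "hasInstallScript": true, the field npm writes into the lockfile when a package declares install scripts (a lint config package has no business running one). The sample lockfile, the placeholder version 9.9.9-example and the package names other than eslint-config-prettier are constructed for the example.

```python
"""Audit an npm package-lock.json for a hijacked dependency.

Added example, not code from Homarr or community-scripts. Reads the
"packages" map of an npm lockfile (lockfileVersion 2 or 3) and reports every
installed copy of the packages you care about, flagging:
  * versions on a caller-supplied denylist (take these from the advisory), and
  * entries with "hasInstallScript": true, which npm records when a package
    declares preinstall/install/postinstall scripts.
"""
import json
import sys

# Constructed sample lockfile, not from any real project. It holds a clean copy
# of eslint-config-prettier and a nested copy whose version "9.9.9-example" is
# a placeholder standing in for a compromised release.
SAMPLE_LOCK = json.loads("""
{
  "name": "example-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "example-app", "version": "0.0.1"},
    "node_modules/eslint-config-prettier": {
      "version": "9.0.0", "dev": true
    },
    "node_modules/some-tool/node_modules/eslint-config-prettier": {
      "version": "9.9.9-example", "dev": true, "hasInstallScript": true
    },
    "node_modules/left-pad": {"version": "1.3.0"}
  }
}
""")


def package_name(path):
    """Map a lockfile key to the package it installs, e.g.
    'node_modules/a/node_modules/@scope/b' -> '@scope/b'."""
    return path.rsplit("node_modules/", 1)[-1]


def scan_lockfile(lock, watch, denied):
    """Return one finding per installed copy of a watched package.

    watch:  set of package names to report on
    denied: {package name: set of version strings known to be malicious}
    """
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if path == "":          # the root project entry, not a dependency
            continue
        name = package_name(path)
        if name not in watch:
            continue
        version = meta.get("version", "")
        reasons = []
        if version in denied.get(name, set()):
            reasons.append("denylisted version")
        if meta.get("hasInstallScript"):
            reasons.append("has install script")
        findings.append({
            "path": path,
            "name": name,
            "version": version,
            "dev": bool(meta.get("dev")),   # dev-only install, as in this advisory
            "reasons": reasons,
        })
    return findings


def has_flagged(findings):
    """True if any finding carries at least one reason to worry."""
    return any(f["reasons"] for f in findings)


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            lock = json.load(fh)
    else:
        lock = SAMPLE_LOCK
    watch = {"eslint-config-prettier"}
    # Fill in the versions listed in the advisory; the placeholder below only
    # matches the constructed sample above.
    denied = {"eslint-config-prettier": {"9.9.9-example"}}
    findings = scan_lockfile(lock, watch, denied)
    for f in findings:
        flag = "FLAGGED" if f["reasons"] else "ok"
        dev = " (dev)" if f["dev"] else ""
        tail = ": " + ", ".join(f["reasons"]) if f["reasons"] else ""
        print(f"{flag:8} {f['name']}@{f['version']}{dev} at {f['path']}{tail}")
    return 1 if has_flagged(findings) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python audit_lock.py path/to/package-lock.json`; it exits non-zero when anything is flagged, so it can sit in CI. Nested copies under another package's node_modules are reported too, which matters because a transitive dependency can pin a different version than the one at the top level.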