Releases: cisagov/thorium
1.6.1
1.6.0
What's changed in Thorium!
[1.6.0] - 2026-03-04
🚀 Features
- (UI) Added burstable resource and version within create and edit images - (35feb63)
- (agent) Added support for passing in the result-files path as an arg - (9742d55)
- (client) Added from keys/CtlConf for sync/python clients - (180ca9d)
- (client) Added files listing and count to Python client - (cb86afe)
- (operator) Allows the operator to add nodes to Thorium - (3ba0a28)
- (operator) Added support for using MCP in multi API pod clusters - (73ee1ff)
- (thoradm) Added entities, associations, and notifications to backup - (ea262e6)
- (ui) Tag Select Component - (4aa9923)
🐛 Bug Fixes
- (api) Fixed issue where s3 objects were not removed when samples were deleted - (f17cd2d)
- (api) Lowered tree cursor expiration to 3 days - (3adb405)
- (ci/cd) Fixed issue with building the Thorium docker image - (d334a4d)
- (scaler) Fixed issue where some images would not be scheduled - (c583140)
- (ui) Fixed admin role check during initial page load - (b7fc1a5)
- (ui) Removing partial entry duplicate in SelectInputArray - (f614bd8)
- (ui) Fixed missing vendors from device entities dropdown - (a9566fb)
1.5.1
1.5.0
What's changed in Thorium!
[1.5.0] - 2025-12-26
🚀 Features
- (agent) Added support for passing samples to jobs by file name - (c013018)
- (api) Allows for burstable resources - (1da2218)
- (api) Improved performance of tree generation/growing by 5x - (722b1a4)
- (api) Added support for Reaction cache - (9630315)
- (api) Improved performance of count by ~3x - (923e1ec)
- (client) Fixed sync client and added basic Python client - (4302aa8)
- (thorctl) [breaking] Improved results upload command - (f5925de)
- (thorctl) Added --no-limit option for reactions commands - (75c036a)
- (thorctl) Added results only option and result file filters - (cd22f05)
- (thorctl) Added AI chat feature to thorctl - (21d9aba)
- (ui) Added entity support - (cfba42b)
- (ui) Added circle and concentric graph layouts - (d43b2f5)
🐛 Bug Fixes
- (api) Fixed integration tests and incorrect client identify route - (f168615)
- (api) Fixed parsing error when tag key begins with number - (408d2b5)
- (api) [breaking] Fixed issue where trees would be missing branches - (6681242)
- (scaler) Fixed issue where the k8s scaler would not use config options - (5e897d5)
1.4.0
What's changed in Thorium!
[1.4.0] - 2025-12-08
🚀 Features
- (agent) Added support for configuring the agent to linger for a bit - (1229e1f)
- (api) Added support for adding graphics to entities - (c5e723e)
- (api) Add initial MCP support to Thorium - (ac2f957)
- (api) Added beta support for counting files and their tags - (577bb3b)
- (megathor) Added stand alone Ansible k8s deployment playbook - (a925237)
- (operator) [breaking] Added support for setting host aliases in Thorium components - (b2b00bd)
- (scaler) Added support for disabling proxy settings for the k8s scaler - (8f4ac6b)
- (thoradm) Added network policies to backup - (59e3650)
- (thorctl) Added group override option for toolbox import - (8bf0243)
- (thorctl) Added support for generating AI summaries of samples - (3c11d56)
- (thorctl) Added support for updating tools with toolbox - (8950fbb)
- (thorctl) Improved files upload handling - (e2302e4)
- (thorctl) Added quiet mode to thorctl - (df65113)
- (thorctl) Added option to export image/pipeline configs only - (e2b09c2)
- (tools) Added byte-frequency tool - (a5c2871)
- (ui) Added stats sidebar nav button for users - (10eecee)
- (feature) Added autovolatility3 and cve-bin-tool-sbom - (c0024f4)
🐛 Bug Fixes
- (agent) Fixed issue where the agent incorrectly required results - (83f3110)
- (api) Fixed issue where the api could skip items when listing by tags - (78d7107)
- (api) Fixed issue where listing with tags was missing data - (1c00742)
- (cart-rs) Fixed incorrect header format - (2a6fe4e)
- (client) Fixed missing params in network policy update requests - (01aa2a0)
- (event-handler) Fixed issue where event handler spammed the API for events - (e255768)
- (operator) Fixed issue where operator would sometimes see api errors - (7d36773)
- (scaler) [breaking] Fixed issue where the scaler would only do fair share scheduling - (02d1caf)
- (search-streamer) Added document truncation - (d5555ef)
- (thorctl) Added validation of pipeline image orders on toolbox import - (3e18166)
- (thorctl) Fixed issue where thorctl reaction list limit was ignored - (daf6b35)
- (thorctl) Fixed issue where descriptions overran onto multiple lines - (a07f8dc)
- (tools) Patched Exiftool and Autovolatility path errors - (50c91e1)
- (fix) Added optional operator registry auth - (acc45b8)
- (fix) Update reaction status after deletion - (d59f01d)
⚙️ Miscellaneous Tasks
- Updated cargo files to allow for crates.io publish - (2149ad6)
1.3.1
1.3.0 - Thorium Toolbox Support
What's changed in Thorium!
[1.3.0] - 2025-10-17
Thorctl toolbox support allows for the quick import of over 40 images and 20
pipelines into your Thorium instance. Some examples of images you can import
are:
- binwalk
- capa
- clamav
- cwe-checker
- email-parser
- floss
- foremost
- ssdeep
- quantumstrand
- xortool
- zeek-dump
This also resolves some issues with running Thorium in AWS surrounding bucket creation.
🚀 Features
- (operator) Added support for skipping automatic bucket creation - (451e60c)
- (thorctl) Added toolbox import functionality - (c837004)
🐛 Bug Fixes
- (api) Fixed issue where the api may panic when sending emails - (67ad9fc)
- (api) Readded non zero split fix - (89101a6)
- (api) Fixed issue that required transparent rewrites for the UI - (ada19c6)
- (event) Fixed issue where the event handler was needlessly spammy - (5b503ba)
⚙️ Miscellaneous Tasks
- (readme) Added toolbox info to the FAQ - (fb63c83)
1.1.2
Fixed several bugs in Thorium
🐛 Bug Fixes
- (operator) Fixed issue where the config could not be made into a CRD
- (scaler) Scalers now only request details on clusters they care about
- (agent) Fixed issue where the agent was not injecting kwargs correctly
- (api) Fixed issue where the API was incorrectly rejecting result paths
Change Details
fix(agent): Fixed issue where the agent was not injecting kwargs correctly
This was causing the agent to add a list of values after each kwarg instead of repeating the kwarg for each value. This means Thorium will now use --kwarg <value> --kwarg <value> instead of --kwarg <value> <value>.
fix(api): Fixed issue where the API was incorrectly rejecting result paths
This was due to an incorrect check for '..' in file paths.
fix(operator): Fixed issue where the config could not be made into a CRD
This was caused by an enum having different types for each branch. The downside of this fix is that our config does allow someone to configure certificate validation settings while also disabling certificate validation. That could lead to some confusing scenarios where you think validation is enabled but it's not.
fix(scaler): Scalers now only request details on clusters they care about
This helps resolve issues where the scaler tries to get info on clusters that it cannot and will not schedule on. Closes #31
1.1.1
Fix(api): Fixed several vulnerabilities in Thorium
None of these issues allow for RCE or privilege escalation.
Result File Path Normalization
The API was not validating that uploaded result file paths are not
absolute paths and do not contain any '..' components. This was not
exploitable because:
- Some S3 servers (MinIO and Ceph were tested) do not allow '..' in paths
- The agent panics when downloading files with an absolute path
- Thorctl nests the absolute path in its relative path and returns an error
Regardless, this has been resolved, and Thorium now validates and rejects
any absolute path, and any path in which a component consists only of
'.' characters.
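As an added example (not Thorium's own code), here is a Rust check that enforces the rule just described: it rejects absolute paths and any path component made up only of dots. The `PathError` type and `validate_result_path` name are this example's own; the sample paths in `main` are constructed.

```rust
use std::path::Path;

/// Reason a submitted result path was rejected (names are this example's own).
#[derive(Debug, PartialEq, Eq)]
pub enum PathError {
    Empty,
    Absolute,
    DotOnlyComponent(String),
}

/// Validate a result file path before it is used as an object key or written
/// to disk: reject absolute paths and any component made up only of '.'
/// characters. Both '/' and '\' are treated as separators so the outcome does
/// not depend on which OS the API or the uploading client runs on.
pub fn validate_result_path(raw: &str) -> Result<(), PathError> {
    if raw.is_empty() {
        return Err(PathError::Empty);
    }
    // Leading separator, or anything the host OS itself considers absolute.
    if raw.starts_with('/') || raw.starts_with('\\') || Path::new(raw).is_absolute() {
        return Err(PathError::Absolute);
    }
    // A drive-letter prefix ("C:\...") only counts as absolute on Windows hosts,
    // so check for it explicitly rather than trusting Path::is_absolute.
    let bytes = raw.as_bytes();
    if bytes.len() >= 2 && bytes[0].is_ascii_alphabetic() && bytes[1] == b':' {
        return Err(PathError::Absolute);
    }
    for part in raw.split(|c| c == '/' || c == '\\') {
        // "a//b" yields an empty component; it carries no traversal, so skip it.
        if part.is_empty() {
            continue;
        }
        // ".", "..", "..." and so on: every character is a dot.
        if part.chars().all(|c| c == '.') {
            return Err(PathError::DotOnlyComponent(part.to_string()));
        }
    }
    Ok(())
}

fn main() {
    // Constructed sample paths, one per outcome.
    for candidate in ["results/strings.txt", "/etc/passwd", "out/../../key", "./x", ".hidden/ok"] {
        println!("{candidate:?} -> {:?}", validate_result_path(candidate));
    }
}
```

Run the check on the path exactly as the API will use it, after any URL or form decoding the route performs; validating the encoded form and decoding afterwards would let an encoded `..` through. Names that merely start with a dot (`.hidden`) are accepted, since only all-dot components are traversal or current-directory references.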
LDAP Injection
Thorium was not escaping user-controlled strings that it sent to LDAP.
This would allow attackers to perform LDAP injection if they can add
metagroups to groups. In order to perform this attack, an attacker
would already need the permissions to modify group permissions at will.
Thorium now properly escapes user-controlled strings sent to LDAP.
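As an added example (not Thorium's own code), the following Rust shows what that escaping looks like for an LDAP search filter, with the unescaped filter builder beside the hardened one. The filter shape `(&(objectClass=group)(cn=...))` and the function names are this example's assumptions; the hostile input in `main` is constructed.

```rust
/// Escape a value for use inside an LDAP search filter (RFC 4515, section 3):
/// each byte with structural meaning becomes a backslash plus two hex digits.
/// Non-ASCII bytes are escaped the same way, which the RFC also permits.
pub fn escape_ldap_filter_value(input: &str) -> String {
    let mut out = String::with_capacity(input.len());
    for &b in input.as_bytes() {
        match b {
            b'*' | b'(' | b')' | b'\\' | 0x00 => out.push_str(&format!("\\{:02x}", b)),
            0x80..=0xff => out.push_str(&format!("\\{:02x}", b)),
            _ => out.push(b as char),
        }
    }
    out
}

/// The vulnerable shape: the caller's string goes straight into the filter,
/// so a value containing ')' or '*' can rewrite the filter's logic.
pub fn group_filter_unescaped(group_cn: &str) -> String {
    format!("(&(objectClass=group)(cn={}))", group_cn)
}

/// The hardened shape: the same filter with the value escaped first, so the
/// caller's string can only ever be matched as a literal cn value.
pub fn group_filter(group_cn: &str) -> String {
    format!("(&(objectClass=group)(cn={}))", escape_ldap_filter_value(group_cn))
}

fn main() {
    // Constructed attacker input: closes the cn= term and adds a match-all term.
    let hostile = "*)(objectClass=*";
    println!("unescaped: {}", group_filter_unescaped(hostile));
    println!("escaped:   {}", group_filter(hostile));
}
```

Unescaped, the hostile value turns the filter into `(&(objectClass=group)(cn=*)(objectClass=*))`, which matches every group. Filter escaping is not the same as DN escaping: a value placed into a distinguished name (RFC 4514) needs a different set of escapes, so pick the routine by where the string ends up.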
Spam Verification Emails For Unverified Users
Thorium was not limiting how often verification emails could be resent
to unverified users in systems that have email verification configured.
This means that if an attacker knew a user's username and that user had
not yet verified their email, they could spam them with emails. Only the
verification email would be sent, so this does not allow an attacker to
send arbitrary emails. Thorium now allows admins to set a rate limit
value, which currently defaults to allowing an email to be resent only
every 10 minutes.
Token Not Rotating When Resetting Passwords
Thorium was generating a new token but not saving it when updating a
user's password. This meant that if a user was updating their password
because a password or token had been leaked, Thorium did not properly
revoke all prior access. This is only relevant to LDAP-enabled Thorium
clusters. Thorium now saves the new token on password updates.
Disabled TLS Verification To Elasticsearch
Thorium was not allowing users to configure how they want to validate
the certificate presented by Elasticsearch and was defaulting to not
verifying it. This option is now configurable.
Divide By Zero When Getting Streams
If a user set a split of 0 when getting streams, the request would panic
due to a divide-by-zero error. This has been resolved by requiring a
NonZeroU64 instead of a u64.
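As an added example (not Thorium's own code), here is the shape of that fix in Rust: the `split` parameter is parsed into a `NonZeroU64` at the request boundary, so the range arithmetic can never divide by zero and a zero is rejected with an error instead of a panic. The `parse_split` and `stream_ranges` functions, the `SplitError` type and the range layout are this example's assumptions, not the API's actual stream code.

```rust
use std::num::NonZeroU64;

/// Why a `split` parameter was rejected (names are this example's own).
#[derive(Debug, PartialEq, Eq)]
pub enum SplitError {
    NotANumber,
    Zero,
}

/// Parse a `split` request parameter. Rejecting zero here, at the edge of the
/// API, means the arithmetic below can take a NonZeroU64 and never divide by
/// zero: the type makes the bad value unrepresentable instead of checked late.
pub fn parse_split(raw: &str) -> Result<NonZeroU64, SplitError> {
    let n: u64 = raw.trim().parse().map_err(|_| SplitError::NotANumber)?;
    NonZeroU64::new(n).ok_or(SplitError::Zero)
}

/// Cut `total` stream entries into `split` contiguous half-open ranges.
/// The final range absorbs any remainder; if `split` exceeds `total`, some
/// leading ranges are empty and callers can skip them.
pub fn stream_ranges(total: u64, split: NonZeroU64) -> Vec<(u64, u64)> {
    let parts = split.get();
    let size = total / parts; // parts >= 1 by construction, so this cannot panic
    (0..parts)
        .map(|i| {
            let start = i * size;
            let end = if i + 1 == parts { total } else { start + size };
            (start, end)
        })
        .collect()
}

fn main() {
    // Constructed request values: the old panic case and a normal one.
    match parse_split("0") {
        Ok(split) => println!("{:?}", stream_ranges(10, split)),
        Err(e) => println!("rejected split: {:?}", e),
    }
    let split = parse_split("3").expect("valid split");
    println!("{:?}", stream_ranges(10, split));
}
```

The point of the type change is that every caller of `stream_ranges` is forced to have already handled the zero case; a `u64` with a runtime `if split == 0` check is only as good as the one place someone remembered to write it.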
Thanks to OpenAI Security Research for bringing these issues to our attention.
