Access-control hardening is needed on one of the backend HTTP endpoints. Details, reproduction, and the suggested fix are in the private draft security advisory (maintainer-only):
https://github.com/encryption4all/cryptify/security/advisories/GHSA-5rhx-xgvv-h78h
Scope: enforce authentication/ownership on the affected endpoint so it can no longer be queried anonymously for arbitrary inputs. A small secondary hardening item (constant-time token comparison) is noted in the advisory. Please keep specifics in the advisory thread, not in this public issue.
Access-control hardening is needed on one of the backend HTTP endpoints. Details, reproduction, and the suggested fix are in the private draft security advisory (maintainer-only):
https://github.com/encryption4all/cryptify/security/advisories/GHSA-5rhx-xgvv-h78h
Scope: enforce authentication/ownership on the affected endpoint so it can no longer be queried anonymously for arbitrary inputs. A small secondary hardening item (constant-time token comparison) is noted in the advisory. Please keep specifics in the advisory thread, not in this public issue.