Changes: Security

All changelog entries related to Security.

Critical Security Patch: JWT Signing Algorithm Vulnerability

A critical security vulnerability was discovered in our JWT signing implementation: under specific conditions, certain edge cases could allow token forgery. This patch fixes the issue.

Security impact:

  • Severity: High
  • CVSS Score: 8.3
  • Affected versions: 2.0.0 - 2.4.3

Fix details:

  • Updated RSA key validation logic
  • Enhanced signature verification
  • Improved error handling in token parsing

All users running affected versions must update immediately to ensure secure authentication.

WebAuthn and Passkeys Support Added

We're thrilled to announce support for WebAuthn and Passkeys, enabling true passwordless authentication for your users.

Features included:

  • Platform authenticator support (Face ID, Touch ID, Windows Hello)
  • Cross-platform authenticator support (YubiKey, security keys)
  • Passkey synchronization across devices
  • Fallback authentication methods

Implementation details:

  • FIDO2-compliant
  • Attestation format validation
  • Challenge generation and verification
  • User-friendly registration flow

This update represents a major step forward in authentication security and user experience.

Bug Fix: Rate Limiting Bypass Vulnerability

We've identified and fixed a security vulnerability in our rate limiting implementation that could allow bypass under certain conditions.

Issue details:

  • Rate limits could be bypassed using custom X-Forwarded-For headers
  • Affected endpoints: /auth/login, /auth/register, /auth/password-reset
  • Impact: Potential brute-force attacks

Fix summary:

  • Enhanced header validation
  • Improved IP extraction logic
  • Added safeguards for proxy detection

Update to version 2.4.4 or later to ensure proper rate-limiting protection.
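
The bypass and the fix described above, as an added illustration (this is not the project's code): a naive extractor keys the limiter on the leftmost X-Forwarded-For value, which the client controls, so each request can present a fresh address; the hardened extractor walks the chain from the right and only skips hops that belong to a configured proxy set. The proxy range, the client address and the fixed-window limiter are constructed for the example.

```python
import ipaddress
from typing import Optional

# Constructed for this example: the reverse proxies allowed to set X-Forwarded-For.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]

def _parse_ip(value: str):
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None

def client_ip_naive(remote_addr: str, xff: Optional[str]) -> str:
    """Weak: trusts the leftmost X-Forwarded-For value, which the client chooses."""
    if xff:
        first = xff.split(",")[0].strip()
        if _parse_ip(first):
            return first
    return remote_addr

def client_ip_hardened(remote_addr: str, xff: Optional[str]) -> str:
    """Hardened: walk right to left, skipping known proxies; first non-proxy hop is the client."""
    def trusted(ip) -> bool:
        return any(ip in net for net in TRUSTED_PROXIES)
    peer = _parse_ip(remote_addr)
    if peer is None or not trusted(peer):
        return remote_addr  # direct connection: the header is meaningless
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    for hop in reversed(hops):
        ip = _parse_ip(hop)
        if ip is None:
            return remote_addr  # malformed entry inside the trusted segment
        if not trusted(ip):
            return str(ip)
    return remote_addr  # every hop was a proxy; key on the connecting peer

class FixedWindowLimiter:
    """Minimal per-key counter standing in for the real limiter."""
    def __init__(self, limit: int):
        self.limit, self.counts = limit, {}
    def allow(self, key: str) -> bool:
        self.counts[key] = self.counts.get(key, 0) + 1
        return self.counts[key] <= self.limit

def count_allowed(extract, attempts: int = 10, limit: int = 5) -> int:
    """Client 203.0.113.5 behind proxy 10.0.0.1 sends login requests with spoofed XFF prefixes."""
    limiter, allowed = FixedWindowLimiter(limit), 0
    for i in range(attempts):
        header = f"198.51.100.{i}, 203.0.113.5"  # spoofed value, then real client
        allowed += limiter.allow(extract("10.0.0.1", header))
    return allowed
```

With a limit of 5, `count_allowed(client_ip_naive)` lets all 10 requests through while `count_allowed(client_ip_hardened)` stops at 5, because every request resolves to the same client address.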

Multi-Factor Authentication Enhancements

Our MFA implementation has been significantly enhanced with new verification methods and improved user experience.

New features:

  • Authenticator app support (TOTP)
  • SMS verification with retry logic
  • Email-based verification codes
  • Backup code generation
  • Grace period configuration

Technical improvements:

  • TOTP clock-drift tolerance adjustment
  • SMS delivery reliability improvements
  • Enhanced recovery flow
  • MFA policy customization

These enhancements provide more flexibility in implementing multi-factor authentication while maintaining robust security.