Version 1.7.6

Released on 2020-01-25.

This release includes a fix for a security vulnerability. This upgrade is recommended for all Ratpack users.

Versions of Ratpack 0.9.10 through and including 1.7.5 are vulnerable to CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (aka. XSS), in the development error handler. An attacker can utilize this to perform XSS when an exception message contains untrusted data.

This vulnerability only exists in the handler that renders an internal server error as a readable HTML page which is activates when Ratpack is running in development mode. This mode is only activate by user request (i.e. setting development(true) in the ServerConfig, setting RATPACK_DEVELOPMENT=true in the environment), or when Ratpack detects it is running in an IDE (i.e. IntelliJ), being run by the Groovy shell, or attached to a debugger. By default, Ratpack sets development(false) when packaged as a Jar.

Users should verify that they are not running Ratpack with development mode activated in production environments.

We would like to thank Jonathan Leitschuh for reporting this vulnerability.

Please see the security advisory for this issue for more information.

Pull Requests (0)

Resolved Issues (0)