sj26 / mailcatcher

Catches mail and serves it through a dream.
http://mailcatcher.me
MIT License

Sinatra vulnerable to Reliance on Untrusted Inputs in a Security Decision #565

Open santiagodoldan opened 3 weeks ago

santiagodoldan commented 3 weeks ago

Looks like a Sinatra vulnerability was reported here https://github.com/advisories/GHSA-hxx2-7vcw-mqr3.

gravitystorm commented 1 week ago

A new version of sinatra, 4.1.0, has now been released and that version fixes this CVE.

https://github.com/sinatra/sinatra/commit/73f3291d114b5b211e067263eeb9c0e197fe8500

However, mailcatcher depends on "sinatra", "~> 3.2". It would be great if the dependency on sinatra is relaxed, to pick up the sinatra 4.x series too.
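The core of the thread is a version-constraint question: `"~> 3.2"` is a pessimistic constraint that admits 3.x but never 4.x, so a fix that only exists in sinatra 4.1.0 can never be resolved by a project pinned that way. The script below is an added example, not code from mailcatcher or from this issue; it uses RubyGems' own `Gem::Requirement` and `Gem::Version` to show why the current constraint cannot pick up the fix, what a relaxed constraint (the `">= 3.2", "< 5"` pair is an assumed example, not a proposal from the maintainers) would admit, and how to audit a `Gemfile.lock` for the resolved sinatra version. The lock-file excerpt is constructed for the example.

```ruby
require "rubygems"

# Constraint mailcatcher currently declares, as quoted in the issue.
CURRENT_CONSTRAINT = "~> 3.2"
# Assumed relaxed constraint for illustration (not mailcatcher's own).
RELAXED_CONSTRAINT = [">= 3.2", "< 5"].freeze
# First sinatra release the thread states contains the fix.
FIXED_VERSION = "4.1.0"

# Constructed Gemfile.lock excerpt in the real "specs:" layout (4-space
# indent for a resolved gem, 6-space indent for its dependencies).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rack (2.2.8)
      sinatra (3.2.0)
        rack (~> 2.2, >= 2.2.4)
LOCK

# True when the constraint can ever resolve to a version that carries the
# fix, i.e. the requirement is satisfied by FIXED_VERSION itself.
def constraint_admits_fix?(constraint, fixed = FIXED_VERSION)
  Gem::Requirement.new(*Array(constraint)).satisfied_by?(Gem::Version.new(fixed))
end

# True when an already-resolved (installed or locked) version is at or past
# the fixed release. Gem::Version handles prerelease and multi-part tags.
def resolved_version_patched?(resolved, fixed = FIXED_VERSION)
  Gem::Version.new(resolved) >= Gem::Version.new(fixed)
end

# Reads the resolved sinatra version out of Gemfile.lock text and classifies
# it. Only the 4-space-indented spec line is matched, so dependency lines
# listed under other gems are ignored.
def sinatra_lock_status(lockfile_text, fixed = FIXED_VERSION)
  match = lockfile_text.match(/^ {4}sinatra \(([^)]+)\)/)
  return :not_found unless match

  resolved_version_patched?(match[1], fixed) ? :patched : :vulnerable
end

if __FILE__ == $PROGRAM_NAME
  puts "#{CURRENT_CONSTRAINT.inspect} admits #{FIXED_VERSION}: " \
       "#{constraint_admits_fix?(CURRENT_CONSTRAINT)}"
  puts "#{RELAXED_CONSTRAINT.inspect} admits #{FIXED_VERSION}: " \
       "#{constraint_admits_fix?(RELAXED_CONSTRAINT)}"
  puts "sample Gemfile.lock status: #{sinatra_lock_status(SAMPLE_LOCK)}"
end
```

`Gem::Requirement` implements the same operator semantics Bundler uses when resolving, so the first check answers the maintainers' question directly: as long as the gemspec says `~> 3.2`, no `bundle update` will ever land on 4.1.0. The lock-file check is the complementary, deploy-side view: it tells you whether a given checkout is still running a pre-fix sinatra regardless of what the gemspec allows.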