Security Announcements

Reporting

To give the community time to respond and upgrade, we strongly urge you to report all security issues privately. Please email us at security@hangfire.io with details and we will respond ASAP. Security issues always take precedence over bug fixes and feature work.

Newsletter

Subscribe to receive security announcements by email as soon as possible. Very low traffic, unsubscribe at any time.

Hangfire 1.7.3 and 1.6.26

This version contains security fixes to prevent possible XSS attacks as described in #1441. They don’t relate to user data submitted to Hangfire directly via method arguments, but it’s recommended to upgrade anyway. If you are using Hangfire 1.6, please upgrade to version 1.6.26 instead.


Hangfire 1.6.20

This release contains fixes for security issues related to the dashboard, so it is highly recommended to upgrade. Cross-Site Request Forgery protection was added by using existing libraries, but the methods differ across application frameworks:


Hangfire.Pro.Redis 1.4.2

This release fixes a security issue that caused Redis password leaks to log targets during the Hangfire Server startup. The password was also shown in the dashboard. If you are using password-protected Redis, it is highly recommended to update to this release and change the Redis password.
