LycheeOrg · ildyria · Jun 17, 2025 · Jun 17, 2025 · Jun 17, 2025 · Jun 17, 2025
diff --git a/docs/releases.md b/docs/releases.md
@@ -30,6 +30,45 @@
 
 ## Version 6
 
+### v6.6.10
+
+Released on Jun 18, 2025
+
+#### Security release: MAJOR Vulnerability fix (9.8)
+
+Lychee version between 6.6.6 and 6.6.9 (included) are vulnerable to a path traversal attack.
+This leads the attacker being able to read any files on the server, including `/etc/passwd` and `.env` files...
+
+#### What to do?
+
+We strongly recommend that you consider your installation compromised and rotate your secret key using `php artisan key:generate`.
+If you are using docker you can do this by running the following command:  
+```bash
+docker exec -it <lychee_app> php artisan key:generate
+```
+Or modify the value of `APP_KEY` in your `.env` file. This will also invalidate all existing sessions.
+
+#### The vulnerability
+
+This vulnerability miss-uses the `$path` variable sent to the server, which is used to access the photos via the `SecurePathController`.  
-This vulnerability miss-uses the `$path` variable sent to the server, which is used to access the photos via the `SecurePathController`.  
+This vulnerability misuses the `$path` variable sent to the server, which is used to access the photos via the `SecurePathController`.  
-This vulnerability miss-uses the `$path` variable sent to the server, which is used to access the photos via the `SecurePathController`.  
+This vulnerability misuses the `$path` variable sent to the server, which is used to access the photos via the `SecurePathController`.  
+We wrongly assumed that `Storage::disk(StorageDiskType::LOCAL->value)->path($path);` was protected against path traversal attacks which lead to this vulnerability.
+
+When both the encrypted links and the temporary links are disabled, it is possible to call the endpoint with fictuous path values. Ironically, by enabling either of the functionality, the endpoint becomes secure again.
-When both the encrypted links and the temporary links are disabled, it is possible to call the endpoint with fictuous path values. Ironically, by enabling either of the functionality, the endpoint becomes secure again.
+When both the encrypted links and the temporary links are disabled, it is possible to call the endpoint with path values that are out of scope. Ironically, by enabling either of the functionality, the endpoint becomes secure again.
-When both the encrypted links and the temporary links are disabled, it is possible to call the endpoint with fictuous path values. Ironically, by enabling either of the functionality, the endpoint becomes secure again.
+When both the encrypted links and the temporary links are disabled, it is possible to call the endpoint with path values that are out of scope. Ironically, by enabling either of the functionality, the endpoint becomes secure again.
+
+#### The fix
+
+We applied defense in depth:
+
+1. when neither functionality are enabled, we direclty return a 401/403 error on any call to `/image/{path}`.
-1. when neither functionality are enabled, we direclty return a 401/403 error on any call to `/image/{path}`.
+1. when neither functionality is enabled, we directly return a 401/403 error on any call to `/image/{path}`.
-1. when neither functionality are enabled, we direclty return a 401/403 error on any call to `/image/{path}`.
+1. when neither functionality is enabled, we directly return a 401/403 error on any call to `/image/{path}`.
+2. when either of the functionality are enabled, we check that the `$path` value generated by `Storage::disk(StorageDiskType::LOCAL->value)->path($path);` is within the intended image directory. Should this happen, we return a 418 error code (I'm a teapot) which can later be used to detect malicious calls and combined with fail-2-ban to block the IP address of the attacker.
-2. when either of the functionality are enabled, we check that the `$path` value generated by `Storage::disk(StorageDiskType::LOCAL->value)->path($path);` is within the intended image directory. Should this happen, we return a 418 error code (I'm a teapot) which can later be used to detect malicious calls and combined with fail-2-ban to block the IP address of the attacker.
+2. when either of the functionalities are enabled, we check that the `$path` value generated by `Storage::disk(StorageDiskType::LOCAL->value)->path($path);` is within the intended image directory. Should this happen, we return a 418 error code (I'm a teapot) which can later be used to detect malicious calls and combined with fail-2-ban to block the IP address of the attacker.
-2. when either of the functionality are enabled, we check that the `$path` value generated by `Storage::disk(StorageDiskType::LOCAL->value)->path($path);` is within the intended image directory. Should this happen, we return a 418 error code (I'm a teapot) which can later be used to detect malicious calls and combined with fail-2-ban to block the IP address of the attacker.
+2. when either of the functionalities are enabled, we check that the `$path` value generated by `Storage::disk(StorageDiskType::LOCAL->value)->path($path);` is within the intended image directory. Should this happen, we return a 418 error code (I'm a teapot) which can later be used to detect malicious calls and combined with fail-2-ban to block the IP address of the attacker.
+
+#### Credits
+
+We would really like to thank [@MrRauL124](https://github.com/MrRauL124) for reporting this vulnerability.
+
+* `fixes` #3469 : Fix path traversal attack + bump version.
+
+
 ### v6.6.9
 
 Released on Jun 17, 2025

diff --git a/src/components/widgets/Announcement.astro b/src/components/widgets/Announcement.astro
@@ -9,9 +9,13 @@
     class="text-slate-200 dark:bg-sky-700 bg-sky-600 dark:text-slate-200 font-semibold px-1 py-0.5 text-xs mr-0.5 rtl:mr-0 rtl:ml-0.5 inline-block"
     >NEW</span
   >
+  <!-- <a
+    href="https://github.com/LycheeOrg/Lychee/releases/tag/v6.6.10"
+    class="text-slate-200 hover:underline dark:text-slate-200 font-medium">Lychee 6.6.10 is now available! »</a
+  > -->
-  <!-- <a
-    href="https://github.com/LycheeOrg/Lychee/releases/tag/v6.6.10"
-    class="text-slate-200 hover:underline dark:text-slate-200 font-medium">Lychee 6.6.10 is now available! »</a
-  > -->
-  <!-- <a
-    href="https://github.com/LycheeOrg/Lychee/releases/tag/v6.6.10"
-    class="text-slate-200 hover:underline dark:text-slate-200 font-medium">Lychee 6.6.10 is now available! »</a
-  > -->
   <a
-    href="https://github.com/LycheeOrg/Lychee/releases/tag/v6.6.9"
-    class="text-slate-200 hover:underline dark:text-slate-200 font-medium">Lychee 6.6.9 is now available! »</a
+    href="https://github.com/LycheeOrg/Lychee/releases/tag/v6.6.10"
+    class="text-slate-200 hover:underline dark:text-slate-200 font-medium"><span class="text-red-500 font-bold">CVE 9.8 in Lychee 6.6.9</span>, update Lychee 6.6.10 as soon as possible! »</a
   >
   <a
     target="_blank"