Security Vulnerability: dbAuth "forgot-password" Account Takeover [high]

We’ve discovered a security vulnerability in Redwood’s dbAuth, specifically the dbAuth forgot password feature:

  • only projects with the dbAuth “forgot password” feature are affected
  • this vulnerability was introduced in v0.38.0

If this applies to you, please see the Security Advisory and upgrade as soon as possible to either the v3 or v2 patch. (There are workarounds detailed in the Security Advisory if you can’t upgrade.)

Feel free to comment here if you have any questions, or email us at security@redwoodjs.com if you’d like to be more discreet.