Hollo security updates: 0.7.16 and 0.8.5

[dahlia]

If you run Hollo, update to a patched release now. Hollo 0.7.16 and 0.8.5 fix several security issues in ActivityPub federation, the web admin UI, OAuth, and the transitive fast-xml-parser dependency.

On the federation side, three inbox handlers were missing authorization checks. Any remote actor could send a Delete to remove any cached post by IRI, an Update to overwrite or first-materialize a cached post under another actor's name, or a cross-origin Announce whose attacker-controlled embedded body materialized as someone else's post. The checks now differ by activity type. A Delete is ignored unless the deleter's origin matches the cached post author's origin. An Update is ignored unless the activity actor, the embedded object's id, and its attributedTo all share an origin. For Announce, Hollo no longer trusts attacker-supplied embedded content to create or overwrite the original post: unknown cross-origin objects are fetched from their canonical URL, and any newly cached object must have matching id and attributedTo origins. Separately, Follow, Like, EmojiReact, and Announce from a blocked actor were processed normally and still produced notifications; they are now silently dropped at the inbox.

On the web admin side, login and OTP cookies were set without HttpOnly, SameSite, or Secure, and state-changing forms had no Origin or Sec-Fetch-Site check. A single reflected XSS could exfiltrate the admin session, and a malicious page could submit a hidden cross-site form to disable 2FA, delete an account, or silently authorize a rogue OAuth application. The affected dashboard routes and POST /oauth/authorize now run Hono's CSRF middleware, and the login and OTP cookies now carry those attributes.

The transitive fast-xml-parser (carried in via the AWS SDK that backs S3 storage) is now pinned to patched versions, closing one critical and several high-severity advisories. Hollo also now uses constant-time comparison for the OAuth PKCE check and the multi-credential client-secret consistency check, and it warns at startup when LOG_QUERY=true is set, because drizzle-orm logs bound parameter values, including OAuth tokens and other secrets.

All Hollo versions up to and including 0.7.15 and 0.8.4 are affected. Patched releases are 0.7.16 for the 0.7.x series and 0.8.5 for the 0.8.x series. CHANGES.md has the longer notes, including the availability trade-off for cross-origin Announce validation when the canonical origin is unreachable.

For 0.7.x deployments, update to 0.7.16:

docker pull ghcr.io/fedify-dev/hollo:0.7.16

For 0.8.x deployments, update to 0.8.5:

docker pull ghcr.io/fedify-dev/hollo:0.8.5

After pulling the new image, restart your Hollo container. If you deploy from source, pull the corresponding release tag and restart.

If anything is unclear, ask below.