
Releases: Countly/countly-server

Countly Version 25.03.44

19 May 08:59
6050a3b


Security fixes:

  • [alerts] Validate alertConfig.selectedApps against caller's permissions (cross-app metric exfiltration)
  • [app_users / logger / compliance-hub] Strip dangerous Mongo operators ($where, $expr, $function, $accumulator) from user-supplied queries
  • [app_users] Sanitize user.picture filename before deletion (path traversal)
  • [app_users] Scope export download/delete to caller's app_id; reject path-traversal in filenames
  • [apps] Replace updateApp/createApp mass-assignment with explicit field allowlist
  • [auth] Generate new-member invite prid with crypto.randomBytes (replace predictable HMAC)
  • [auth] Handle req.session.regenerate error in token login
  • [auth] Replace OTP-equality recaptcha bypass with twoFactorPassed session flag
  • [auth] Restrict /login/token/:token to login-purpose tokens; regenerate session id on token login to close fixation
  • [cms / system / systemlogs] /i/cms/save_entries, /o/system/plugins, /i/systemlogs restricted to global admins
  • [core] Add common.resolvePathInBase helper for safe path containment checks
  • [crashes] Add error handlers to crash report streamed responses
  • [dashboards] Constrain public screenshot route paths and stream error handling
  • [dashboards] Identical response for missing/inaccessible dashboard (no enumeration)
  • [dashboards] Require auth + per-widget app permission on /o/dashboards/test; remove the unused endpoint
  • [data_migration] Constrain export/import paths to allowed directories; reject path-traversal in target_path, multipart filenames, and exportid (backport of #7491)
  • [data] Escape regex metacharacters in sSearch parameters (ReDoS)
  • [data] Return 404 (not 500) when event_groups lookup misses
  • [dbviewer] Block $graphLookup aggregation stage (cross-collection data exfiltration)
  • [dbviewer] Wrap non-admin scope as top-level $and so user-supplied $or/$nor cannot bypass per-tenant filter (cross-tenant data exfiltration)
  • [errorlogs] Reject path-traversal in admin log file paths
  • [event_groups] Whitelist updatable fields on create/update; scope reads by app_id
  • [exports] Add stream error handlers to export download
  • [exports] Authorize /o/export/download by task ownership / app_id
  • [notes] Bind notes to permission-checked app_id; check edit permissions against the note's stored app_id
  • [notes] Enforce saveNote schema validation
  • [output] Remove noescape query-string bypass on returnOutput (reflected-XSS via parameter)
  • [push] Bind message create/test/update/one/remove/toggle to query-string app_id (cross-app push injection)
  • [redirect] Apply SSRF protection (api/utils/ssrf-protection.js) to app.redirect_url outbound requests
  • [render] Remove --disable-web-security from puppeteer launch args
  • [reports] Add stream error handlers
  • [star-rating] Close stored XSS in feedback widget logo upload/preview; restrict uploads to image MIME types and validate magic bytes (backport of #7532)
  • [star-rating] Defense-in-depth on image upload/serve routes
  • [system-utility] Harden streamed responses with error handlers
  • [tasks] Authorize /i/tasks/{update,delete,name,edit} per task ownership / app admin / global admin
  • [users] /users/check/username now requires global admin (parity with email check)
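Two of the fixes above describe a general pattern rather than a Countly-specific one: stripping code-executing Mongo operators ($where, $expr, $function, $accumulator) from user-supplied queries, and combining the caller's tenant scope with that query under a top-level $and so a user-supplied $or/$nor cannot replace the scope. The block below is an added illustration of both, not Countly's code: the collection, scope and query are constructed, and the tiny matcher only covers the operator subset the example uses.

```javascript
// Added example (not Countly's own code): hardening a user-supplied MongoDB
// query in two independent steps.
//  1. strip operators that run server-side JavaScript or arbitrary expressions
//  2. combine the tenant scope and the user query under a top-level $and, so a
//     user-supplied $or/$nor key cannot overwrite the scope's own $or key.

const DANGEROUS_OPERATORS = new Set(['$where', '$expr', '$function', '$accumulator']);

// Recursively drop dangerous operator keys at any depth. Returns a new value;
// the input is not mutated.
function stripDangerousOperators(node) {
  if (Array.isArray(node)) {
    return node.map(stripDangerousOperators);
  }
  if (node && typeof node === 'object') {
    const out = {};
    for (const [key, value] of Object.entries(node)) {
      if (DANGEROUS_OPERATORS.has(key)) continue;
      out[key] = stripDangerousOperators(value);
    }
    return out;
  }
  return node;
}

// Naive merge: keys present in both objects collide and the user's value wins.
function scopeByMerge(scope, userQuery) {
  return { ...scope, ...userQuery };
}

// Safe combination: scope and user query are siblings under $and, so nothing
// in the user query can replace the scope.
function scopeByAnd(scope, userQuery) {
  return { $and: [scope, userQuery] };
}

// Minimal matcher for equality, $in, $and, $or and $nor. Constructed for this
// example only; it is not a MongoDB implementation.
function matches(doc, query) {
  return Object.entries(query).every(([key, cond]) => {
    if (key === '$and') return cond.every((q) => matches(doc, q));
    if (key === '$or') return cond.some((q) => matches(doc, q));
    if (key === '$nor') return !cond.some((q) => matches(doc, q));
    if (cond && typeof cond === 'object' && !Array.isArray(cond) && '$in' in cond) {
      return cond.$in.includes(doc[key]);
    }
    return doc[key] === cond;
  });
}

// Constructed sample collection spanning three tenants (app_id values).
const USERS = [
  { uid: 'u1', app_id: 'appA' },
  { uid: 'u2', app_id: 'appB' },
  { uid: 'u3', app_id: 'appC' },
];

// Non-admin scope over two apps, expressed with $or as a multi-app filter would be.
const NON_ADMIN_SCOPE = { $or: [{ app_id: 'appA' }, { app_id: 'appB' }] };

// Constructed user query: carries its own top-level $or and a $where clause.
const USER_QUERY = { $or: [{ app_id: 'appC' }], $where: 'this.uid.length > 0' };

// Returns the uids visible after cleaning the query and applying the scope
// with the given combination strategy.
function runQuery(combine) {
  const q = combine(NON_ADMIN_SCOPE, stripDangerousOperators(USER_QUERY));
  return USERS.filter((d) => matches(d, q)).map((d) => d.uid);
}

console.log('merge :', runQuery(scopeByMerge)); // ['u3']: the scope's $or was overwritten
console.log('$and  :', runQuery(scopeByAnd));   // []: both clauses are enforced
```

The key collision is the whole point: with the spread merge, the user's `$or` silently replaces the scope's `$or`, and the per-tenant filter disappears without any error. Wrapping in `$and` keeps both clauses regardless of which operator keys the user query contains.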

Enterprise Features:

  • [journey_engine] Maker checker approver
  • [journey_engine] Engagement cooldown information added to journey builder and user profiles

Enterprise Fixes:

  • [active_users] Fixed logic to prevent triggering active users calculation if it is already running
  • [cognito] Fix crash on GET /clogin/:code when body-parser 2.x leaves req.body undefined on requests with no body
  • [drill] Add query hint based on default indexes
  • [drill] Add contextual links in drill table for user IDs and crash groups
  • [drill] Resolve device IDs to user profiles via server-side redirect endpoint
  • [drill] Open crash group and user profile links in new tab
  • [drill] Show user-friendly error message when saving a query fails
  • [users] Fix MongoDB dot encoding (.) leaking into user profile UI filters, breakdown dropdown, and URLs

Countly Version 24.05.50

19 May 08:58
e702a10


Security Fixes (backport of #7535 — bug-bounty-style hardening pass):

  • [auth] Restrict /login/token/:token to login-purpose tokens; regenerate session id on token login to close fixation
  • [dashboards] Require auth + per-widget app permission on /o/dashboards/test; remove the unused endpoint
  • [dashboards] Identical response for missing/inaccessible dashboard (no enumeration)
  • [dbviewer] Block $graphLookup aggregation stage (cross-collection data exfiltration)
  • [redirect] Apply SSRF protection (api/utils/ssrf-protection.js) to app.redirect_url outbound requests
  • [tasks] Authorize /i/tasks/{update,delete,name,edit} per task ownership / app admin / global admin
  • [exports] Authorize /o/export/download by task ownership / app_id
  • [notes] Bind notes to permission-checked app_id; check edit permissions against the note's stored app_id
  • [notes] Enforce saveNote schema validation
  • [apps] Replace updateApp/createApp mass-assignment with explicit field allowlist
  • [event_groups] Whitelist updatable fields on create/update; scope reads by app_id
  • [app_users] Sanitize user.picture filename before deletion (path traversal)
  • [app_users] Scope export download/delete to caller's app_id; reject path-traversal in filenames
  • [app_users / logger / compliance-hub] Strip dangerous Mongo operators ($where, $expr, $function, $accumulator) from user-supplied queries
  • [push] Bind message create/test/update/one/remove/toggle to query-string app_id (cross-app push injection)
  • [alerts] Validate alertConfig.selectedApps against caller's permissions (cross-app metric exfiltration)
  • [data] Escape regex metacharacters in sSearch parameters (ReDoS)
  • [users] /users/check/username now requires global admin (parity with email check)
  • [cms / system / systemlogs] /i/cms/save_entries, /o/system/plugins, /i/systemlogs restricted to global admins
  • [auth] Replace OTP-equality recaptcha bypass with twoFactorPassed session flag
  • [auth] Generate new-member invite prid with crypto.randomBytes (replace predictable HMAC)
  • [output] Remove noescape query-string bypass on returnOutput (reflected-XSS via parameter)
  • [auth] Handle req.session.regenerate error in token login
  • [data] Return 404 (not 500) when event_groups lookup misses

24.05-specific notes (some master fixes were not directly applicable):

  • C-1 ($graphLookup) and M-11 (dbviewer non-admin filter scope): master uses a whiteListedAggregationStages mechanism (added by SER-2122) and a getBaseAppFilter per-collection app-id mechanism that 24.05 does not have. C-1 is implemented as a minimal targeted block; M-11 is not applicable here. A broader 24.05 dbviewer hardening (porting SER-2122 + filter scope + M-11) is left for a separate change.
  • M-14 (--disable-web-security): the flag was never present in 24.05's puppeteer args, so the master fix is a no-op; only an explanatory comment was added.
  • L-7 (drop wildcard CORS from reports preview/pdf): intentionally not backported — the wildcard is needed for puppeteer PDF rendering against data: URL documents (sub-resource fetches). Same decision as on master where the L-7 fix was reverted.

Fixes:

  • [star-rating] Close stored XSS in feedback widget logo upload/preview; restrict uploads to image MIME types and validate magic bytes (backport of #7532)
  • [star-rating] Defense-in-depth on image upload/serve routes
  • [data_migration] Constrain export/import paths to allowed directories; reject path-traversal in target_path, multipart filenames, and exportid (backport of #7491)
  • [errorlogs] Reject path-traversal in admin log file paths
  • [system-utility] Harden streamed responses with error handlers
  • [crashes] Add error handlers to crash report streamed responses
  • [exports] Add stream error handlers to export download
  • [reports] Add stream error handlers
  • [dashboards] Constrain public screenshot route paths and stream error handling
  • [core] Add common.resolvePathInBase helper for safe path containment checks

Countly Version 25.03.43

21 Apr 16:47
b36d4c3


Enterprise Fixes:

  • [flow] Optimize timeline period query

Dependencies:

  • Bump follow-redirects from 1.15.11 to 1.16.0
  • Bump get-random-values from 4.1.1 to 4.1.2
  • Revert @vitejs/plugin-legacy from 8.0.1 to 7.2.1

Countly Version 24.05.49

13 Apr 14:15
e4af5b3


Fixes:

  • [alerts] Fixed alert jobs using system's timezone instead of application's
  • [compliance-hub] Correctly merge user history on user merge
  • [onboarding] Fix redirection to newsletter page
  • [star-rating] Fix active status checkbox in drawer
  • [star-rating] Fix consent fields in drawer

Enterprise Fixes:

  • [retention_segments] Adding null check for breakdown filtering

Countly Version 25.03.42

09 Apr 16:45
b53c728


Fixes:

  • [alerts] Fixed alert jobs using system's timezone instead of application's
  • [core] Fixed duplicate conditional in form field template

Enterprise Fixes:

  • [data-manager] Fix notification message after editing user property
  • [white-labeling] Update newsletter setting description

Countly Version 25.03.41

01 Apr 16:42
8ba2959


Fixes:

  • [push] Fix: Cannot create a push notification when configuration _id is a string
  • [star-rating] Fixed widget asset path with subdirectory

Enterprise Fixes:

  • [journeys] Fix: prevent the users-entered stat from going negative under race conditions
  • [surveys] Fixed widget asset path with subdirectory

Countly Version 25.03.40

25 Mar 21:41
0904e49


Fixes:

  • [hooks] Implement domain/ip address validation for hooks with http effect
  • [reports] Replace the hardcoded default e-mail secret with a randomly generated one

Enterprise fixes:

  • [drill] Hide redacted user properties in filters
  • [oidc] Use sub as the fallback user identifier when there is no email

Dependencies:

  • Bump countly-sdk-web from 26.1.0 to 26.1.1
  • Bump ejs from 4.0.1 to 5.0.1
  • Bump express-rate-limit from 8.3.0 to 8.3.1
  • Bump fast-xml-parser from 5.4.1 to 5.5.7 in /plugins/push
  • Bump flatted from 3.3.4 to 3.4.2
  • Bump moment-timezone from 0.6.0 to 0.6.1 in /bin/scripts/timezones
  • Bump nodemailer from 8.0.1 to 8.0.2
  • Bump puppeteer from 24.38.0 to 24.39.0
  • Bump sass from 1.97.3 to 1.98.0

Countly Version 25.03.39

18 Mar 12:47
0aec524


Fixes:

  • [core] Fixed replaceDatabaseString incorrectly replacing "countly" in the MongoDB username when it appears in the connection URL
  • [dashboards] Unescape event segment values in meta
  • [push] Use Android-specific content for Huawei messages as well

Enterprise fixes:

  • [data-manager] Fix validation approval button label
  • [data-manager] Fix validation table column names

Countly Version 25.03.38

10 Mar 15:29
449b25b


Fixes:

  • [push] Rename the message-button property from link to url for Huawei messages
  • [web] Use Client Hints

Countly Version 25.03.37

03 Mar 16:11
4f2e1a9


Fixes:

  • [core] Update home page download notification text
  • [data-manager] Add search and checkboxes in event selector when creating event group

Enterprise fixes:

  • [funnels] Use lsid in same session funnel calculation
  • [users] Export drill data on user export
  • [users] Fix export query when there is profile group filter

Dependencies:

  • Bump @faker-js/faker from 10.2.0 to 10.3.0 in /ui-tests
  • Bump axios from 1.13.2 to 1.13.5
  • Bump basic-ftp from 5.1.0 to 5.2.0
  • Bump cypress from 15.10.0 to 15.11.0 in /ui-tests
  • Bump fast-xml-parser and @google-cloud/storage in /plugins/push
  • Bump geoip-lite from 1.4.10 to 2.0.0
  • Bump minimatch from 9.0.5 to 9.0.9 in /api/utils/countly-request
  • Bump minimatch from 9.0.5 to 9.0.9 in /plugins/hooks
  • Bump nodemailer from 7.0.13 to 8.0.1
  • Bump qs from 6.14.1 to 6.14.2
  • Bump rollup from 4.56.0 to 4.59.0 in /plugins/journey_engine
  • Bump swiper from 12.0.3 to 12.1.2 in /plugins/content
  • Bump systeminformation from 5.30.5 to 5.31.1 in /ui-tests
  • Bump tar-stream from 3.1.7 to 3.1.8 in /plugins/system-utility