Flarum 1.8.16 Released 🔒
An out-of-band security release for the Flarum 1.x series. This release fixes multiple security vulnerabilities and also bundles a handful of other backported fixes. All 1.x forum operators should upgrade promptly.
🛡️ Security fixes
This release addresses several vulnerabilities. Full technical detail is in each advisory; high-level summaries below.
Path traversal in LESS parser via theme color settings
This issue stems from an incomplete fix for CVE-2023-27577. The original patch restricted the @import and data-uri() LESS features in the custom_less setting, but the same restriction was never applied to other settings registered as LESS config variables — most notably theme_primary_color and theme_secondary_color. Those values are interpolated verbatim into the LESS source at compile time, allowing an authenticated administrator to craft a payload that reads arbitrary local files or triggers outbound HTTP requests (SSRF) via @import (inline). Because the compiled output is written to the publicly served forum.css, the attacker can retrieve whatever was read simply by fetching that file.
Requires administrator access, but represents a privilege-escalation path from "forum admin" to "host-level file read / SSRF" — which admins are not meant to have.
Reported by William (Liam) Snow IV.
GHSA-xjvc-pw2r-6878
Account takeover via expired password reset token
POST /reset accepted any token present in the database without checking expiry, while GET /reset/{token} correctly enforced the 24-hour window. An attacker with a stale token (for example from a leaked email or database backup) could use it indefinitely to take over the account.
GHSA-649p-3mfg-mx5r
Hardening: invalidate active sessions on password change
Active access tokens (session, remember-me, developer tokens) were not cleared when a user's password changed. Sessions established before a password reset — or during an account takeover — remained valid indefinitely. All access tokens are now cleared when a password is changed.
#4546
Hardening: purge stale password reset tokens
Each password reset request generated a new token without removing prior ones, leaving multiple valid tokens accumulating indefinitely. All existing tokens for a user are now purged before a new one is issued.
#4547
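The three password-reset fixes above (expiry enforced on the POST path as well as the GET path, all access tokens cleared on password change, and stale reset tokens purged before a new one is issued) combined into one added Python illustration. This is not Flarum's code: the AccountStore class, its method names, the in-memory dictionaries and the injectable clock are this example's own assumptions.

```python
import hashlib
import secrets
from datetime import datetime, timedelta, timezone

RESET_TOKEN_TTL = timedelta(hours=24)  # the 24-hour window the advisory describes

class AccountStore:
    def __init__(self, now=None):
        self.now = now or (lambda: datetime.now(timezone.utc))  # injectable clock (example only)
        self.reset_tokens = {}   # reset token -> (user_id, issued_at)
        self.access_tokens = {}  # session / remember-me token -> user_id
        self.password_hashes = {}  # user_id -> (salt, pbkdf2 digest)

    def request_reset(self, user_id):
        # Purge the user's earlier reset tokens before issuing a new one (#4547).
        self.reset_tokens = {t: v for t, v in self.reset_tokens.items() if v[0] != user_id}
        token = secrets.token_urlsafe(32)
        self.reset_tokens[token] = (user_id, self.now())
        return token

    def validate_reset_token(self, token):
        # Single check shared by GET and POST, so neither path accepts an expired token.
        entry = self.reset_tokens.get(token)
        if entry is None:
            return None
        user_id, issued_at = entry
        if self.now() - issued_at > RESET_TOKEN_TTL:
            del self.reset_tokens[token]
            return None
        return user_id

    def issue_access_token(self, user_id):
        token = secrets.token_urlsafe(32)
        self.access_tokens[token] = user_id
        return token

    def change_password(self, user_id, new_password):
        salt = secrets.token_bytes(16)
        self.password_hashes[user_id] = (salt, hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 100_000))
        # Revoke every access token the user holds; sessions opened before the reset die with it (#4546).
        self.access_tokens = {t: u for t, u in self.access_tokens.items() if u != user_id}

    def complete_reset(self, token, new_password):
        user_id = self.validate_reset_token(token)
        if user_id is None:
            return False
        del self.reset_tokens[token]  # single use
        self.change_password(user_id, new_password)
        return True
```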
🚀 Flarum 2.0 RC 1 is coming next week
If you haven't started evaluating Flarum 2.0 yet, now really is the time. Flarum 2.0 RC 1 launches next week, and the stable release follows shortly after.
As a reminder, most active development on the 1.x series has stopped. This release is a security-driven exception. Going forward:
- ❌ No new features or non-security improvements will be backported to 1.x
- ⚠️ Security vulnerabilities will be addressed where possible, but the aging dependency stack (Laravel 8, well into EOL) limits what's fixable
- ✅ All long-term investment is on Flarum 2.0
The official 1.x EOL date will be confirmed soon — we strongly encourage all 1.x forum admins to start planning their upgrade now.
📣 If you're an extension developer, the time to ship your 2.0 update is now.
✨ Also in this release
Alongside the security fixes, we've bundled a few small improvements that were already queued:
Abandoned extensions sync — a new weekly scheduled task that fetches the community-maintained flarum/abandoned-extensions list, filters it to your installed packages, and surfaces the results in the admin panel. Optionally emails admins when new abandonments are detected. Includes a manual POST /api/extensions/abandoned/sync trigger and a CLI command with a --notify flag. (#4559)
New forum-widget extension category — a new category for dashboard/forum widget extensions, ordered between theme and language. (#4542)
[Tags] Correct meta description on tags homepage — when the homepage was set to "Tags", the meta description was hardcoded to the "All Tags" translation string and ignored the forum description configured in admin settings. The forum description is now used, falling back to the translation only when none is configured. (#4557)
📦 Versions released
flarum/core — 1.8.16
flarum/tags — 1.8.8
🚀 How to update
composer update
php flarum migrate
php flarum cache:clear
php flarum assets:publish
Back up your database before updating, and test on staging first if possible.
📋 Full changelog
Core (flarum/core)
Security
- Path traversal in LESS parser via theme color settings, incomplete fix for CVE-2023-27577 by @IanM (GHSA-xjvc-pw2r-6878)
- Account takeover via expired password reset token by @IanM (GHSA-649p-3mfg-mx5r)
- Invalidate active sessions when password is changed by @IanM #4546
- Delete stale password tokens when requesting a new reset by @IanM #4547
Added
- Sync abandoned extensions list from flarum/abandoned-extensions by @IanM #4559
- Add forum-widget extension category by @IanM #4542
Tags (flarum/tags)
Fixed
- Use forum description for meta description on tags homepage by @IanM #4557