Movim 0.31.4 is out, stay safe and upgrade!
Timothée Jaussoin • pubsub.movim.eu / Movim • 3 days ago • 4 minutes
A few weeks after the major 0.34 release, it's time for a small patch release with minor improvements and important security fixes.
What's changed?
The previous version introduced a brand new conference call experience. This release addresses a few small issues related to calls.
In 1-to-1 calls, the call invitation can now be cancelled properly. The microphone level indicator has also been fixed during active calls.
Redesigned notification handling
Movim previously used a global state to determine whether a notification should be sent via the Web Push system or the standard WebSocket handler.
However, you can be connected to your Movim session from multiple devices, each with a different connectivity state. Movim is now aware of this.
This means that if you are currently connected on one of your devices, notifications will be delivered through your WebSocket connection. If Movim cannot detect your device as connected, it will attempt to push the notification via Web Push, ensuring you receive notifications even when Movim is not open on your phone or browser.
One small caveat: some users may not receive all Web Push notifications on their phones. This is most commonly caused by aggressive background process termination by Android for battery optimisation purposes.
What's new?
We received several reports over the past few weeks regarding potential security issues in the project.
All of them were reviewed and resolved. Some code that did not present a specific security problem was also refactored to prevent potential issues in the future.
SSRF Protection
When Movim is running, certain URLs shared by users are queried server-side:
- When Movim receives an avatar or banner hosted at an HTTP URL
- When it processes a shared URL, for example when a user sends a link to an article to a contact
- When a file is uploaded
These scenarios could trigger SSRF exploits:
Server-side request forgery (SSRF) is a type of attack that allows an attacker to send requests from a vulnerable server to internal or external systems, potentially accessing sensitive information. This vulnerability can lead to serious security breaches, such as the Capital One incident, which exposed millions of personal records. (Wikipedia)

For all three of these cases, Movim now automatically blocks any requests pointing to a local IP address or services that may be hosted on the same machine or cloud environment.
You can still allow specific local domains to be queried by using the new "Whitelisted Domains for SSRF Protection" setting in the Administration panel.
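As an added example (not Movim's own PHP code), this is the shape of such a guard in Python: parse the URL, resolve the host, and refuse the fetch if any answer is a non-global address, unless the host is on the administrator's allowlist. The hostnames, addresses and the FAKE_DNS table are constructed so it runs offline; the real check uses the OS resolver.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hosts an administrator allows even though they resolve to local addresses
# (the role of Movim's "Whitelisted Domains" setting). Constructed value.
ALLOWED_LOCAL_HOSTS = {"minio.internal"}

# Constructed DNS answers so the example can run offline; pass FAKE_DNS.get
# as the resolver instead of system_resolver.
FAKE_DNS = {
    "cdn.example": {"93.184.216.34"},
    "mixed.example": {"93.184.216.34", "169.254.169.254"},
    "minio.internal": {"10.0.0.5"},
}

def system_resolver(host):
    """All IPv4/IPv6 addresses the hostname points at, via the OS resolver."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def is_internal(ip):
    """True for loopback, private, link-local (incl. the 169.254.169.254 cloud metadata endpoint), reserved."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped        # judge ::ffff:10.0.0.1 as 10.0.0.1
    return not addr.is_global

def check_outbound_url(url, resolver=system_resolver, allowlist=ALLOWED_LOCAL_HOSTS):
    """Return (True, ip) to connect to (send Host: <hostname> yourself, so a
    later DNS answer cannot swap in an internal address), else (False, reason)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False, "only http(s) URLs with a host are fetched"
    host = parts.hostname
    try:
        ips = {str(ipaddress.ip_address(host))}   # literal IP in the URL
    except ValueError:
        try:
            ips = set(resolver(host) or ())
        except OSError:                          # NXDOMAIN and friends
            ips = set()
    if not ips:
        return False, f"{host} does not resolve"
    if host not in allowlist:
        # Refuse if *any* answer is internal: attacker DNS may mix public and private records.
        for ip in ips:
            if is_internal(ip):
                return False, f"{host} resolves to internal address {ip}"
    return True, min(ips)
```

The caller must then connect to the returned IP rather than re-resolving the name, otherwise a DNS rebinding answer can undo the check.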

Additional security fixes and improvements
During this security review, we also identified several smaller areas for improvement.
Cookie format validation 🍪
Movim manages its sessions using cookies represented by a 32-character random string.
The length of 32 characters was validated, but it was still possible to force Movim into accepting other types of strings, causing crashes. Cookies are now properly validated both on login and when they are renewed.
Properly protecting the picture resolver
When you send or receive a picture URL while chatting with a contact, Movim downloads the image and provides a small compressed thumbnail, while also protecting your IP address by acting as a proxy.
This "picture resolver" system is intended to be accessible to authenticated users only. However, we discovered that an incorrectly written piece of code was also allowing unauthenticated users to access it.
This has now been fixed.
Refactoring of complex SQL queries
Some features require complex database queries to return specific data (such as "the contacts you chat with most frequently").
Several of these SQL queries have been rewritten to prevent potential SQL injection vulnerabilities and to improve readability.
XSS in Space invitation
The node parameter in Space message invitations was not properly escaped, leaving it vulnerable to XSS attacks by a malicious actor.
This has been fixed as well.
A note on security reports
We always welcome feedback and reports regarding possible or confirmed security issues in Movim, and we do our best to address them as quickly as possible.
That said, the recent security reports we received were, in the large majority, AI-generated and submitted by users who appeared more interested in finding issues than in engaging with us to help improve the project.
- All but one of the users who submitted reports never responded to our follow-up questions about details or possible solutions.
- Being AI-generated, all of the reports were excessively long and filled with false claims, non-reproducible proof-of-concept examples, or entirely fabricated sections (what some might call "slop"). This required us to invest many extra hours trying to determine whether any of the generated claims were hiding a genuine issue.
Movim, like all free and open source software, is community-driven. Human interaction is at its heart, and we would love for it to stay that way.
Using LLMs to help identify security flaws is perfectly fine, but please read what you submit and make sure you actually understand it before sending it our way.
That's all, folks! Thanks for reading, and don't forget to update as soon as possible. 😸✌️