[Security] Responsible Disclosure - Security Vulnerability Found #4067

@Astaruf

Environment

Hi,

I have identified a security vulnerability in MagicMirror² that could affect users running the application in server mode (exposed to a network).

I'd like to follow responsible disclosure practices and share the details privately before any public release.

Could you please:

I will keep the details private until a fix is available or 90 days have passed (whichever comes first), in line with standard responsible disclosure timelines.

Thank you.

Which start option are you using?

node --run start

Are you using PM2?

No

Module

None

Have you tried disabling other modules?

  • Yes
  • No

Have you searched if someone else has already reported the issue on the forum or in the issues?

  • Yes

What did you do?

Found a security vulnerability

What did you expect to happen?

Enable https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability on this repository.
OR
Possibility to share vulnerability details privately.

What actually happened?

n/a

Additional comments

No response

Participation

  • I am willing to submit a pull request for this change.
