GHSA-2gw9-c2r2-f5qf

Impact

Any authenticated user can immediately obtain full administrative control of the entire Neko instance (member management, room settings, broadcast control, session termination, etc.). This results in a complete compromise of the instance.

Patches

The vulnerability has been patched in the following releases:

• v3.0.11 (backport release)
• v3.1.2 (latest stable release)

Users should upgrade to v3.0.11 or later (for the 3.0 branch) or v3.1.2 or later.

Workarounds

If upgrading is not immediately possible, the following mitigations can reduce risk:

• Restrict access to trusted users only (avoid granting accounts to untrusted parties)
• Run the instance only when needed; avoid leaving it continuously exposed
• Disable or restrict access to the /api/profile endpoint if feasible
• Monitor for suspicious privilege changes or unexpected administrative actions

Note: These are temporary mitigations and do not fully eliminate the vulnerability. Upgrading is strongly recommended.

Credits

Neko thanks @blitzkrieg-patch for responsibly disclosing this vulnerability and reaching out directly. This contribution helped strengthen the project, and the whole community benefits from it.