Project Karpacz is now Ferron.

Vulnerabilities

Some older versions of Ferron may contain security vulnerabilities. It’s recommended to keep Ferron up-to-date.

Fixed in Project Karpacz 0.6.0

  • An attacker could add double slashes to the request URL before “cgi-bin” to bypass the CGI handler and possibly leak the CGI scripts’ source code. (CWE-22; cgi module; introduced in Project Karpacz 0.5.0).
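The double-slash issue above is a case of the handler check and the file lookup disagreeing about what a path means. The following Rust sketch is an added illustration, not Ferron's code: it assumes the CGI check was a literal prefix match (the page does not state the root cause), and all function names are hypothetical.

```rust
// Added illustration, not Ferron's code. All names here are hypothetical.

/// Naive check (assumed): a path is handed to the CGI handler only when it
/// literally starts with "/cgi-bin/". A path such as "//cgi-bin/x.cgi" fails
/// this test and falls through to static file serving.
fn is_cgi_naive(path: &str) -> bool {
    path.starts_with("/cgi-bin/")
}

/// Collapse runs of '/' into a single '/', which is how a filesystem lookup
/// effectively treats repeated separators.
fn collapse_slashes(path: &str) -> String {
    let mut out = String::with_capacity(path.len());
    let mut prev_slash = false;
    for c in path.chars() {
        if c == '/' {
            if !prev_slash {
                out.push('/');
            }
            prev_slash = true;
        } else {
            out.push(c);
            prev_slash = false;
        }
    }
    out
}

/// Hardened check: normalize first, then decide which handler owns the path,
/// so the routing decision and the file lookup see the same string.
fn is_cgi_hardened(path: &str) -> bool {
    is_cgi_naive(&collapse_slashes(path))
}

fn main() {
    // Constructed sample request paths.
    for p in ["/cgi-bin/status.cgi", "//cgi-bin/status.cgi", "/static/app.css"] {
        println!(
            "{:<24} naive={:<5} hardened={}",
            p,
            is_cgi_naive(p),
            is_cgi_hardened(p)
        );
    }
}
```

The same rule applies to any other rewriting done before the file is opened: the handler decision should be made on the path in its final, normalized form.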

Fixed in Project Karpacz 0.3.0

  • An attacker could send a lot of concurrent requests (100 concurrent requests is enough) to make the server stop accepting HTTP requests. (CWE-410; rproxy module; introduced in Project Karpacz 0.2.0).