We release patches for security vulnerabilities. Currently supported versions:

We recommend always using the latest version of Durable Objects Manager.

We take the security of Durable Objects Manager seriously. If you believe you have found a security vulnerability, please report it to us as described below.

Please do NOT report security vulnerabilities through public GitHub issues.

Instead, please report them via:

1. GitHub Security Advisories (Preferred)

   • Go to the Security tab
   • Click "Report a vulnerability"
   • Fill out the form with details

2. Direct Contact

   • Create a private issue with the security label
   • We will respond within 48 hours

Please include as much information as possible:

• Type of vulnerability
• Full paths of source file(s) related to the vulnerability
• Location of the affected source code (tag/branch/commit or direct URL)
• Step-by-step instructions to reproduce the issue
• Proof-of-concept or exploit code (if possible)
• Impact of the vulnerability
• Your suggestions for fixing it (if any)

• Initial Response: Within 48 hours
• Status Update: Within 5 business days
• Fix Timeline: Depends on severity and complexity

1. Validation: We'll confirm the vulnerability
2. Fix Development: We'll work on a patch
3. Testing: Thorough testing of the fix
4. Disclosure:
   • We'll coordinate disclosure with you
   • Security advisory published
   • Release with fix deployed
5. Credit: We'll credit you in the security advisory (if desired)

When deploying Durable Objects Manager:

• Always use Cloudflare Access (Zero Trust) in production
• Configure appropriate identity providers (GitHub OAuth, etc.)
• Set restrictive access policies
• Never disable authentication checks
• Ensure WebSocket connections are properly authenticated

• Protect API tokens: Never commit tokens to version control
• Use Cloudflare Workers Secrets for sensitive data
• Set proper CORS policies
• Implement rate limiting if needed
• Validate all inputs, especially Object IDs and Namespaces

• Grant minimal permissions needed
• Use separate namespaces for different environments (dev/prod)
• Monitor object creation and deletion events
• Audit storage usage logs

• Use .env files for local development only
• Never expose Worker secrets
• Keep dependencies up to date
• Review Cloudflare Access logs regularly

# Set all secrets (never hardcode)
npx wrangler secret put ACCOUNT_ID
npx wrangler secret put API_KEY
npx wrangler secret put TEAM_DOMAIN
npx wrangler secret put POLICY_AUD

• Use HTTPS only (enforced by Cloudflare Workers)
• Configure appropriate CSP headers
• Enable Cloudflare's security features
• Monitor for suspicious WebSocket activity

• Mock data mode bypasses authentication for localhost
• Never deploy with VITE_WORKER_API=http://localhost:8787
• Ensure environment is properly configured for production

• Worker requires Durable Objects read/write permission
• Avoid using Global API Key (use scoped API tokens)
• Review token access logs in Cloudflare dashboard

• Be cautious with sensitive data in DO storage
• Use Cloudflare Access policies to restrict users
• Consider additional encryption for sensitive fields
• Review operation history for potential data leaks

Durable Objects Manager implements several security features:

• Cloudflare Access Integration: Enterprise-grade authentication
• JWT Validation: Every API request and WebSocket connection validated
• Scoped Permissions: Minimal required access
• Namespace Isolation: Strict logical separation of data
• Audit Logging: Operation history tracking
• Secure Defaults: Production-ready configuration
• Input Validation: ID and payload verification
• Rate Limiting: Via Cloudflare Workers platform

This project follows:

• OWASP Top 10 security guidelines
• Cloudflare security best practices
• Zero Trust security model
• Principle of least privilege

Status: ✅ Mitigated (Proactive Fix)

Severity: High

Description: The glob npm package (versions 10.2.0-10.4.x and 11.0.0-11.0.3) contained a command injection vulnerability in its CLI's -c/--cmd option. Malicious filenames with shell metacharacters could execute arbitrary commands when processed.

Impact on DO Manager:

• DO Manager does not directly use the glob CLI
• No current dependencies use vulnerable glob versions
• Risk was theoretical/future-facing

Mitigation:

• Added "glob": "^11.1.0" to package.json overrides section
• Forces all dependencies (current and future) to use patched version 11.1.0
• Provides defense-in-depth protection against transitive dependencies

References:

• GitHub Advisory GHSA-xj72-wvfv-8985
• CVE-2025-64756

Verification:

# Verify no vulnerable glob versions in dependency tree
npm ls glob --all

Security updates are released as soon as possible after validation. Subscribe to:

• GitHub Security Advisories
• GitHub Releases (security releases are tagged)
• GitHub Watch notifications

If you have questions about security that aren't covered here:

• Open a Discussion (for general security questions)
• Check Cloudflare's security documentation
• Review the CONTRIBUTING.md file

We appreciate the security research community and will acknowledge researchers who responsibly disclose vulnerabilities (with permission).

Security is a shared responsibility. Thank you for helping keep Durable Objects Manager secure!