[PR #6257] [MERGED] Calibre-Web: Remove from Frontend during Critical Security Issues #6500

New Issue

Closed

opened 2025-11-20 07:10:52 -05:00 by saavagebueno · 0 comments

saavagebueno commented 2025-11-20 07:10:52 -05:00

Owner

Copy Link

📋 Pull Request Information

Original PR: https://github.com/community-scripts/ProxmoxVE/pull/6257
Author: @MickLesk
Created: 7/26/2025
Status: ✅ Merged
Merged: 7/26/2025
Merged by: @michelroegl-brunner

Base: main ← Head: calibre

---

📝 Commits (1)

• ae55ec0 Calibre-Web: Remove from Frontend during Critical Security Issues

📊 Changes

2 files changed (+0 additions, -107 deletions)

View changed files

➖ frontend/public/json/calibre-web.json (+0 -40)
➖ install/calibre-web-install.sh (+0 -67)

📄 Description

✍️ Description

remove Calibre Web from Frontend and Backup Install File

"2 weeks ago a security team attempted to make contact with the Calibre-Web dev and received no response. Today they have published the details of two vulnerabilities in the application, you can read about them here and here.

Since Calibre-Web hasn't had an update in some time, these vulnerabilities remain in the stable release that is used by the Helper Script.

Some info about the vulns:

• the Blind Command Injection vulnerability requires a malicious, authenticated Admin user to set the path to a malicious command or script. The vulnerable function will blindly execute the command, since there is no validation. It's possible to get a reverse shell via this method, but again, this can only be achieved by authenticated admins, so it's mitigated somewhat.
• the reDOS vulnerability allows any unauthenticated attacker to cause a denial of service by sending specially crafted input to the login form. Since this is possible without any authentication, Calibre-Web instances open to the internet are definitely vulnerable to this.

As far as I can tell, these vulns have only been patched in Autocaliweb - a fork of Calibre-Web and Calibre-Web Automated."

🔗 Related PR / Issue

Link: #6249

✅ Prerequisites (X in brackets)

• Self-review completed – Code follows project standards.
• Tested thoroughly – Changes work as expected.
• No security risks – No hardcoded secrets, unnecessary privilege escalations, or permission issues.

---

🛠️ Type of Change (X in brackets)

• 🐞 Bug fix – Resolves an issue without breaking functionality.
• ✨ New feature – Adds new, non-breaking functionality.
• 💥 Breaking change – Alters existing functionality in a way that may require updates.
• 🆕 New script – A fully functional and tested script or script set.
• 🌍 Website update – Changes to website-related JSON files or metadata.
• 🔧 Refactoring / Code Cleanup – Improves readability or maintainability without changing functionality.
• 📝 Documentation update – Changes to README, AppName.md, CONTRIBUTING.md, or other docs.

---

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/community-scripts/ProxmoxVE/pull/6257 **Author:** [@MickLesk](https://github.com/MickLesk) **Created:** 7/26/2025 **Status:** ✅ Merged **Merged:** 7/26/2025 **Merged by:** [@michelroegl-brunner](https://github.com/michelroegl-brunner) **Base:** `main` ← **Head:** `calibre` --- ### 📝 Commits (1) - [`ae55ec0`](https://github.com/community-scripts/ProxmoxVE/commit/ae55ec0d850bab54e9470bbc649cc1c733c39df4) Calibre-Web: Remove from Frontend during Critical Security Issues ### 📊 Changes **2 files changed** (+0 additions, -107 deletions) <details> <summary>View changed files</summary> ➖ `frontend/public/json/calibre-web.json` (+0 -40) ➖ `install/calibre-web-install.sh` (+0 -67) </details> ### 📄 Description ## ✍️ Description remove Calibre Web from Frontend and Backup Install File "2 weeks ago a security team attempted to make contact with the Calibre-Web dev and received [no response](https://github.com/janeczku/calibre-web/issues/3427). Today they have published the details of two vulnerabilities in the application, you can read about them [here](https://fluidattacks.com/advisories/megadeth) and [here](https://fluidattacks.com/advisories/kino). Since Calibre-Web hasn't had an update in some time, these vulnerabilities remain in the stable release that is used by the Helper Script. Some info about the vulns: - the Blind Command Injection vulnerability requires a malicious, authenticated Admin user to set the path to a malicious command or script. The vulnerable function will blindly execute the command, since there is no validation. It's possible to get a reverse shell via this method, but again, this can only be achieved by authenticated admins, so it's mitigated somewhat. - the reDOS vulnerability allows any unauthenticated attacker to cause a denial of service by sending specially crafted input to the login form. Since this is possible without any authentication, Calibre-Web instances open to the internet are definitely vulnerable to this. As far as I can tell, these vulns have only been patched in [Autocaliweb](https://github.com/gelbphoenix/autocaliweb) - a fork of Calibre-Web and Calibre-Web Automated." ## 🔗 Related PR / Issue Link: #6249 ## ✅ Prerequisites (**X** in brackets) - [x] **Self-review completed** – Code follows project standards. - [x] **Tested thoroughly** – Changes work as expected. - [x] **No security risks** – No hardcoded secrets, unnecessary privilege escalations, or permission issues. --- ## 🛠️ Type of Change (**X** in brackets) - [ ] 🐞 **Bug fix** – Resolves an issue without breaking functionality. - [ ] ✨ **New feature** – Adds new, non-breaking functionality. - [x] 💥 **Breaking change** – Alters existing functionality in a way that may require updates. - [ ] 🆕 **New script** – A fully functional and tested script or script set. - [ ] 🌍 **Website update** – Changes to website-related JSON files or metadata. - [ ] 🔧 **Refactoring / Code Cleanup** – Improves readability or maintainability without changing functionality. - [ ] 📝 **Documentation update** – Changes to `README`, `AppName.md`, `CONTRIBUTING.md`, or other docs. --- _{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

saavagebueno added the pull-request label 2025-11-20 07:10:52 -05:00

saavagebueno closed this issue 2025-11-20 07:10:53 -05:00

saavagebueno referenced this issue 2025-11-20 07:12:01 -05:00

[PR #6500] [MERGED] [Github Action] Update CHANGELOG.md #6719

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

github-action-update-changelog

pr-update-app-files

add-script-bambuddy-1774853250

MickLesk-patch-1

fix/immich-maintenance-mode-redis-error

fix/npm-unmask-openresty-on-migration

fix/ollama-intel-gpg-error-handling

github-action-archive-changelog

add-script-yourls-1774732133

add-script-matter-server-1774638379

fix/dispatcharr-pg-port

cron_update_lxc

chore/immich-v2.6.3

add-script-geopulse-1774548387

cdn_improvements

add-script-birdnet-1774535320

fix/tools-func-exit-codes

fix/immich-update-db-hostname

update/frigate-0.17.1

fix/use-absolute-path-for-install

fix/pin-npm-version

shell_safe_fixes

remove_booklore

chore/update-url-community-scripts

komodov2

refactor/turnkey-modernize

add-script-nextexplorer-1774344421

add-script-homebrew-1774342032

fix/shell-security-hardening-v2

improve/build-func-performance-cleanup

fix/build-dns-prefix

fix/anytype-mongodb-wait

fix/frigate-cpu-model-path

copilot/fix-installation-failure-isponsorblocktv

fix/reactive-resume-add-git

copilot/scanopy-fix-apt-configuration-error

add-script-isponsorblocktv-1774009652

add-script-alpine-wakapi-1774008954

fix/coder-code-server-existing-config-and-reachability

add-script-teleport-1773928044

CrazyWolf13-patch-wealthfolio-1

refactor/tools-func-qol

fix/stirling-pdf-jdk-reinstall

fix/pinned-version-wording

MickLesk-patch-10

fix/reactive-resume-v5013

fix/tracearr-update-version-oom

copilot/fix-hdd-space-for-owncast

tremor021-patch-6

pocketbase_bot

disp_fix

fix/tdarr-binary-check-curl-retry

MickLesk-patch-9

refactor/podman-quadlets

alpine-ntfy

refactor/jellyfin

CrazyWolf13-patch-11

feature/autousermod_hwaccell

add-script-split-pro-1773677692

fix/frigate-openvino-fallback

fix/paperless-ngx-default-ram

fix/plex-restart-after-update

fix/gluetun-openvpn-env

MickLesk-patch-8

termix_add_guacd

MickLesk-patch-7

fix/tududi-nodejs-in-update

fix/sparkyfitness-npm-peer-deps

docs/website-metadata-workflow

fix-pbs_microcode

remove_jsons

michelroegl-brunner-patch-4

add-script-test-1773325265

cleanup_workflows

feat/remove-frontend

automated/update-github-versions

feat/mode-generated

fix/n8n-build-essential

fix/sparkyfitness-shared-deps

fix/rocm-path-escaping

fix/storage-validation-cross-node

fix/frigate-nvidia-version-regex

arm64-build-support

readme

michelroegl-brunner-patch-3

fix/coder-code-server-backup

copilot/fix-immich-update-dependency-issue

rust

fix/linkwarden-update-playwright

fix/powerdns-sqlite-permissions

fix/duplicate-nameserver-searchdomain

CrazyWolf13-patch-7

feat/ollama-rocm-support

fix/seerr-migration-update-script

preflight_tests

adgu_fix

2026-03-30

2026-03-29

2026-03-28

2026-03-27

2026-03-26

2026-03-25

2026-03-24

2026-03-23

2026-03-22

2026-03-21

2026-03-20

2026-03-19

2026-03-18

2026-03-17

2026-03-16

2026-03-15

2026-03-14

2026-03-13

2026-03-12

2026-03-11

2026-03-10

2026-03-09

2026-03-08

2026-03-07

2026-03-06

2026-03-05

2026-03-04

2026-03-03

2026-03-02

2026-03-01

2026-02-28

2026-02-27

2026-02-26

2026-02-25

2026-02-24

2026-02-23

2026-02-22

2026-02-21

2026-02-20

2026-02-19

2026-02-18

2026-02-17

2026-02-16

2026-02-15

2026-02-14

2026-02-13

2026-02-12

2026-02-11

2026-02-10

2026-02-09

2026-02-08

2026-02-07

2026-02-06

2026-02-05

2026-02-04

2026-02-03

2026-02-02

2026-02-01

2026-01-31

2026-01-30

2026-01-29

2026-01-28

2026-01-27

2026-01-26

2026-01-25

2026-01-24

2026-01-23

2026-01-22

2026-01-21

2026-01-20

2026-01-19

2026-01-18

2026-01-17

2026-01-16

2026-01-15

2026-01-14

2026-01-13

2026-01-12

2026-01-11

2026-01-10

2026-01-09

2026-01-08

2026-01-07

2026-01-06

2026-01-05

2026-01-04

2026-01-03

2026-01-02

2026-01-01

2025-12-31

2025-12-30

2025-12-29

2025-12-28

2025-12-27

2025-12-26

2025-12-25

2025-12-24

2025-12-23

2025-12-22

2025-12-21

2025-12-20

2025-12-19

2025-12-18

2025-12-17

2025-12-16

2025-12-15

2025-12-14

2025-12-13

2025-12-12

2025-12-11

2025-12-10

2025-12-09

2025-12-08

2025-12-07

2025-12-06

2025-12-05

2025-12-04

2025-12-03

2025-12-02

2025-12-01

2025-11-30

2025-11-29

2025-11-28

2025-11-27

2025-11-26

2025-11-25

2025-11-24

2025-11-23

2025-11-22

2025-11-21

2025-11-20

2025-11-19

2025-11-18

2025-11-17

2025-11-16

2025-11-15

2025-11-14

2025-11-13

2025-11-12

2025-11-11

2025-11-10

2025-11-09

2025-11-08

2025-11-07

2025-11-06

2025-11-05

2025-11-04

2025-11-03

2025-11-02

2025-11-01

2025-10-31

2025-10-30

2025-10-29

2025-10-28

2025-10-27

2025-10-26

2025-10-25

2025-10-24

2025-10-23

2025-10-22

2025-10-21

2025-10-20

2025-10-19

2025-10-18

2025-10-17

2025-10-16

2025-10-15

2025-10-14

2025-10-13

2025-10-12

2025-10-11

2025-10-10

2025-10-09

2025-10-08

2025-10-07

2025-10-06

2025-10-05

2025-10-04

2025-10-03

2025-10-02

2025-10-01

2025-09-30

2025-09-29

2025-09-28

2025-09-27

2025-09-26

2025-09-25

2025-09-24

2025-09-23

2025-09-22

2025-09-21

2025-09-20

2025-09-19

2025-09-18

2025-09-17

2025-09-16

2025-09-15

2025-09-14

2025-09-13

2025-09-12

2025-09-11

2025-09-10

2025-09-09

2025-09-08

2025-09-07

2025-09-06

2025-09-05

2025-09-04

2025-09-03

2025-09-02

2025-09-01

2025-08-31

2025-08-30

2025-08-29

2025-08-28

2025-08-27

2025-08-26

2025-08-25

2025-08-24

2025-08-23

2025-08-22

2025-08-21

2025-08-20

2025-08-19

2025-08-18

2025-08-17

2025-08-16

2025-08-15

2025-08-14

2025-08-13

2025-08-12

2025-08-11

2025-08-10

2025-08-09

2025-08-08

2025-08-07

2025-08-06

2025-08-05

2025-08-04

2025-08-03

2025-08-02

2025-08-01

2025-07-31

2025-07-30

2025-07-29

2025-07-28

2025-07-27

2025-07-26

2025-07-25

2025-07-24

2025-07-23

2025-07-22

2025-07-21

2025-07-20

2025-07-19

2025-07-18

2025-07-17

2025-07-16

2025-07-15

2025-07-14

2025-07-11

2025-07-10

2025-07-09

2025-07-08

2025-07-07

2025-07-06

2025-07-05

2025-07-04

2025-07-03

2025-07-02

2025-07-01

2025-06-30

2025-06-29

2025-06-28

2025-06-27

2025-06-26

2025-06-25

2025-06-24

2025-06-23

2025-06-22

2025-06-21

2025-06-20

2025-06-19

2025-06-18

2025-06-17

2025-06-16

2025-06-15

2025-06-14

2025-06-13

2025-06-12

2025-06-11

2025-06-10

2025-06-09

2025-06-08

2025-06-07

2025-06-06

2025-06-05

2025-06-04

2025-06-03

2025-06-02

2025-06-01

2025-05-31

2025-05-30

2025-05-29

2025-05-28

2025-05-27

2025-05-26

2025-05-25

2025-05-24

2025-05-23

2025-05-22

2025-05-21

2025-05-20

2025-05-19

2025-05-18

2025-05-17

2025-05-16

2025-05-15

2025-05-14

2025-05-13

2025-05-12

2025-05-11

2025-05-10

2025-05-09

2025-05-08

2025-05-07

2025-05-06

2025-05-05

2025-05-04

2025-05-03

2025-05-02

2025-05-01

2025-04-30

2025-04-29

2025-04-28

2025-04-27

2025-04-26

2025-04-25

2025-04-24

2025-04-23

2025-04-22

2025-04-20

2025-04-21

2025-04-19

2025-04-18

2025-04-17

2025-04-15

2025-04-16

2025-04-14

2025-04-13

2025-04-12

2025-04-11

2025-04-10

2025-04-09

2025-04-08

2025-04-07

2025-04-06

2025-04-05

2025-04-04

2025-04-03

2025-04-02

2025-04-01

2025-03-31

2025-03-30

2025-03-29

2025-03-28

2025-03-27

2025-03-26

2025-03-25

2025-03-24

2025-03-23

2025-03-22

2025-03-21

2025-03-20

2025-03-19

2025-03-18

2025-03-17

2025-03-16

2025-03-15

2025-03-14

2025-03-13

2025-03-12

2025-03-11

2025-03-10

2025-03-09

2025-03-08

2025-03-07

2025-03-06

2025-03-05

2025-03-04

2025-03-03

2025-03-02

2025-03-01

2025-02-28

2025-02-27

2025-02-26

2025-02-25

2025-02-24

2025-02-23

2025-02-21

2025-02-20

2025-02-19

2025-02-18

2025-02-17

2025-02-16

2025-02-15

2025-02-14

2025-02-13

2025-02-12

2025-02-11

2025-02-10

2025-02-09

2025-02-08

2025-02-07

2025-02-06

2025-02-05

2025-02-04

2025-02-03

2025-02-02

2025-02-01

2025-01-31

2025-01-30

2025-01-29

2025-01-28

2025-01-27

2025-01-26

2025-01-24

2025-01-23

2025-01-22

2025-01-21

2025-01-20

2025-01-19

2025-01-18

2025-01-17

2025-01-16

2025-01-15

2025-01-14

2025-01-13

2025-01-11

2025-01-10

2025-01-09

2025-01-08

2025-01-07

2025-01-06

2025-01-05

2025-01-04

2025-01-03

2025-01-02

2025-01-01

2024-12-31

2024-12-30

2024-12-29

2024-12-28

2024-12-27

2024-12-26

2024-12-25

2024-12-23

2024-12-21

2024-12-20

2024-12-19

2024-12-18

2024-12-17

2024-12-16

2024-12-13

2024-12-12

2024-12-09

2024-12-08

2024-12-07

2024-12-06

2024-12-05

2024-12-04

2024-12-03

2024-12-02

2024-11-30

2024-11-29

2024-11-28

2024-11-27

2024-11-26

2024-11-25

2024-11-24

2024-11-23

Labels

Clear labels

🛑 Failure to comply with the guidelines

breaking change

bug

bug

bugfix

deferred

delete script

dependencies

enhancement

external

feature

github

help wanted

Implemented in VED waiting push to Main

in project pipeline

invalid

investigation

json

maintenance

new script

new script

nice to have

not a script issue

not planned

organization

pull-request

Mirrored from GitHub Pull Request

question

refactor

rename script

security

update script

website

wontdo

No Label pull-request

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

saavagebueno

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: SVI/ProxmoxVE#6500