CTFd 3.8.2
CTFd 3.8.2 has been released with a security fix for a vulnerability where a malicious admin user could import a crafted zip file to write files to arbitrary locations, depending on the configuration of CTFd.
Depending on the underlying deployment, this arbitrary write could allow the execution of arbitrary code.
Specifically, the filesystem uploader is affected, as is the provided docker-compose.yml.
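The defensive check an importer needs here is to resolve every archive entry against the destination directory before writing it and to refuse anything that lands outside it, including symlink entries. The following is an added example, not CTFd's own import code: it builds a constructed in-memory zip with one legitimate entry and three entries whose names or types would escape the extraction directory, and extracts only the safe one. The entry names and the flag content are constructed sample data.

```python
import io
import os
import tempfile
import zipfile


def build_sample_zip():
    """Constructed sample archive (not a real CTFd export): one benign entry
    plus two traversal names and one symlink entry that must all be rejected."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("challenges/web1/flag.txt", "flag{example}")
        zf.writestr("../outside.txt", "must never be written")
        zf.writestr("challenges/../../outside2.txt", "must never be written")
        # A symlink entry: Unix mode bits live in the high 16 bits of external_attr.
        link = zipfile.ZipInfo("challenges/link")
        link.external_attr = 0o120777 << 16
        zf.writestr(link, "../outside-target")
    return buf.getvalue()


def is_symlink_entry(info):
    """True if the zip entry is recorded as a symbolic link."""
    return ((info.external_attr >> 16) & 0o170000) == 0o120000


def safe_extract(zip_bytes, dest_dir):
    """Extract zip_bytes into dest_dir, rejecting entries that would resolve
    outside dest_dir and all symlink entries. Returns (written, rejected)."""
    dest_root = os.path.realpath(dest_dir)
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if is_symlink_entry(info):
                rejected.append((name, "symlink entry"))
                continue
            # realpath collapses "..", and join() discards dest_root for absolute
            # names, so both traversal styles end up failing the containment test.
            target = os.path.realpath(os.path.join(dest_root, name))
            if os.path.commonpath([dest_root, target]) != dest_root:
                rejected.append((name, "escapes destination"))
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.relpath(target, dest_root).replace(os.sep, "/"))
    return written, rejected


def demo():
    """Run the extractor on the constructed archive inside a scratch directory
    and report what was written, what was rejected, and whether either
    traversal entry escaped into the parent directory."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "extract")
        os.makedirs(dest)
        written, rejected = safe_extract(build_sample_zip(), dest)
        with open(os.path.join(dest, "challenges", "web1", "flag.txt")) as f:
            content = f.read()
        escaped = (os.path.exists(os.path.join(tmp, "outside.txt"))
                   or os.path.exists(os.path.join(tmp, "outside2.txt")))
    return {
        "written": written,
        "rejected": [name for name, _ in rejected],
        "content": content,
        "escaped": escaped,
    }


if __name__ == "__main__":
    print(demo())
```

The containment test compares the resolved target against the resolved destination rather than looking for ".." in the name, so it also covers absolute entry names and paths that pass through a symlink already present on disk. Symlink entries are refused outright because creating them would let a later entry in the same archive write through the link.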
While the CTFd Docker image itself runs as an unprivileged user, CTFd's provided docker-compose.yml file switches to the root user. This has been removed and the Docker image's provided unprivileged user is now the default.
For historical context, the use of root was added many years ago to work around a file-upload error that is no longer relevant, and we regret the oversight.
Hosted CTFd instances were not affected by this vulnerability.
We recommend all CTFd users update their instance to v3.8.2.
v3.8.2 has already been deployed to Hosted CTFd customers. Self-hosted users can download the latest version of CTFd from GitHub.