Security Update: Resolving a Path Traversal Vulnerability

At Penpot, the security of your creative work and data is our top priority. We recently received a report regarding a security vulnerability affecting our font-processing component and have since deployed a complete fix.

Here is a summary of what happened, how we responded, and what this means for you.

The Vulnerability

A security researcher identified a Path Traversal / Local File Inclusion vulnerability within the Penpot RPC (Remote Procedure Call) commands used for managing custom fonts.

In short, a specially crafted request could have tricked the server into reading internal files on its own filesystem (such as files containing environment variables) and storing their contents as font assets, from where the attacker could retrieve them. While this did not grant direct access to user databases, it potentially exposed internal server configuration details, including secrets.

Our Response

Once the issue was confirmed, our engineering team immediately:

  1. Patched the code to ensure all file paths are strictly validated and that no internal system files can be accessed via font uploads.

  2. Verified the fix across all environments, including design.penpot.app.

  3. Rotated all server-side secret keys as a precautionary measure to ensure any potentially exposed credentials are no longer valid.

  4. Released new Docker images containing the fix.
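To make the defect and the fix in step 1 concrete, here is an added example that is not Penpot's code and does not reproduce the actual RPC command: a hypothetical font-upload handler that joins a client-supplied reference onto its staging directory without validation, beside a hardened version that accepts only a bare file name, canonicalises the result and checks that it still lies inside the staging directory. The directory layout, file names and the `config.env` "secret" are constructed for the demo.

```python
"""Added example (not Penpot's code): a hypothetical font-upload handler with
the kind of path-traversal defect this advisory describes, beside a hardened
version that validates the resolved path before reading."""
import os
import tempfile
from pathlib import Path

# Constructed demo filesystem: an uploads staging directory that the handler
# is allowed to read from, and a configuration file outside it standing in
# for the internal server files the advisory mentions.
ROOT = Path(tempfile.mkdtemp(prefix="font-demo-"))
UPLOADS = ROOT / "uploads"
UPLOADS.mkdir()
FONT_BYTES = b"\x00\x01\x00\x00demo-font"
(UPLOADS / "Inter.ttf").write_bytes(FONT_BYTES)
SECRET_FILE = ROOT / "config.env"
SECRET_BYTES = b"PENPOT_SECRET_KEY=hypothetical-demo-secret\n"
SECRET_FILE.write_bytes(SECRET_BYTES)
# A symlink planted inside the staging directory that points outside it.
(UPLOADS / "evil.ttf").symlink_to(SECRET_FILE)


class PathTraversal(ValueError):
    """Raised when a client-supplied reference would leave UPLOADS."""


def vulnerable_read_font(upload_ref: str) -> bytes:
    """Vulnerable pattern: the client-supplied reference is joined onto the
    staging directory and opened as-is.  '..' segments walk out of UPLOADS,
    and os.path.join discards the base entirely when the second argument is
    absolute, so an absolute path is read verbatim."""
    target = os.path.join(str(UPLOADS), upload_ref)
    with open(target, "rb") as fh:
        return fh.read()


def safe_read_font(upload_ref: str) -> bytes:
    """Hardened pattern: only a bare file name is accepted, the result is
    canonicalised (resolving '..' and symlinks), and the canonical path must
    sit directly inside the canonical staging directory."""
    # The server decides where assets live; the client may only name one.
    if not upload_ref or upload_ref != os.path.basename(upload_ref):
        raise PathTraversal(f"reference must be a bare file name: {upload_ref!r}")
    base = UPLOADS.resolve()
    target = (base / upload_ref).resolve()
    # Compare path components, not string prefixes: '/srv/uploads-old/x'
    # starts with '/srv/uploads' yet is outside it.  Checking the resolved
    # path also catches symlinks planted inside the staging directory.
    if base not in target.parents:
        raise PathTraversal(f"resolved path escapes uploads dir: {target}")
    if not target.is_file():
        raise FileNotFoundError(upload_ref)
    return target.read_bytes()


def outcome(reader, upload_ref: str):
    """Run a reader and report either the exception type or the bytes read,
    so the two handlers can be compared side by side."""
    try:
        return reader(upload_ref)
    except Exception as exc:  # the demo wants the type, not a crash
        return type(exc)


if __name__ == "__main__":
    for ref in ("Inter.ttf", "../config.env", str(SECRET_FILE), "evil.ttf"):
        print(f"{ref!r:>40}  vulnerable={outcome(vulnerable_read_font, ref)!r}"
              f"  safe={outcome(safe_read_font, ref)!r}")
```

Running the block shows the vulnerable reader returning the contents of `config.env` for a `..` reference, for an absolute path and for the planted symlink, while the hardened reader rejects all three and still serves `Inter.ttf`. The two points worth keeping from it are that the containment check is done on the resolved path (so symlinks cannot bypass it) and on path components rather than a string prefix.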

What This Means for You

Because we rotated our internal security keys, you may have noticed a few temporary disruptions. These are proactive security measures and do not indicate that your personal account was breached.

The following items were invalidated during the reset:

  • Active Sessions: You may have been automatically logged out and asked to sign in again.

  • Invitation Links: Any pending team or project invitations sent before the fix will no longer work. You will need to resend these invites.

  • Shared Viewer Links: Existing “Share Links” have been invalidated. You will need to generate new links to share your designs.

Important Note: Your designs, files, and personal data remain secure. This vulnerability did not allow for the modification or theft of user-generated content.

For On-Premise Users

For those running self-hosted instances of Penpot, we have released a patch to address this vulnerability. We strongly recommend all administrators update their deployments immediately.

  • Fixed Version: 2.13.2

  • Availability: The new Docker images are already available on Docker Hub.

  • Action Required: Pull the fixed image and restart your containers. As a best practice, we also recommend rotating your PENPOT_SECRET_KEY and any other credentials in your configuration file after updating, since the vulnerability could have exposed them. Expect the same effects on your instance as described above for design.penpot.app: active sessions, pending invitation links and existing share links will be invalidated by the rotation.
