Releases

Bugfixes

• Fix data loss when 5+ users edit a document concurrently, caused by the OT client discarding operations during revision gap recovery (#6342)
• Add defensive null checks to hex2rgb to prevent crashes from non-hex color values

Maintenance

• Dependency updates

Contributors

• Dex Devlon

Bugfixes

• Random colors for user’s cursors and selections are now always in hex format to avoid conversion errors
• Correctly close realtime connections if they disconnect during connection creation
• manage_users CLI does not silently drop errors

Security fixes

This release contains two medium severity security fixes:

• CVE-2026-25642 reports a bug where security headers for upload files were not set correctly.
• GHSA-672m-p72w-gw28 reports potential security issues with limited script execution in uploaded SVG files.

Thanks to @HUSEYNKHANLI and @drkim-dev for reporting!

Maintenance

• Dependency updates
• Enhancements in the documentation at docs.hedgedoc.org

Contributors

• xenein (#6322)

This release is just a fix for the docker container. It does not contain any changes to HedgeDoc itself.

Bugfixes

• Fix the bundled healthcheck in the docker container

Security fixes

This release contains two low severity security fixes:

• GHSA-gmgw-rcmh-7x47 reports potential cross-site side-effects due to not applying sandboxing to iframes.
• CVE-2025-66629 reports a possible CSRF vulnerability when using certain social login providers because the state parameter is not used and checked.

Enhancements

• Add enableUploads (CMD_ENABLE_UPLOADS) config option to restrict uploads to registered users, all users or none to completely disable uploads.
• Allow links to protocols such as xmpp, webcal or geo
• Switch from deprecated shortid to nanoid module, with 10 character long aliases in “public” links
• Ensure compatibility with Node 24
• Protect user history from accidental or malicious deletion by adding a CSRF-like token
• Many enhancements in the documentation at docs.hedgedoc.org

Bugfixes

• Ignore the healthcheck endpoint in the “too busy” limiter
• Send the referrer origin for YouTube embeddings due to their requirement
• Force kill the server after a timeout when waiting for the realtime server to close connections on shutdown
• Secure iframes with credentialless and sandbox attributes
• Fix regexes for [time=...], [name=...] and [color=...] shortcodes in lists
• Use state parameter for OAuth2 flows and PKCE where applicable

Node compatibility

• Support for Node 24 was verified. The docker image now uses Node 24 as its base image.

Contributors

• Nora Matthias Schiffer (#6096)
• 4censord (#6102)
• Zachery Faria (#6105)
• pl7ofit (#6106)
• Lars Kiesow (#6107)
• Kim Brose (#6114)
• Achilleas Pipinellis (#6119)
• Andreas Boesen (#6148, #6149)
• Thary (#6155)

Security fixes

This release fixes a security issue of a possible XSS exploit which can be planted via a malicous SVG file upload.

See CVE-2025-32391 for more details

Enhancements

• Add config options CMD_SAML_WANT_ASSERTIONS_SIGNED and CMD_SAML_WANT_AUTHN_RESPONSE_SIGNED for SAML auth, since some instances didn’t comply with the new defaults of @node-saml/passport-saml

PLEASE CHECK THIS IF YOU USE SAML AUTHENTICATION: This release had to set default values for the username and email address attribute mapping for SAML authentication for security reasons. If you use SAML authentication, please make sure to update your SAML configuration accordingly. See: https://docs.hedgedoc.org/configuration/#saml-login CMD_SAML_ATTRIBUTE_USERNAME or CMD_SAML_ATTRIBUTE_EMAIL

Bugfixes

• Check if a valid user id is present when using OAuth2
• Abort SAML login if NameID is undefined instead of logging in with a user named “undefined” (Thanks @Haanifee)
• Set default values for username and email attribute mapping in SAML configuration

This release fixes a security issue where brute-forcing local email/passwords is possible because of missing rate-limits. We recommend upgrading as soon as possible, if you use local logins.

See also https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-6w39-x2c6-6mpf

This release changes the default configuration of the HSTS preload attribute to false for compliance with the HSTS preload list requirements. This shouldn’t impact any instance. However, if you intend to use HSTS preloading you should enable the config setting hsts.preload to true or set environment variable CMD_HSTS_PRELOAD=true.

This release deprecates support for Node 18. As the LTS support for 18 runs out in April 2025, the next release will only work with Node 20 and upwards. Consider this your early warning to upgrade any running instances to at least Node 20.

Enhancements

• Add fixed rate-limiting to the login and register endpoints
• Add configurable rate-limiting to the new notes endpoint

Bugfixes

• Fix a crash when cannot read user profile in OAuth (#5850 by @lautaroalvarez)
• Fix CSP Header for mermaid embedded images (#5887 by @domrim)
• Change default of HSTS preload to false for compliance with the HSTS preload list requirements (#5913 by @SvizelPritula)

Contributors

• Dominik Rimpf
• Lautaro Alvarez

This release fixes a security issue when using MySQL/MariaDB. We recommend upgrading as soon as possible, when you use this database.

Please note: This release dropped support for Node 16, which is end-of-life since September 2023. You now need at least Node 18 to run HedgeDoc. We recommend to use the latest LTS release of Node.js.

⚠️ Node 22.7.0 has a regression that breaks UTF-8 encoding. Do not use that version to run HedgeDoc. ⚠️

Security Fixes

• GHSA-pjf2-269h-cx7p: MySQL & free URL mode allows to hide existing notes

Features

• Add disableNoteCreation config option for read-only instances

Enhancements

• Add a pointer to Mermaid 9.1.7 documentation, which is what HedgeDoc 1 supports.
• Compatibility with Node.js 22 is now checked in CI

Bugfixes

• Fix a crash when having numeric-only values in opengraph frontmatter
• Fix unnecessary session creation on healthcheck endpoint
• Fix invalid metadata being sent for minio uploads
• Fix screen readers announcing headings twice
• Fix a crash when receiving unexpected OAuth profile data
• Fix some cases of HedgeDoc not redirecting to the previous page after login
• Fix heading anchor links referencing an invalid URL
• Our meta-marked package is now published to NPM, fixing some installation issues

Contributors

• Axel (translator)
• Eduard (translator)
• Jordi Mallach (translator)
• José M. (translator)
• Meskó Balázs (translator)
• TheInfamousToTo (translator)
• Tobias (translator)
• Úr Balázs (translator)

HedgeDoc has a new slogan! See our announcement for the details.

This release fixes a security issue. We recommend upgrading as soon as possible.

Security Fixes

• CVE-2023-38487: API allows to hide existing notes

Enhancements

• Docker secrets can now be used to provide OAuth2 client secrets (#4196 by @DennisGaida)
• Document how to set up Azure Active Directory authentication (#4413 by @pramitsingh0)
• Add YAML metadata to documentation page (#4371 by @JunedKhan101)

Bugfixes

• Fix non-existing notes being created in some cases, instead of returning a 404 error

Contributors

• Jordi Mallach (translator)
• sujade (translator)

Please note: This release dropped support for Node 14, which is end-of-life since May 2023. You now need at least Node 16 to run HedgeDoc. We recommend to use the latest LTS release of Node.js.

This release switches to Yarn 3 for dependency management, as Yarn 1 has bugs preventing us from upgrading some dependencies. If you install HedgeDoc manually, run bin/setup again for instructions. Other installation methods should not require special actions.

Enhancements

• Extend boolean environment variable parsing with other positive answers and case insensitivity
• Allow setting of documentMaxLength via CMD_DOCUMENT_MAX_LENGTH environment variable (contributed by @jmallach)
• Add dedicated healthcheck endpoint at /_health that is less resource intensive than /status
• Compatibility with Node.js 18 and later
• Add support for the arm64 architecture in the docker image
• Add a config option to disable the /status and /metrics endpoints

Bugfixes

• Fix that permission errors can break existing connections to a note, causing inconsistent note content and changes not being saved (contributed by @julianrother)
• Fix speaker notes not showing up in the presentation view
• Fix issues with upgrading some dependencies by upgrading to Yarn 3
• Fix macOS compatibility of bin/setup script

Contributors

• UwYFmLpoKtYn (translator)
• Pub (translator)
• SnowCode (translator)

Bugfixes

• Fix note titles with special characters producing invalid file names in user export zip file
• Fix night-mode toggle not working when page is loaded with night-mode enabled

Contributors

• Francesco (translator)
• Gabriel Santiago Macedo (translator)

Bugfixes

• Fix migrations deleting all notes when SQLite is used

🚨 This release has a bug that leads to data-loss when using SQLite. We advise users of SQLite databases to skip this release and use 1.9.6. 🚨

Enhancements

• Add dark mode toggle in mobile view
• Replace embedding shortcode regexes with more specific ones to safeguard against XSS attacks

Bugfixes

• Fix a crash when using LDAP authentication with custom search attributes (thanks to @aboettger-tuhh for reporting)
• Fix a crash caused by a long note history when the MySQL database is used
• Fix breaks option not being respected in the publish-view
• Fix missing syntax highlighting in the markdown editor

Contributors

• Bateausurleau (translator)
• Goncalo (translator)
• Ívarr Vinter (translator)
• Oein0219 (translator)
• Pol Dellaiera

Please note: This release dropped support for Node 12, which is end-of-life since April 2022. You now need at least Node 14.13.1 or Node 16 to run HedgeDoc. We don’t support more recent versions of Node.

Enhancements

• Remove unexpected shell call during migrations
• More S3 config options: upload folder & public ACL (thanks to @lautaroalvarez)

Contributors

• Al_x (translator)
• Emmanuel Courreges (translator)
• paranic (translator)
• Quentin PAGÈS (translator)

This release fixes a security issue. We recommend upgrading as soon as possible.

⚠️ Warning: If you deploy HedgeDoc and MariaDB with docker-compose using a checkout of our container repo, you will need to manually convert the character set of the database to utf8mb4 when updating. See the corresponding PR for more information.

Security Fixes

• CVE-2022-24837: Enumerable upload file names

Enhancements

• Libravatar avatars render as ident-icons when no avatar image was uploaded to Libravatar or Gravatar
• Add database connection error message to log output
• Allow SAML authentication provider to be named
• Suppress error message when git binary is not found

Bugfixes

• Fix error that Libravatar user avatars were not shown when using OAuth2 login
• Fix bin/manage_users not accepting numeric passwords (thanks to @carr0t2 for reporting)
• Fix visibility of modals for screen readers
• Fix GitLab snippet export (thanks to @semjongeist for reporting)
• Fix missing inline authorship colors (thanks to @EBendinelli for reporting)

Contributors

• ced (translator)
• deluxghost (translator)
• Dennis Gaida
• Michael Hauer (translator)
• Moritz Schlarb
• Mostafa Ahangarha (translator)
• Sandro
• Sergio Varela (translator)
• Tạ Quang Khôi (translator)
• Tiago Triques (translator)
• tmpod (translator)
• Uchiha Kakashi

Bugfixes

• Fix error in the session handler when requesting /metrics or /status

This release increases the minimum required Node versions to 12.20.0, 14.13.1 and 16. In general, only the latest releases of Node 12, 14 and 16 are officially supported by us, older minor versions can be dropped at any time. We recommend you run HedgeDoc with the latest release of Node 16.

Bugfixes

• Add workaround for incorrect CSP handling in Safari
• Fix crash when an unexpected response from the GitLab API is encountered
• Fix crash when using hungarian language

Contributors

• AIAC (translator)
• Danilo Bargen
• Diem Duong (translator)
• Gergely Polonkai (translator)
• Nikola (translator)
• ProttoyChakraborty
• Sergio (translator)
• Tiago Triques (translator)
• Vincent Dusanek (translator)
• Александр (translator)

Security Fixes

• CVE-2021-39175: XSS vector in slide mode speaker-view
• This release removes Google Analytics and Disqus domains from our default Content Security Policy, because they were repeatedly used to exploit security vulnerabilities.
  If you want to continue using Google Analytics or Disqus, you can re-enable them in the config. See the docs for details

Features

• HedgeDoc now automatically retries connecting to the database up to 30 times on startup
• This release introduces the csp.allowFraming config option, which controls whether embedding a HedgeDoc instance in other webpages is allowed. We strongly recommend disabling this option to reduce the risk of XSS attacks
• This release introduces the csp.allowPDFEmbed config option, which controls whether embedding PDFs inside HedgeDoc notes is allowed. We recommend disabling this option if you don’t use the feature, to reduce the attack surface of XSS attacks
• Add additional environment variables to configure the database. This allows easier configuration in containerized environments, such as Kubernetes

Enhancements

• Further improvements to the frontend build process, reducing the initial bundle size by 60%
• Improve the error handling of the filesystem upload method
• Improve the error message of failing migrations

Bugfixes

• Fix crash when trying to read the current Git commit on startup
• Fix endless loop on shutdown when HedgeDoc can’t connect to the database
• Ensure that all cookies are set with the secure flag, if HedgeDoc is loaded via HTTPS
• Fix session cookies being created on calls to /metrics and /status
• Fix incorrect creation of S3 endpoint domain (thanks to @matejc)
• Remove CDN support, fixing inconsistencies in library versions delivered to the client
• Fix font display issues when having some variants of fonts used by HedgeDoc installed locally
• Fix links between slides not working
• Fix Vimeo integration using a deprecated API

Miscellaneous

• Removed MSSQL support, as migrations from 2018 are broken with SQL Server and nobody seems to use it

Contributors

• Bogdan Cuza (translator)
• Heimen Stoffels (translator)
• igg17 (translator)
• Klorophatu (translator)
• Martin (translator)
• Matija (translator)
• Matthieu Devillers (translator)
• Mindaugas (translator)
• Quentin Pagès (translator)

This release fixes two security issues. We recommend upgrading as soon as possible.

Security Fixes

• CVE-2021-29503: Improper Neutralization of Script-Related HTML Tags in Notes
• Fix a potential XSS-vector in the handling of usernames and profile pictures

Enhancements

• Speed up yarn install in production mode (as performed by bin/setup) by marking frontend-only dependencies as dev-dependencies. This also reduces the size of the docker container
• Speed up the frontend-build by using esbuild instead of terser to minify JavaScript
• Improve behavior of the ‘Quote’, ‘List’, ‘Unordered List’ and ‘Check List’ buttons in the editor to automatically apply to the complete first and last line of the selection

Bugfixes

• Correct the 1.8.0 release notes to state that CVE-2021-29475 has been fixed since HedgeDoc 1.5.0.
• Fix crash on startup when useSSL or csp.upgradeInsecureRequests is enabled (thanks to @mdegat01 for reporting)
• Automatically enable protocolUseSSL when useSSL is also enabled
• Fix the ‘Quote’, ‘List’, ‘Unordered List’ and ‘Check List’ buttons in the editor to not duplicate content when only parts of a line are selected (thanks to @AnomalRoil for reporting)
• Fix click handler for numbered task lists (thanks to @xoriade for reporting)

This release fixes multiple security issues. We recommend upgrading as soon as possible.

Please note: This release dropped support for Node 10, which is end-of-life since April 2021. You now need at least Node 12 to run HedgeDoc, but we recommend running the latest LTS release.

Security Fixes

• CVE-2021-29474: Relative path traversal Attack on note creation
• CVE-2021-21306: Underscore ReDoS in the marked library
  This issue allowed an attacker to hang HedgeDoc by inserting a malicious string into a note. Thanks to Ralph Krimmel for reporting!

We also published an advisory for CVE-2021-29475: PDF export allows arbitrary file reads,
which has already been fixed since HedgeDoc 1.5.0.

Features

• Database migrations are now automatically applied on application startup
  The separate .sequelizerc configuration file is no longer necessary and can be safely deleted
• A Prometheus-endpoint is now available at /metrics, exposing the same stats as /status in addition to various Node.js performance figures
• Add a config option to require authentication in FreeURL mode (#755 by @nidico)

Enhancements

• Removed dependency on external imgur library
• HTML language tags are now set up in a way that stops Google Translate from translating note contents while editing
• Removed yahoo.com from the default content security policy
• New translations for Bulgarian, Persian, Galician, Hebrew, Hungarian, Occitan and Brazilian Portuguese
  Updated translations for Arabic, English, Esperanto, Spanish, Hindi, Japanese, Korean, Polish, Portuguese, Turkish and Traditional Chinese Thanks to all translators!
• Various dependency updates

Bugfixes

• Improve readability of diagrams & embeddings in night-mode
• Use the default template for new notes in FreeURL mode
• Fix frontend-crash in slide-mode if no slideOptions are present in the frontmatter
• Return 404 on the /download route for non-existent notes in FreeURL mode
• Properly clean up the UNIX socket on application exit
• Don’t overwrite existing notes on POST-requests to /new/<alias> in FreeURL mode

Contributors

• Amit Upadhyay (translator)
• Atef Ben Ali (translator)
• Edi Feschiyan (translator)
• Gabriel Santiago Macedo (translator)
• Longyklee (translator)
• Nika. zhenya (translator)
• Nicolas Dietrich
• Nis (translator)
• rogerio-ar-costa (translator)
• sanami (translator)
• Tom Dereszynski (translator)
• 상규 (translator)
• uıʞǝʇuɐϽ (translator)
• UwYFmLpoKtYn (translator)

This release fixes a security issue. We recommend upgrading as soon as possible.

Security Fixes

• CVE-2021-21259: Stored XSS in slide mode
  An attacker can inject arbitrary JavaScript into a HedgeDoc note.

Bugfixes

• Ensure the last line of the markdown editor is not covered by the status bar (thanks to @mhdrone for reporting!)

This release fixes two security issues. We recommend upgrading as soon as possible.

Security Fixes

• CVE-2020-26286: Arbitrary file upload
  An unauthenticated attacker can upload arbitrary files to the upload storage backend.
• CVE-2020-26287: Stored XSS in mermaid diagrams
  An attacker can inject arbitrary script tags in HedgeDoc notes using mermaid diagrams.

We have renamed to HedgeDoc! 🎉
Many thanks to Éric Gaspar who designed our new logo!
Have a look at our new website (which also explains the reasoning behind the renaming) at https://hedgedoc.org

This is probably the last release in the 1.x series. Stay tuned for 2.0, scheduled for release next year.

Please note: This release dropped support for Node 8, which is end-of-life since January 2020. You now need at least Node 10.13 to run HedgeDoc, but we recommend running the latest LTS release.

Please note: If you use a reverse proxy and TLS, make sure it sets the X-Forwarded-Proto header correctly, otherwise you will encounter login-issues. Our docs have example configs for common reverse proxies.

Enhancements

• Our release tarballs now contain the frontend bundle. This saves users from building the frontend themselves, which was an issue on memory-constrained systems.
• Add OIDC scopes for email & profile retrieval (#278 & #419 by @elespike & @vberger)
• Allow to set a SAML client certificate (#350 by @n0emis & @em0lar)
• Add YunoHost docs (#431 by @ericgaspar)
• Set OAuth2 state parameter (#407 & #541 by @dalcde & @haslersn)
• Various documentation improvements (by @oupala, @autra & @AdamWorley)
• Add migration script for minio (#499 by @pierreozoux)
• Add authorization for OAuth (#595 by @joachimmathes)
• Improvements to our cookie handling
• Compatibility with Node 14
• Translation updates
• Various dependency updates

Bugfixes

• Fix compatibility with upper-case MIME-types (#509 by @pierreozoux)
• Add fix for missing deletion of notes on user-deletion request
• Fix relative path for fetching the style when set
• Fix broken redirect on login
• CSS fixes for slide mode
• Do not create new notes with null as content
• Fix crash when OAuth2 config parameters are missing (thanks to @vberger for reporting!)
• Handle broken SequelizeMeta table on MySQL/MariaDB (thanks to @titulebolide for reporting!)

Contributors

• Adam Worley
• andreas koidis (translator)
• Augustin Trancart
• Benjamin Bett (translator)
• Butterflyoffire (translator)
• civic john (translator)
• Daniel Lublin
• David Mehren
• david-sawatzke
• deluxghost (translator)
• Dexter Chua
• Dimitri (translator)
• em0lar
• Éric Gaspar
• Erik Michelson
• Giacomo lanza (translator)
• Girish Ramakrishnan
• Grzegorz (translator)
• haslersn
• Igor Kerstges (translator)
• Info (translator)
• Jleeothon (translator)
• Johannes Nilsso (translator)
• Jolly Jumper (translator)
• Jonas Zohren
• Jothish (translator)
• Julien lebranch (translator)
• Marvin Gaube
• Mdhm (translator)
• Mostafa Ahangarha (translator)
• Nick Hahn
• Nils van Zuijlen
• Nithin Prabhakaran (translator)
• numéro6 (translator)
• n0emis
• oupala
• Philip Molares
• Pierre Ozoux
• Quentin Pages (translator)
• Renan Rodrigues
• Renne (translator)
• Sandro
• Smaran (translator)
• Sooraj Kenoth (translator)
• themedleb (translator)
• Tilman Vatteroth
• Tomasz (translator)
• Victor Berger
• XoseM (translator)
• Yannick Bungers
• zgroska (translator)