Klyo Changelog

Hardening pass on firewall, egress, PII, and TOTP

Six safety-critical components received targeted hardening as part of the traceability gate that ships with every release.

The firewall regex evaluator now enforces a 100 ms wall-clock deadline per pattern using a third-party engine; a timeout fails closed and denies the request. The egress allowlist validator rejects non-canonical CIDR input and caps any single entry at 256 hosts to prevent accidental over-broad allows. The PII redaction config validator rejects wildcard placeholder names that previously could collide with detected entity tokens. The PII pipeline also normalises base64, URL-percent, and hex-encoded inputs before detection, closing an evasion path.
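
As an added illustration of three of the checks named above (not Klyo's code, and not taken from the release), the block below implements a fail-closed wall-clock deadline around a pattern evaluation, a canonical-CIDR validator with the 256-host cap, and encoding normalisation that peels base64, percent and hex layers before PII detection. Function names, the sample inputs and every threshold other than the two the changelog states (100 ms, 256 hosts) are this example's own assumptions; the deadline uses a thread join as a stand-in for the third-party engine's native timeout.

```python
"""Three of the validators described above, as an added illustration that is
not Klyo's code: function names, sample inputs and every threshold other than
the two the changelog states (100 ms, 256 hosts) are assumptions."""
import base64
import binascii
import ipaddress
import re
import threading
import time
from typing import Callable, Optional, Tuple
from urllib.parse import unquote

DEADLINE_MS = 100          # per-pattern wall-clock budget from the changelog
MAX_HOSTS_PER_ENTRY = 256  # cap on hosts covered by one allowlist entry


def evaluate_pattern(pattern: str, text: str, deadline_ms: int = DEADLINE_MS,
                     matcher: Callable[[str, str], object] = re.search) -> str:
    """Block-rule regex under a wall-clock deadline: "allow" if no match, "deny"
    on match, malformed pattern, or no verdict in time. The daemon thread only
    lets the caller stop waiting; it cannot abort the match, which is why an
    engine with a native abort (as the changelog describes) is the real fix."""
    outcome: dict = {}

    def run() -> None:
        try:
            outcome["matched"] = matcher(pattern, text) is not None
        except Exception:  # malformed pattern or engine failure: no verdict
            pass

    worker = threading.Thread(target=run, daemon=True)
    worker.start()
    worker.join(deadline_ms / 1000)
    if worker.is_alive() or outcome.get("matched") is None:
        return "deny"  # fail closed: timeout or no verdict means no request
    return "deny" if outcome["matched"] else "allow"


def slow_matcher(pattern: str, text: str) -> None:
    """Constructed stand-in for a pattern that backtracks past the deadline."""
    time.sleep(0.5)
    return None


def validate_egress_entry(entry: str) -> Tuple[bool, str]:
    """(True, canonical) for canonical CIDR within the host cap, else (False, reason).
    strict=True rejects host bits inside the prefix (10.0.0.5/24); the round-trip
    comparison rejects uncompressed IPv6, uppercase hex and stray whitespace."""
    if "/" not in entry:
        return False, "an explicit prefix length is required"
    try:
        net = ipaddress.ip_network(entry, strict=True)
    except ValueError as exc:
        return False, str(exc)
    if str(net) != entry:
        return False, f"not canonical, expected {net}"
    if net.num_addresses > MAX_HOSTS_PER_ENTRY:
        return False, f"covers {net.num_addresses} hosts, cap is {MAX_HOSTS_PER_ENTRY}"
    return True, str(net)


_HEX_RE = re.compile(r"^(?:[0-9a-fA-F]{2})+$")
_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def _decode_once(value: str) -> Optional[str]:
    """Strip one layer if value is plainly percent-, hex- or base64-encoded."""
    if "%" in value and unquote(value) != value:
        return unquote(value)
    raw: Optional[bytes] = None
    if _HEX_RE.match(value):
        raw = bytes.fromhex(value)
    elif _B64_RE.match(value) and len(value) % 4 == 0:
        try:
            raw = base64.b64decode(value, validate=True)
        except binascii.Error:
            return None
    if raw is None:
        return None
    try:
        decoded = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return decoded if decoded.isprintable() else None


def normalise_for_detection(value: str, max_layers: int = 4) -> str:
    """Peel encoding layers to a fixed point so the detector sees plaintext;
    max_layers bounds the loop so nested payloads cannot stall the pipeline."""
    for _ in range(max_layers):
        decoded = _decode_once(value)
        if decoded is None:
            return value
        value = decoded
    return value
```

The deadline wrapper is the weakest of the three as written: a thread join can only stop the caller from waiting, so a genuinely runaway match keeps burning CPU until it finishes. That is exactly why the release moved to an engine with its own abort; the wrapper shows the fail-closed decision logic, not a replacement for that engine.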

TOTP second-factor login now records consumed codes in a replay ledger with a composite primary key and a scheduled cleanup, eliminating a narrow code-reuse window.
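
The following is an added example of a replay ledger of the kind described above; it is not Klyo's code. The schema, the 30-second step, the one-step acceptance window, the retention length and the user ids are assumptions. The HOTP/TOTP arithmetic follows RFC 4226 and RFC 6238, and the secret is the RFC test-vector key, so the codes it produces can be checked against the published vectors.

```python
"""TOTP replay ledger with a composite primary key and a cleanup job. Added
example, not Klyo's code: schema, step length, window, retention and user ids
are assumptions; the secret below is the RFC 4226 / RFC 6238 test-vector key."""
import hashlib
import hmac
import sqlite3
import struct
from typing import Optional

STEP_SECONDS = 30
DIGITS = 6
RFC_TEST_SECRET = b"12345678901234567890"  # RFC 4226 / RFC 6238 test-vector key


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1, dynamic truncation, zero-padded decimal."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


class ReplayLedger:
    """Consumed-code ledger keyed on (user_id, time_step, code).

    The composite primary key makes the INSERT itself the atomic check: a
    second attempt to consume the same tuple is ignored and reports zero rows
    changed, so two concurrent logins presenting one code cannot both succeed.
    """

    def __init__(self, conn: Optional[sqlite3.Connection] = None) -> None:
        self.conn = conn or sqlite3.connect(":memory:")
        self.conn.execute(
            "CREATE TABLE IF NOT EXISTS consumed_totp ("
            " user_id TEXT NOT NULL, time_step INTEGER NOT NULL,"
            " code TEXT NOT NULL, consumed_at INTEGER NOT NULL,"
            " PRIMARY KEY (user_id, time_step, code))"
        )
        self.conn.commit()

    def consume(self, user_id: str, time_step: int, code: str, now: int) -> bool:
        """True if (user, step, code) was unused and is now recorded; False on replay."""
        cur = self.conn.execute(
            "INSERT OR IGNORE INTO consumed_totp VALUES (?, ?, ?, ?)",
            (user_id, time_step, code, now),
        )
        self.conn.commit()
        return cur.rowcount == 1

    def cleanup(self, now: int, retain_steps: int = 3) -> int:
        """Scheduled job: drop rows older than any step verify_totp could still accept."""
        cutoff = now // STEP_SECONDS - retain_steps
        cur = self.conn.execute("DELETE FROM consumed_totp WHERE time_step < ?", (cutoff,))
        self.conn.commit()
        return cur.rowcount

    def count(self) -> int:
        return self.conn.execute("SELECT COUNT(*) FROM consumed_totp").fetchone()[0]


def verify_totp(ledger: ReplayLedger, user_id: str, secret: bytes,
                code: str, now: int, window: int = 1) -> bool:
    """Accept a code for the current step or its neighbours, once per (step, code)."""
    if len(code) != DIGITS or not code.isdigit():
        return False
    current = now // STEP_SECONDS
    for step in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(secret, step), code):
            # A match only counts if the ledger accepts it; a reuse fails here.
            return ledger.consume(user_id, step, code, now)
    return False


if __name__ == "__main__":
    ledger = ReplayLedger()
    print(verify_totp(ledger, "alice", RFC_TEST_SECRET, "287082", 59))  # first use: True
    print(verify_totp(ledger, "alice", RFC_TEST_SECRET, "287082", 70))  # replay: False
    print(ledger.cleanup(now=59 + 10 * STEP_SECONDS))                    # rows expired: 1
```

Two points are worth keeping straight when reading this. The retention used by cleanup must exceed the acceptance window of verify_totp, otherwise a row could be purged while the code it records is still within the window and becomes reusable. And the check-and-record must be a single statement: a SELECT followed by a separate INSERT reopens the narrow window the changelog refers to, because two requests can both pass the SELECT before either inserts.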

SaaS tenants are already patched. Self-hosted customers should upgrade to v1.10.12.