From 80ba7633e55f14932e655bcedcbe3961344cd93e Mon Sep 17 00:00:00 2001
From: Alex Newman
Date: Fri, 12 Dec 2025 22:18:32 -0500
Subject: [PATCH] docs: update CHANGELOG.md for localhost-only binding security fix

---
 CHANGELOG.md | 60 ++++++++++++++++++++++++++++++++++++++++++++++------
 1 file changed, 54 insertions(+), 6 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index e8ee3d7f..ec2070f2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,54 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). ## [7.1.0] - 2025-12-13 +## Security Fix: Localhost-Only Binding + +**BREAKING CHANGE**: Worker service now binds to `127.0.0.1` (localhost) by default instead of `0.0.0.0` (all interfaces). + +### Security Issue Fixed + +The worker service was previously binding to `0.0.0.0:37777` by default, exposing all API endpoints to the network without authentication. This posed security risks: +- Unauthorized access to memory data from any network device +- Potential data injection into the database +- Settings modification from remote devices +- Full access to Web Viewer UI from the network + +### Solution + +Default worker binding changed to `127.0.0.1` (localhost-only), with a new configurable setting `CLAUDE_MEM_WORKER_HOST` for users who need remote access. + +### Changes + +- **Core**: Added `CLAUDE_MEM_WORKER_HOST` setting with default value `127.0.0.1` +- **Worker**: Modified `worker-service.ts` to bind to configured host address +- **API**: Added host validation in `SettingsRoutes.ts` (IP address format check) +- **UI**: Added host configuration field in Settings panel +- **Docs**: Updated README.md and CLAUDE.md with new setting + +### Configuration + +**Default (secure):** localhost only +```bash +CLAUDE_MEM_WORKER_HOST=127.0.0.1 +``` + +**Remote access (server deployments):** +```bash +CLAUDE_MEM_WORKER_HOST=0.0.0.0 +``` + +Can be configured via: +- `~/.claude-mem/settings.json` +- Web Viewer UI Settings panel + +### Migration + +**Automatic**: Existing installations will use `127.0.0.1` on next worker restart. If you need remote access, set `CLAUDE_MEM_WORKER_HOST=0.0.0.0` in `~/.claude-mem/settings.json`. + +### Contributors + +Thanks to @7Sageer for identifying and fixing this security issue! + ## Major Architectural Migration This release completely replaces PM2 with native Bun-based process management and migrates from better-sqlite3 to bun:sqlite. 
@@ -1906,12 +1954,12 @@ None (patch version) ## [4.3.0] - 2025-10-25 -## What's Changed -* feat: Enhanced context hook with session observations and cross-platform improvements by @thedotmack in https://github.com/thedotmack/claude-mem/pull/25 - -## New Contributors -* @thedotmack made their first contribution in https://github.com/thedotmack/claude-mem/pull/25 - +## What's Changed +* feat: Enhanced context hook with session observations and cross-platform improvements by @thedotmack in https://github.com/thedotmack/claude-mem/pull/25 + +## New Contributors +* @thedotmack made their first contribution in https://github.com/thedotmack/claude-mem/pull/25 + **Full Changelog**: https://github.com/thedotmack/claude-mem/compare/v4.2.11...v4.3.0 ## [4.2.10] - 2025-10-25
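Review bot: in the first hunk, the "Remote access (server deployments)" block under "### Configuration" shows `CLAUDE_MEM_WORKER_HOST=0.0.0.0` without saying that this restores exactly the exposure described a few lines earlier ("exposing all API endpoints to the network without authentication"); since the fix changes only the bind address and not authentication, add a sentence there stating that binding to `0.0.0.0` re-exposes unauthenticated endpoints and should only be done behind a firewall or an authenticating reverse proxy. Two smaller documentation points in the same hunk: the two `bash` fences read as environment-variable assignments, while the text immediately below says the value is set in `~/.claude-mem/settings.json` or the Web Viewer UI, so either show the JSON key form or state that the env-var form is also honoured; and since the file header says the format follows Keep a Changelog, this entry belongs under a `### Security` subsection of `## [7.1.0]` rather than a sibling `## Security Fix:` heading. Finally, the entry is labelled **BREAKING CHANGE** but ships as the minor bump 7.1.0, which is worth calling out in the migration text so semver-pinned users are not surprised.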
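Review bot: the second hunk, in the `## [4.3.0] - 2025-10-25` entry, removes five lines and re-adds them with no visible text difference, which looks like trailing-whitespace or line-ending churn unrelated to the localhost-binding subject given in the commit message; either drop these lines from the commit or mention the cleanup in the message so reviewers know the change to an old entry is intentional.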