PT-2024-7859 · Filament · Filament

Catferq · Published 2024-10-30 · Updated 2024-11-19

CVE-2024-51758

CVSS v2.0: 2.6 (Low)

Vector: AV:N/AC:H/Au:N/C:P/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Filament versions prior to 3.2.123

Description: The issue is related to the default configuration of Filament, which uses the default filesystem disk config option for storage features. The default disk is set to public when first installed, allowing users to quickly develop with a functional disk. However, this default setting can be insecure, as some features, such as exports, store files containing sensitive data that should not be public. The estimated number of potentially affected devices is not provided. There is no information about real-world incidents where this issue was exploited.

Recommendations: For Filament versions prior to 3.2.123, upgrade to version 3.2.123 or later to resolve the issue. As a temporary workaround, consider setting the export disk deliberately to a secure option, such as local or s3, to minimize the risk of exploitation. If the public disk is set as the default disk, the exports feature will automatically swap it out for the local disk, if that exists. Users who have already set the default disk to local or s3 are not affected.
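As an added illustration (not code from the advisory or from the Filament project), the per-action override the workaround describes, shown beside the risky default. It assumes Filament v3's `Filament\Actions\ExportAction` with its `fileDisk()` method and the `filament.default_filesystem_disk` config key, and a hypothetical `UserExporter` class; check both against the installed version.

```php
<?php

namespace App\Filament\Resources\UserResource\Pages;

use App\Filament\Exports\UserExporter; // hypothetical exporter, assumed to exist
use Filament\Actions\ExportAction;
use Filament\Resources\Pages\ListRecords;

class ListUsers extends ListRecords
{
    protected function getHeaderActions(): array
    {
        // Risky: with no disk given, the export inherits
        // config('filament.default_filesystem_disk'), which a fresh install
        // sets to 'public'. Files on that disk are served from storage/app/public
        // via the /storage symlink, so an export of user records becomes reachable
        // by anyone who learns or guesses its path.
        //
        //   ExportAction::make()->exporter(UserExporter::class),

        // Hardened: pin the export to a disk Laravel does not serve over HTTP.
        // 'local' maps to storage/app; an 's3' disk with private visibility
        // works the same way and is the other option the advisory names.
        return [
            ExportAction::make()
                ->exporter(UserExporter::class)
                ->fileDisk('local'),
        ];
    }

    // Defensive check for a test suite or a boot-time assertion: fail fast if the
    // application is still relying on the public disk as Filament's default, so
    // any feature that does not set its own disk cannot silently publish data.
    public static function defaultDiskIsPublic(): bool
    {
        return config('filament.default_filesystem_disk') === 'public';
    }
}
```

The per-action `fileDisk()` call keeps exports private even when the global default is left at `public`; changing the global default (e.g. `FILAMENT_FILESYSTEM_DISK=local` in `.env`) covers every storage feature at once.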


Related Identifiers

BDU:2024-09361
CVE-2024-51758
GHSA-4HXW-GC2Q-F6F3

Affected Products

Filament