v4.12.18 - Security Fixes Release
Key Points
- Cache Middleware cross-user cache leakage fix
- CSS injection vulnerability patched in JSX SSR
- JWT NumericDate claims validation corrected
Summary
v4.12.18 is a security-focused release addressing three critical vulnerabilities across Cache Middleware, JSX SSR, and JWT utilities.
Details
- Cache Middleware: Fixed cache-skip handling for `Vary: Authorization` and `Vary: Cookie` headers to prevent cross-user cache leakage (GHSA-p77w-8qqv-26rm)
- JSX SSR: Patched a CSS declaration injection vulnerability in style object values and property names to prevent untrusted input from injecting additional CSS declarations (GHSA-qp7p-654g-cw7p)
- JWT Verification: Corrected validation of the `exp`, `nbf`, and `iat` claims to reject falsy, non-finite, or non-numeric values; RFC 7519 requires each of them to be a NumericDate, i.e. a JSON number of seconds since the epoch (GHSA-hm8q-7f3q-5f36)
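The following JavaScript is an added illustration, not the project's own code and not taken from the advisories: it re-implements the three checks this release fixes in minimal form, each beside the behaviour it prevents (a shared cache storing a per-user response, a style value that terminates its declaration, and a time claim that is falsy or not a number). Every function name, input value and error message is an assumption made for the example.

```javascript
// Added illustration, not the project's own code: minimal re-implementations
// of the three checks this release fixes, each beside the behaviour it
// prevents. Every function name, input and message here is an assumption
// made for the example.

// --- 1. Cache middleware: Vary: Authorization / Vary: Cookie ---------------
// A response whose representation depends on Authorization or Cookie is
// user-specific. Storing it in a shared cache serves one user's body to the
// next, so caching must be skipped for it.
const USER_SPECIFIC_VARY = new Set(["authorization", "cookie"]);

// `vary` is the raw value of the response's Vary header, or null if absent.
function shouldCacheResponse(vary) {
  if (vary === null || vary === undefined) return true;
  // Vary is a comma-separated list of field names, matched case-insensitively.
  const fields = vary
    .split(",")
    .map((f) => f.trim().toLowerCase())
    .filter((f) => f.length > 0);
  if (fields.includes("*")) return false; // "*" means never cacheable
  return !fields.some((f) => USER_SPECIFIC_VARY.has(f));
}

// --- 2. JSX SSR: style object serialization -------------------------------
// Untrusted text in a style value or key must not be able to end the current
// declaration and start another. This version rejects instead of escaping,
// the conservative choice for a server-side renderer. Escaping the finished
// string for the HTML attribute it lands in is a separate step.
const CSS_PROPERTY_RE = /^-{0,2}[a-zA-Z][a-zA-Z0-9-]*$/;

function styleObjectToAttribute(style) {
  const decls = [];
  for (const [key, raw] of Object.entries(style)) {
    if (raw === null || raw === undefined || raw === false) continue;
    // camelCase keys become kebab-case; custom properties (--x) pass through.
    const prop = key.startsWith("--")
      ? key
      : key.replace(/[A-Z]/g, (c) => "-" + c.toLowerCase());
    if (!CSS_PROPERTY_RE.test(prop)) {
      throw new Error(`invalid CSS property name: ${JSON.stringify(key)}`);
    }
    const value = String(raw);
    // ';' terminates a declaration, '{' and '}' delimit blocks, and control
    // characters have no place in an inline style.
    if (/[;{}\u0000-\u001f]/.test(value)) {
      throw new Error(`invalid CSS value for ${prop}: ${JSON.stringify(value)}`);
    }
    decls.push(`${prop}:${value}`);
  }
  return decls.join(";");
}

// --- 3. JWT: exp / nbf / iat as RFC 7519 NumericDate ------------------------
// NumericDate is a JSON number of seconds since the epoch. A check written as
// `if (payload.exp && payload.exp < now)` skips exp === 0 and NaN (falsy) and
// lets non-numeric strings and Infinity through because the comparison
// evaluates to false.
const TIME_CLAIMS = ["exp", "nbf", "iat"];

function isNumericDate(v) {
  return typeof v === "number" && Number.isFinite(v);
}

// The loose pattern, kept only to show what the stricter check removes.
function verifyTimeClaimsLoose(payload, now) {
  if (payload.exp && payload.exp < now) return { ok: false, reason: "expired" };
  if (payload.nbf && payload.nbf > now) return { ok: false, reason: "not yet valid" };
  return { ok: true };
}

// Strict check: every present time claim must be a finite number before any
// comparison, so exp: 0 means "expired in 1970" rather than "no expiry".
function verifyTimeClaimsStrict(payload, now = Math.floor(Date.now() / 1000)) {
  for (const name of TIME_CLAIMS) {
    if (name in payload && !isNumericDate(payload[name])) {
      return { ok: false, reason: `${name} is not a NumericDate` };
    }
  }
  if ("exp" in payload && now >= payload.exp) return { ok: false, reason: "expired" };
  if ("nbf" in payload && now < payload.nbf) return { ok: false, reason: "not yet valid" };
  if ("iat" in payload && payload.iat > now) return { ok: false, reason: "issued in the future" };
  return { ok: true };
}
```

The three functions are independent; each one can be dropped next to the corresponding code path as a reference while reviewing an upgrade. The strict JWT check deliberately applies no clock-skew tolerance, so a deployment that needs one should add it explicitly rather than by weakening the type check.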
Recommendation
Users of the JWT helpers, JSX rendering, or Cache middleware should upgrade to v4.12.18 immediately.