Releases: kOaDT/oss-oopssec-store

v2.15.0

22 Apr 19:20

What's New

  • Added a new Insecure Randomness Gift Card challenge, demonstrating vulnerabilities tied to predictable random number generation. @kOaDT
  • Published a new path traversal writeup and linked its walkthrough for improved learner navigation. @kOaDT #61

Bug Fixes

  • Pinned TypeScript to 5.9.3 to align with the @astrojs/check peer dependency requirement and prevent version mismatch issues. @kOaDT

v2.14.2

18 Apr 22:42

Release Notes

Bug Fixes

  • Fixed the NEXT_PUBLIC_ environment variable leak challenge, which only worked in development mode. The payment secret is now forwarded via an X-Payment-Auth header so it survives SWC dead code elimination in production builds (npm start), restoring the intended challenge behavior. @kOaDT
  • Made the padding oracle test deterministic by flipping the entire block, eliminating flaky runs. @kOaDT

Improvements

  • Added server-side pagination to the SIEM log viewer for smoother navigation of large log volumes. @kOaDT
  • Migrated application logging from console to Pino structured logging. @MDFarhan-1 #84
  • Enhanced the welcome PR message with contribution stats, size labels, and CI information. @kOaDT
  • Refactored authentication by replacing scattered manual checks with unified withAuth and withAdminAuth wrappers. @kOaDT #81
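The withAuth / withAdminAuth refactor above replaces per-handler checks with wrappers so that no route can forget them. The following is an added illustration of that pattern, not the project's own code: requests and responses are modelled as plain objects (a stand-in for Next.js route handlers), and the session store, cookie name and role values are constructed assumptions.

```javascript
// Added example (not project code): unified auth wrappers for route handlers.
// Requests/responses are plain objects so this runs without Next.js.

// Constructed in-memory session store (placeholder for the real DB lookup).
const SESSIONS = {
  'sess-user-1': { id: 1, email: 'alice@example.test', role: 'USER' },
  'sess-admin-1': { id: 2, email: 'root@example.test', role: 'ADMIN' },
};

// Resolve the "session" cookie to a user record; null if missing or unknown.
function sessionFromCookie(cookieHeader) {
  if (!cookieHeader) return null;
  for (const part of cookieHeader.split(';')) {
    const [k, v] = part.trim().split('=');
    if (k === 'session' && v) return SESSIONS[v] ?? null;
  }
  return null;
}

// withAuth: the wrapped handler only ever runs with a verified user;
// everything else gets a 401 before any handler code executes.
function withAuth(handler) {
  return (req) => {
    const user = sessionFromCookie(req.headers.cookie);
    if (!user) return { status: 401, body: { error: 'unauthenticated' } };
    return handler(req, user);
  };
}

// withAdminAuth composes withAuth: authenticate first, then authorize by role,
// so a 403 is only reachable by an authenticated non-admin.
function withAdminAuth(handler) {
  return withAuth((req, user) => {
    if (user.role !== 'ADMIN') return { status: 403, body: { error: 'forbidden' } };
    return handler(req, user);
  });
}

// Two example routes: the handler bodies contain no auth logic at all.
const profileHandler = withAuth((req, user) => ({
  status: 200,
  body: { email: user.email },
}));

const adminUsersHandler = withAdminAuth(() => ({
  status: 200,
  body: { users: Object.values(SESSIONS).map((u) => u.email) },
}));

// Helper to build a request with an optional Cookie header.
function request(cookie) {
  return { headers: cookie ? { cookie } : {} };
}
```

Because authorization lives in one place, a reviewer only has to check which wrapper a route uses, and a missing wrapper is visible at a glance rather than buried in handler bodies.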

Documentation

  • Added a writeup for the NEXT_PUBLIC_ environment variable leak challenge. @kOaDT #59
  • Updated the plaintext-password-in-logs writeup to reflect the Pino logging migration. @kOaDT
  • Linked walkthroughSlug for the public-env and info-disclosure flags to streamline access to related walkthroughs. @kOaDT

Maintenance / Chore

  • Bumped several GitHub Actions dependencies via Dependabot, including major updates to actions/github-script (7 → 9), actions/upload-artifact (4 → 7), actions/upload-pages-artifact (4 → 5), and docker/build-push-action (6 → 7), along with minor/patch updates to docker/login-action and cypress-io/github-action.

v2.14.1

04 Apr 15:02

What's New

  • Added a walkthrough for the "Information Disclosure via API Error Message" vulnerability #62

Bug Fixes

  • Fixed incorrect category assignment for the race condition coupon flag (now uses INSECURE_DESIGN)
  • Removed unused flag type definition

Improvements

  • Export fields now use an array with checkboxes instead of a comma-separated string, improving the "Information Disclosure via API Error Message" vulnerability challenge

Maintenance / Chore

  • Bumped actions/deploy-pages from 4.0.5 to 5.0.0

v2.14.0

28 Mar 22:40

What's New

  • Added a new flag for a race condition vulnerability. The vulnerability maps to OWASP A01 (Broken Access Control) and A04 (Insecure Design), and demonstrates how non-atomic read-then-write operations on shared state can be exploited via concurrent requests.
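To make the "non-atomic read-then-write" point concrete, here is an added example (not the project's code) of a single-use coupon redeemed by several concurrent requests, first with a check and an update separated by an await point, then with the check-and-set done atomically. Concurrency is simulated with generators and a round-robin scheduler so the interleaving is deterministic and nothing needs a database; the coupon code and store layout are constructed.

```javascript
// Added example (not project code): a non-atomic read-then-write on shared
// state lets a one-time coupon be redeemed more than once; the fix is an
// atomic check-and-set. Concurrent requests are simulated with generators
// and a round-robin scheduler so the interleaving is deterministic.

// Constructed in-memory coupon table (stand-in for a database row).
function makeStore() {
  return { coupons: { SAVE20: { used: false } } };
}

// VULNERABLE: the check and the update are separated by an await point
// (the yield), so every concurrent request can observe used === false.
function* redeemNonAtomic(store, code, result) {
  const coupon = store.coupons[code];
  if (!coupon || coupon.used) { result.ok = false; return; }
  yield; // simulated DB round-trip between the read and the write
  coupon.used = true; // writes blindly; never re-checks
  result.ok = true;
}

// FIXED: check and update are one step with nothing in between, the
// in-memory analogue of
//   UPDATE coupons SET used = true WHERE code = ? AND used = false
// followed by testing the affected-row count.
function claimCoupon(store, code) {
  const coupon = store.coupons[code];
  if (!coupon || coupon.used) return false;
  coupon.used = true;
  return true;
}

function* redeemAtomic(store, code, result) {
  result.ok = claimCoupon(store, code);
  yield; // any later work happens after the row is already claimed
}

// Run n requests "concurrently": advance each one step at a time, so all
// of them perform their first step before any performs its second.
// Returns how many redemptions succeeded (should be at most 1).
function runConcurrent(redeem, n) {
  const store = makeStore();
  const results = Array.from({ length: n }, () => ({ ok: false }));
  let pending = results.map((r) => redeem(store, 'SAVE20', r));
  while (pending.length) {
    pending = pending.filter((t) => !t.next().done);
  }
  return results.filter((r) => r.ok).length;
}
```

With five simulated requests, `runConcurrent(redeemNonAtomic, 5)` reports five successful redemptions of a single-use coupon, while `runConcurrent(redeemAtomic, 5)` reports exactly one. In a real application the same guarantee comes from a conditional UPDATE, a unique constraint on the redemption record, or a transaction with row locking, not from application-side checks.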

Bug Fixes

  • Removed a stale screen.png asset that was incorrectly left in the codebase.

v2.13.0

22 Mar 19:10

What's New

  • Middleware authorization bypass challenge (CVE-2025-29927): added a new vulnerability challenge based on the Next.js middleware authorization bypass.
  • Support banner after flag capture: a contextual banner is now displayed after a user successfully captures a flag.
  • Educator kit: added a kit explaining to teachers, mentors, and educators how to use the lab in an educational setting, with supporting documents added to the documentation (OWASP grids, syllabus templates, a student report template, ...).

Bug Fixes

  • Mistral model pinned to mistral-small-2603: resolved potential model availability issues by pinning the version and adding an availability test.
  • Removed obsolete Astro experimental flag: cleaned up deprecated configuration that could cause warnings or build issues.

Maintenance / Chore

  • Upgraded to Astro 6: documentation site upgraded from Astro 5 to Astro 6, including @astrojs/react 5.0.0, and promotion of experimental config options to stable.
  • Node.js bumped to 22 across CI pipelines for Astro 6 compatibility.
  • Dependency updates:
    • chalk and ora upgraded in create-oss-store.
    • cypress-io/github-action updated to 7.1.8.
    • @astrojs/rss, @astrojs/check, and slugify patched to latest minor versions.

v2.12.0

14 Mar 21:37

What's New

  • MCP Malicious Server challenge: New vulnerability demonstrating indirect prompt injection through poisoned MCP tool responses. An attacker hosts a malicious Model Context Protocol server whose tool responses inject instructions into the AI agent's context, tricking it into calling restricted internal tools and bypassing access control.
    Includes a full exploitation walkthrough with a ready-to-use evil MCP server and SSRF bonus vector. #137

Bug Fixes

  • Fixed hydration mismatches in authentication-dependent header components, resolving client/server rendering inconsistencies.

Maintenance / Chore

  • Added business logic test coverage across unit, API, and E2E layers.

v2.11.0

13 Mar 23:50

What's New

  • AES-CBC padding oracle vulnerability: Added a new secure document sharing scenario demonstrating the AES-CBC padding oracle attack. #86

Security

  • Hardened CI workflows: Tightened GitHub Actions permissions, pinned action versions to commit SHAs, and mitigated script injection risks.
  • Scoped Dependabot to non-vulnerable packages: Excluded the intentionally vulnerable root application from automated dependency updates, limiting Dependabot to /docs and /packages only.

Improvements

  • CI pipeline enhancements: Added quality checks, Docker build workflow, npm Dependabot configuration, and automated PR welcome messages for new contributors.

Maintenance / Chore

Updated GitHub Actions dependencies to latest major versions:

  • actions/checkout 4.3.1 → 6.0.2
  • actions/setup-node 4.4.0 → 6.3.0
  • actions/upload-pages-artifact 3.0.1 → 4.0.0
  • cypress-io/github-action 6.10.9 → 7.1.5
  • docker/login-action 3.7.0 → 4.0.0

v2.10.0

05 Mar 07:31
c9480f6

What's New

  • Profile takeover lab scenarios: Added two new flags based on a self-XSS and CSRF chain, introducing profile takeover vulnerability exercises. #18 (comment)
  • Docker Hub auto-publish workflow: Docker images are now automatically published to Docker Hub on release.

Improvements

  • Docker setup option in docs and walkthroughs: Lab walkthrough sections and the README now include Docker as a setup alternative, with direct links to Docker Hub.
  • Fixed missing walkthrough slug: Added the missing walkthroughSlug for the weak session flag.

v2.9.0

01 Mar 20:28
9664ee1

What's New

  • Added a new vulnerability flag: open redirect on the login form, allowing users to practice identifying and exploiting open redirect flaws in authentication flows. #85 (comment)

Improvements

  • Added a walkthrough for the weak session management vulnerability. #63 (comment)
  • Improved walkthrough texts, README, and CONTRIBUTING documentation.

Maintenance / Chore

  • Upgraded Astro to the latest version.

v2.8.0

26 Feb 22:24
37b682b

What's New

  • Docker support: The application can now be run entirely via Docker and docker-compose, removing the need for a local Node.js installation. Includes a production-ready Dockerfile, automatic database initialization, persistent volumes, and helper scripts (npm run docker:*). #80
  • Insecure password reset flag: Implemented a password reset flow with a predictable/weak token generation mechanism. #86

Bug Fixes

  • Prisma Studio no longer auto-opens a browser during the setup process.
  • Improved plaintext password test reliability: Made the assertion more specific to avoid flaky test results.

Maintenance / Chore

  • Added a pull request template to standardize contributions.