RATATOSKRATATOSK
ログイン

Dapr

v1.17.5Orchestration & Management
2026年4月17日

v1.17.5 is a security-only patch fixing a path traversal vulnerability that allowed attackers to bypass service invocation ACL policies via encoded URL characters.

  • securityUpgrade immediately if you use service invocation ACLs

    Any deployment with access control policies for service invocation is vulnerable. An attacker with Dapr API access (HTTP or gRPC) could reach denied endpoints by encoding the path. gRPC is especially risky since method strings were passed raw. Upgrade to v1.17.5 now — there is no workaround short of removing Dapr API exposure entirely. After upgrading, audit your ACL policies to confirm expected paths are actually being enforced.

  • breakingMethod paths with #, ?, null bytes, or control characters are now rejected

    The fix adds strict validation: method paths containing #, ?, null bytes, or control characters are now rejected at the invocation edge. If any of your services use these characters in method paths (uncommon but possible with gRPC), those calls will fail after upgrade. Test your service invocation paths in a staging environment before rolling this to production.

主な変更 (5)

  • Path traversal sequences (e.g., %2F, ../) in service invocation method paths could bypass ACL checks — now fixed
  • Encoded fragment (%23) and query (%3F) characters caused ACL to evaluate a different path than what the target app received
  • A bare % character could crash ACL normalization, potentially disabling the policy entirely
  • gRPC was the more dangerous vector since it passes method strings raw with no client-side sanitization
  • Fix: normalization now happens at the invocation edge using path.Clean; purell dependency removed from ACL path