BookStack Security Release v25.12.1

Dan Brown posted on the 30th of December 2025

BookStack v25.12.1 has been released.

This is a security release which adds limits to search operations, and adds size checks to ZIP import files before they are extracted. These changes help prevent potential abuse to host disk space usage and/or service availability.

We recommended to update your instance if untrusted users have ZIP import permissions, or if untrusted users can perform searches.

Thanks to Jeong Woo Lee (@eclipse07077-ljw) and Gabriel Rodrigues (aka TEXUGO) for reporting these vulnerabilities.

Full List of Changes

Updated application PHP dependencies.
Add some additional resource-based limits. (#5968)
Updated translations with latest Crowdin changes. (#5962)

For More Information

If you have any questions or comments about this advisory:

Open an issue in the BookStack GitHub repository.
Ask on the BookStack Discord chat.
Follow the BookStack security policy to contact someone privately.

Header Image Credits: Photo by Acabashi (CC-BY-SA 4.0) - Image Modified

Want to let me know what you think of BookStack or this post?
You can find me on Mastodon @danb@fosstodon.org or on the BookStack Discord server.

Subscribe to Updates

There are two lists you can sign-up to for updates, A general news & updates list, sent on a weekly basis, and a security alerts list that's sent when new security updates are available.

News and Updates | Security Alerts