
Countly

ANALYTICS
Velocity 5.0

Open-source product analytics for mobile and web.

Countly runs a sustained security-hardening pass across its 24.05 and 25.03 lines

Tags: product-analytics, security-hardening, enterprise, dual-release-line, bug-fixes, open-source
Current state
Countly's recent releases are dominated by security and stability work: a bug-bounty-style hardening pass closing cross-app metric exfiltration, MongoDB operator injection, path traversal, SSRF, and session-fixation vectors (24.05.50, 25.03.44), alongside routine core and enterprise bug fixes. Enterprise additions are narrow, such as AD/LDAP journey approver groups.
Where it's heading
The concentration of coordinated security fixes across both the 24.05 line and the current 25.03 line signals a deliberate hardening cycle, likely following an audit. Feature work is incremental; correctness and security are the current priority.
Prediction
Expect continued security and stability fixes backported across both lines, with incremental enterprise additions in journeys and data-manager.

Recent moves

  1. 2d ago

    v25.03.46: security fixes, AD/LDAP journey approver group

    Bundles general security fixes, subdirectory-deployment support, and AD/LDAP journey approver groups, continuing the security-plus-narrow-enterprise pattern of the 25.03 line.

  2. 12d ago

    v25.03.45: core, jobs and groups correctness fixes

    Fixes graph-note validation, disabled-plugin job filtering, topEvents key handling, and a legacy group_id aggregation error that caused management pages to return HTTP 400 on older tenants.

  3. 20d ago

    v25.03.44: close exfiltration and injection vectors

    A security release validating alert configs against caller permissions, stripping dangerous Mongo operators from user queries, and sanitizing filenames against path traversal; this is the 25.03 half of the coordinated hardening pass.

  4. 20d ago

    v24.05.50: bug-bounty security backport

    Backports the bug-bounty hardening to the 24.05 line: login-token scoping with session-id regeneration, dashboard auth and per-widget permissions, anti-enumeration responses, $graphLookup blocking, and SSRF guards.

  5. 1mo ago

    Countly Version 25.03.43

    v25.03.43 optimizes an enterprise flow timeline query and bumps a few dependencies; it is a minor maintenance release amid the larger security cycle.

  6. 1mo ago

    Countly Version 24.05.49

    v24.05.49 collects small fixes for alert-job timezones, compliance-hub user merge, onboarding redirects, and star-rating; it is low-impact maintenance on the 24.05 line.
