We release patches for security vulnerabilities. Currently supported versions:
| Version | Supported |
|---|---|
| Latest | ✅ |
| < Latest | ❌ |
We recommend always using the latest version of KV Manager.
We take the security of KV Manager seriously. If you believe you have found a security vulnerability, please report it to us as described below.
Please do NOT report security vulnerabilities through public GitHub issues.
Instead, please report them via:
-
GitHub Security Advisories (Preferred)
- Go to the Security tab
- Click "Report a vulnerability"
- Fill out the form with details
-
Direct Contact
- Create a private issue with the
securitylabel - We will respond within 48 hours
- Create a private issue with the
Please include as much information as possible:
- Type of vulnerability
- Full paths of source file(s) related to the vulnerability
- Location of the affected source code (tag/branch/commit or direct URL)
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the vulnerability
- Your suggestions for fixing it (if any)
- Initial Response: Within 48 hours
- Status Update: Within 5 business days
- Fix Timeline: Depends on severity and complexity
- Validation: We'll confirm the vulnerability
- Fix Development: We'll work on a patch
- Testing: Thorough testing of the fix
- Disclosure:
- We'll coordinate disclosure with you
- Security advisory published
- Release with fix deployed
- Credit: We'll credit you in the security advisory (if desired)
When deploying KV Manager:
- Always use Cloudflare Access (Zero Trust) in production
- Configure appropriate identity providers (GitHub OAuth, etc.)
- Set restrictive access policies
- Never disable authentication checks
- Protect API tokens: Never commit tokens to version control
- Use Cloudflare Workers Secrets for sensitive data
- Set proper CORS policies
- Implement rate limiting if needed
- Grant minimal KV permissions needed
- Use separate API tokens for different environments
- Rotate API tokens regularly
- Audit KV access logs
- Protect D1 metadata database from accidental deletion
- Review metadata database schema regularly
- Backup metadata database periodically
- Monitor for unusual query patterns
- Use
.envfiles for local development only - Never expose Worker secrets
- Keep dependencies up to date
- Review Cloudflare Access logs regularly
# Set all secrets (never hardcode)
npx wrangler secret put ACCOUNT_ID
npx wrangler secret put API_KEY
npx wrangler secret put TEAM_DOMAIN
npx wrangler secret put POLICY_AUD- Use HTTPS only (enforced by Cloudflare Workers)
- Configure appropriate CSP headers
- Enable Cloudflare's security features
- Monitor for suspicious activity
Application Dependencies (Fixed):
- ✅
glob- Upgraded to 11.1.0 via package.json overrides (fixes CVE-2025-64756) - ✅
tar- Upgraded to 7.5.2 via package.json overrides (fixes CVE-2025-64118)
npm CLI Dependencies (Fixed):
- ✅
glob- Manually patched to 11.1.0 in npm's installation directory (fixes CVE-2025-64756) - ✅
tar- Manually patched to 7.5.2 in npm's installation directory (fixes CVE-2025-64118)
While npm@11.6.2 ships with vulnerable versions, we patch these during the Docker build process by updating npm's own node_modules directory. This ensures the npm CLI tool uses secure dependencies.
Alpine Base Package Vulnerabilities (Accepted Risk):
curl@8.14.1-r2- CVE-2025-10966 (MEDIUM): No fix available from Alpine Linuxbusybox@1.37.0-r19- CVE-2025-46394, CVE-2024-58251 (LOW): No fixes available from Alpine Linux
We monitor these vulnerabilities and will update as soon as patches become available.
- Mock data mode bypasses authentication for
localhost - Never deploy with
VITE_WORKER_API=http://localhost:8787 - Ensure environment is properly configured for production
- Worker requires Account D1 Edit and Workers KV Storage Edit permissions
- Avoid using Global API Key (use scoped API tokens)
- Review token access logs in Cloudflare dashboard
- Be cautious with sensitive data in KV namespaces
- Use Cloudflare Access policies to restrict users
- Consider additional encryption for sensitive values
- Review audit logs for potential data leaks
- Durable Objects handle bulk operations securely
- Monitor for abuse of bulk delete operations
- Set reasonable rate limits for bulk operations
- Track bulk operation history in D1 metadata
KV Manager implements several security features:
- Cloudflare Access Integration: Enterprise-grade authentication
- JWT Validation: Every API request validated
- Scoped Permissions: Minimal required access
- Audit Logging: Operation history tracking
- Secure Defaults: Production-ready configuration
- Input Validation: Injection attack prevention
- Rate Limiting: Via Cloudflare Workers platform
- Protected Namespaces: System namespaces hidden from UI
This project follows:
- OWASP Top 10 security guidelines
- Cloudflare security best practices
- Zero Trust security model
- Principle of least privilege
Security updates are released as soon as possible after validation. Subscribe to:
- GitHub Security Advisories
- GitHub Releases (security releases are tagged)
- GitHub Watch notifications
If you have questions about security that aren't covered here:
- Open a Discussion (for general security questions)
- Check Cloudflare's security documentation
- Review the CONTRIBUTING.md file
We appreciate the security research community and will acknowledge researchers who responsibly disclose vulnerabilities (with permission).
Security is a shared responsibility. Thank you for helping keep KV Manager secure!