v0.19.3 — Security Patch: Z205 Evasion Fix

@github-actions github-actions released this 03 Jul 07:44
334164c

[0.19.3] — 2026-07-02

🔒 Security Advisory

This patch release addresses a security vulnerability in the Polyglot Extractor introduced in v0.19.0. All users utilizing Zenzic as a CI security gate are strongly advised to update immediately.

Fixed

  • Security (Z205 Bypass): Resolved a parser differential vulnerability where attackers could evade the Z205 (Forbidden Scheme) security gate. The extractor now correctly adheres to the HTML5 "first-wins" attribute parsing rule, preventing "Double Href" injection attacks.
  • Security (Encoding Evasion): The engine now correctly unescapes HTML entities and strips obfuscating control characters before evaluating URI schemes, preventing bypasses using encoded javascript: or data: payloads.
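
The two rules named above (first-wins duplicate attributes, and entity decoding plus control-character stripping before the scheme check), as an added Python example that is not Zenzic's own code. `audit`, `scheme_of`, the `FORBIDDEN` set and the sample markup are constructed for illustration, and the stripping follows the WHATWG URL parser's rule, which is an assumption about what the fix does.

```python
from html.parser import HTMLParser

# Assumed deny-list: the release notes name only javascript: and data:.
FORBIDDEN = {"javascript", "data"}
C0_AND_SPACE = "".join(map(chr, range(0x21)))  # U+0000..U+0020
TAB_NEWLINE = {0x09: None, 0x0A: None, 0x0D: None}

def scheme_of(value):
    """Lowercased scheme of an already entity-decoded URL value, else None."""
    # WHATWG URL parsing: trim leading/trailing C0 controls and spaces,
    # then drop tab/LF/CR anywhere, before looking for the scheme.
    v = value.strip(C0_AND_SPACE).translate(TAB_NEWLINE)
    head, sep, _ = v.partition(":")
    if not sep or not head or not head.isascii() or not head[0].isalpha():
        return None
    if not all(c.isalnum() or c in "+-." for c in head):
        return None  # e.g. "docs/a:b" is a relative path, not a scheme
    return head.lower()

class LinkAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases names, keeps duplicates in source order and
        # has already decoded entities in values, so no second unescape here.
        seen = set()
        for name, value in attrs:
            if name in seen:
                continue  # HTML5 first-wins: later duplicates are ignored
            seen.add(name)
            if name in ("href", "src") and value:
                scheme = scheme_of(value)
                if scheme in FORBIDDEN:
                    self.findings.append((tag, name, scheme))

def audit(markup):
    """Return (tag, attribute, scheme) for each forbidden link a browser would use."""
    parser = LinkAudit()
    parser.feed(markup)
    parser.close()
    return parser.findings
```

Python's `html.parser` is not a spec-complete HTML5 tokenizer, so a gate built this way still needs differential testing against real browser parsing.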

Technical Details

  • Performance: The security hardening maintains the strict $O(N)$ (RE2/DFA-pure) execution time invariant.
  • DQS Invariant: Repository Documentation Quality Score remains verified at 100/100.