By Emily Stark

Today we’re releasing Meteor 1.0.1 with a patch for a security vulnerability that could cause data loss in Meteor apps that use allow/deny rules. We are also releasing patches for all major Meteor releases prior to 1.0. If you use allow/deny rules in your app, or if your app uses packages that use allow/deny rules, we recommend that you update immediately. This bug affects all Meteor versions since 0.5.0.

Update your app from 1.0 to 1.0.1 by running meteor update --release 1.0.1 . If you are running from an older Meteor release, we have also published these patch releases: 0.6.5.3, 0.7.2.3, 0.8.3.1, and 0.9.4.1. To update your app to one of those releases, run meteor update --release <release number> .

For users who are unable to update to one of the patch releases, we’ve provided a small code snippet that you can use as a workaround to protect your app. The code snippet should be placed in top-level code in your app’s server/ directory, and can be found here.

Thanks to David Workman for reporting this issue to us. We will release more details about the vulnerability after users have had a chance to update. We strongly recommend taking the update ASAP, given the possibility of data loss.

As a reminder, if you think you have come across a security issue in Meteor, please report it to security@meteor.com or our HackerOne program.