Security Log

A summary of Tetrix’s latest security findings and updates.

February 21, 2022

Vulnerability affecting Tetrix

We deployed a security update to Tetrix. It prevents an unsecured Google API endpoint from being reachable, which could lead to information disclosure between workspaces.

If you are running a self-hosted installation of Tetrix, this is unlikely to affect you. We nevertheless recommend updating to version 2022.01.

We were notified about this issue on February 20th; it was reviewed, validated and remediated the same day. Furthermore, we conducted a root-cause analysis to identify and remediate the underlying issues of this exploit.

Lessons we learned

  • We are now running active checks that terminate the session when a workspace connects to the metadata API (#8334)
  • The issue will be subject to penetration testing procedures
  • We are adding automated tests which ensure the aforementioned checks remain in effect
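The following is an added example, not Tetrix's own code, of the kind of check and regression test the points above describe. It assumes the "metadata API" is the Google Compute Engine metadata server (`metadata.google.internal`, 169.254.169.254); the connection-record format, session ids and function names are hypothetical.

```python
import ipaddress

# Assumption: the "metadata API" is the Google Compute Engine metadata server.
METADATA_HOSTNAMES = {"metadata.google.internal"}
# Design choice for this example: treat the whole link-local range as
# off-limits for workspaces, not only the single metadata address.
LINK_LOCAL_V4 = ipaddress.ip_network("169.254.0.0/16")
LINK_LOCAL_V6 = ipaddress.ip_network("fe80::/10")


def is_metadata_destination(host, resolved_ip):
    """Return True if a connection targets the metadata service.

    Both the requested name and the address it resolved to are checked, so a
    custom DNS name pointing at the link-local address is still caught.
    """
    if host.rstrip(".").lower() in METADATA_HOSTNAMES:
        return True
    try:
        addr = ipaddress.ip_address(resolved_ip)
    except ValueError:
        # Fail closed: an unparseable address is treated as a violation.
        return True
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) before the range check.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if addr.version == 4:
        return addr in LINK_LOCAL_V4
    return addr in LINK_LOCAL_V6


def sessions_to_terminate(connections):
    """Return the sorted workspace session ids with a metadata connection."""
    return sorted({c["session"] for c in connections
                   if is_metadata_destination(c["host"], c["resolved_ip"])})


# Constructed sample records (hypothetical format, not Tetrix log output).
SAMPLE_CONNECTIONS = [
    {"session": "ws-a", "host": "pypi.org", "resolved_ip": "151.101.0.223"},
    {"session": "ws-b", "host": "metadata.google.internal", "resolved_ip": "169.254.169.254"},
    {"session": "ws-c", "host": "alias.example.test", "resolved_ip": "169.254.169.254"},
    {"session": "ws-d", "host": "v6.example.test", "resolved_ip": "::ffff:169.254.169.254"},
    {"session": "ws-e", "host": "example.org", "resolved_ip": "93.184.216.34"},
]

if __name__ == "__main__":
    print(sessions_to_terminate(SAMPLE_CONNECTIONS))
```

Keeping assertions on these cases in the test suite is one way to make sure the check stays in effect after later changes.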

Kudos to Alan and the Team

We would like to thank Alan Cao for notifying us about this issue and for including a comprehensive write-up that made revalidation easy. The Tetrix teams also understood and remediated the issue swiftly; a timely response is key.