Today we released the first-ever security release for ActionHero. Details can be found below:
Previously, when a client asked for a static file which was missing (404), the default error responder returned the name of that file.
When requesting an action via JSONp, it was possible (though unlikely) that the
callback in the following way:
This fix has been back-ported to:
A huge thank you goes to @submitteddenied for reporting these issues and working to fix them.