chore(deps): update dependency ctfd/ctfd to v3.8.2 #56

Open
renovate[bot] wants to merge 1 commit into main from renovate/ctfd-ctfd-3.x

renovate bot commented Sep 7, 2025

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| ctfd/ctfd | minor | 3.7.7 -> 3.8.2 |

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

ctfd/ctfd (ctfd/ctfd)

v3.8.2

Security

  • Fixes a vulnerability where a malicious admin user could import a crafted zip file to write files arbitrarily depending on the deployment

General

  • When a user is submission ratelimited, those submissions will now be the ratelimit submission type instead of incorrect
  • Fix issues with ratelimiting on max attempt challenges
  • Switch max attempt timeout messaging to seconds instead of minutes
  • Fix issue where users would get an error when solving an already solved challenge

Plugins

  • Add Ratelimiteds submission class
  • Add BaseChallenge.ratelimited() method which creates Ratelimiteds submissions
  • Add force_all parameter to CTFd.plugins.migrations.upgrade() to allow plugins to decide if they want to force run all migrations
  • Add app.overridden_functions global which allows plugin developers to override functions that support the behavior
  • Raise ChallengeSolveException in BaseChallenge.solve() when encountering a duplicate solve situation

Themes

  • Mark required fields in registration, login, and custom fields with a red asterisk

Deployment

  • The provided Docker Compose file will no longer use the root user and instead use the provided ctfd user
  • Add PUT method to IP address tracking

Translations

  • Add Norwegian, Turkish, Croatian translations

v3.8.1

Security

  • Make challenge attempt ratelimit stricter
  • Make reset password ratelimit stricter and apply per-account

General

  • Integrates dynamic scoring into the standard challenge type
    • All challenges will now have initial, decay, minimum, function columns available through the standard challenge type
    • Scoring logic for challenges can be configured with the function field
    • The dynamic value challenge plugin will remain supported until CTFd 4.0
  • Add solved solution visibility to challenge solutions
    • This only allows a user to view a challenge's solution if they've solved the associated challenge

Admin Panel

  • Add bulk editing for solution visibility in the Admin Panel Challenges page

API

  • Change GET /api/v1/solutions/[solution_id] to return 404 if a solution is hidden instead of a 403
  • Add /api/v1/challenges/[challenge_id]/solution endpoint to check if a challenge solution is accessible

Themes

  • CTFd.js has been bumped to 0.0.19
  • challenges.js now has additional functions getSolutionState and setSolutionId to allow the UI to determine if a solution is accessible

Deployment

  • Fixes issues where preset admins would not be created
  • Add RUN_ID config which specifies a token which will be used as a cache-buster URL parameter
  • Add EXTRA_CONFIGS_FORCE_TYPES config to allow server admins to force types for configs specified in the [extra] section
  • If UPDATE_CHECK is disabled the update prompt banner should be properly disabled
  • Fix issue where users would be put into an infinite loop if confirm emails is enabled without having an email server configured

Translations

  • Add Uzbek and Hebrew languages

v3.8.0

General

  • Admins can now configure whether users can see their past submissions
  • Admins can now store challenge solutions within CTFd to be viewed by users
  • Participants can now leave upvotes/downvotes on challenges as well as their review of a challenge
    • Ratings/Votes can be configured to be viewed by participants or only admins
    • Reviews are only visible by admins
  • Challenges now have the logic field which allows for challenge developers to control the flag collection behavior of a challenge:
    • any: any flag is accepted for the challenge
    • all: all flags for the challenge must be submitted
    • team: all team members must submit any flag
  • Max Attempts can now behave as a timeout instead of a lockout
    • For example a user who submits 3 attempts will then be prevented from submitting another attempt for 5 minutes instead of being unable to submit entirely
  • Social Shares for challenge completion are now enabled by default and admins may now control the social share template page
  • Additional attempts after solving on challenges will now show if the submission is correct/incorrect
  • If email sending is available, email confirmation is enabled by default and users are nudged to complete email verification.
  • Hints can now have a title that is shown before unlocking
  • Hints now always require unlocking even if they require no cost
    • Prevents accidental viewing and improves tracking of hint usage
  • CTFd will now store a tracking event under challenges.open in the Tracking table when a challenge is opened for the first time by a user
  • Challenges now report whether a flag is correct or incorrect even if the challenge has already been solved
  • Fixes issue where admins could not download challenge files before CTF start when downloading anonymously

Admin Panel

  • Added a matrix scoreboard to the Statistics page to show player progression through the CTF
  • Added support for brackets in the Admin Panel scoreboard
  • Added config option for minimum password length
  • Added config option to control whether players can view their previous submissions
  • Admins can now require users to change their password upon login
  • Added config option to control Max Attempts behavior
  • In the Admin Panel challenge preview, admins now only see free hints
  • Fixed issue where the hint form was not resetting properly when creating multiple hints

API

  • Added /api/v1/users/me/submissions for users to retrieve their own submissions
  • Added /api/v1/challenges/[challenge_id]/solutions for users to retrieve challenge solutions
  • Added /api/v1/challenges/[challenge_id]/ratings for users to submit ratings and for admins to retrieve them
  • Added ratings and rating fields to the response of /api/v1/challenges/[challenge_id]
  • Added solution_id to the response of /api/v1/challenges/[challenge_id]
    • If no solution is available, the field is null
  • Added logic field to the response of /api/v1/challenges/[challenge_id]
  • Added change_password field to /api/v1/users/[user_id] when viewed as an admin
  • Added /api/v1/solutions and /api/v1/solutions/[solution_id] endpoints
  • /api/v1/unlocks is now also used to unlock solutions for user viewing

Deployment

  • Added PRESET_ADMIN_NAME, PRESET_ADMIN_EMAIL, PRESET_ADMIN_PASSWORD, and PRESET_ADMIN_TOKEN to config.ini for pre-creating an admin user
    • Useful for automated deployments and ensuring a known admin token exists
  • Added PRESET_CONFIGS to config.ini for pre-setting server-side configs
    • Useful for configuring CTFd without completing setup or using the API
  • Added EMAIL_CONFIRMATION_REQUIRE_INTERACTION to config.ini to require additional interaction for email confirmation links
    • Improves compatibility with certain anti-phishing defenses
  • Email confirmation is now enabled whenever email sending is available
  • Replaced pybluemonday with nh3 (due to breakage in Python modules written in Golang)
  • Updated Flask to 2.1.3
  • Updated Werkzeug to 2.2.3

Plugins

  • Challenge Type Plugins should now return a ChallengeResponse object instead of a (status, message) tuple
    • Existing behavior is supported until CTFd 4.0
  • Added BaseChallenge.partial for challenge classes to indicate partial solves (for all flag logic)

Themes

  • The core-beta theme has been promoted to core
    • The core-beta repo has been replaced with the core-theme repo. Future changes should be made in the main CTFd repo and these changes will be copied over to the core-theme repo.
  • The previous core theme has been deprecated and renamed core-deprecated

Configuration

📅 Schedule: Branch creation - "on saturday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate bot force-pushed the renovate/ctfd-ctfd-3.x branch from 3419915 to 3842825 on November 7, 2025 03:07
renovate bot changed the title from "chore(deps): update dependency ctfd/ctfd to v3.8.0" to "chore(deps): update dependency ctfd/ctfd to v3.8.1" on Nov 7, 2025
renovate bot force-pushed the renovate/ctfd-ctfd-3.x branch 2 times, most recently from 5b43607 to 192c58f on February 5, 2026 21:50
renovate bot changed the title from "chore(deps): update dependency ctfd/ctfd to v3.8.1" to "chore(deps): update dependency ctfd/ctfd to v3.8.2" on Feb 5, 2026
renovate bot force-pushed the renovate/ctfd-ctfd-3.x branch from 192c58f to 3205fc5 on February 12, 2026 12:07