Releases: SAP/project-foxhound

v142.0.1

15 Jun 14:30
1bb8dbd

What's Changed

Upstream Versions 🦊

  • Firefox v142.0.1
  • Compatible with patches for Playwright 1.58.2 (#356)
  • Corresponds to Firefox Commit ID: e0df3d5 and version 142.0.1

Features 🚀

  • Propagate taint when cloning strings during GC tenuring by @tmbrbr
  • Remove native_ property from TaintOperation (#360) by @leeN
  • Fix taint export extension loading and improve performance by 95-98% (#358) by @tmbrbr

Bugfixes 🐛

  • Fix taint propagation in toLowerCase and normalize (#362) by @eleumasc

Improvements 🔧

  • Add GitHub issue and PR templates for upstream version updates by @tmbrbr
  • Fix test result parser and exit with error on failed tests

Full Changelog: v140.0.2...v149.0

v140.0.2

23 Feb 12:25
8c19173

What's Changed

News 📰

Upstream Versions 🦊

Features 🚀

  • 🧩 Added a built-in extension to send JSON serialized taint information to an external server (#340, #347, #335) by @tmbrbr
  • Adding URL-related taint operations (#350) by @tmbrbr
  • Propagate taint through StringIterator (#349, #348) by @eleumasc
  • ⏱️ Only create TaintOperations for tainted strings (#336) by @leeN
  • 👇 Binary builds are back!

Bugfixes 🐛

Full Changelog: https://github.com/SAP/project-foxhound/commits/v140.0.2

v130.0

05 Sep 08:29
59712bf

What's Changed

News 📰

Upstream Versions 🦊

Features 🚀

  • Adding end-2-end tainting (#307) whereby Foxhound will taint marked content for incoming HTTP responses.
  • Adding more sources and sinks related to the fetch API (#302)
  • Multiple test improvements (#297, #298, #325)
  • Adding build badges to the README (#317)

Bugfixes 🐛

  • Taint propagation for StringBuffer conversion (#291)
  • Fixing Debug mode (#314), at least partially
  • Multiple fixes (#296, #304, #310, #327)

Due to various issues with the GitHub actions and runners, binaries for this release aren't available directly. Don't worry though, you can still find the latest Linux builds on the TU-BS server.

Full Changelog: v128.0...v130.0

v128.0

16 May 08:27
e0033ca

What's Changed

Simply the Best!

  • 🏆 Foxhound has been rated the best tool for Dynamic Security Analysis of JavaScript by independent researchers! In their study, Foxhound outperformed 17 other tools in all of the categories considered, namely compatibility (95%), transparency (97%), coverage (94%) and performance (1.4x).
  • We also broke the 100 GitHub stars ⭐ barrier! Spread the love ❤️!

Upstream Versions 🦊

Features 🚀

  • 📦 Upload of build artifacts via GitHub Actions (#263): release binaries now available below! 👇
    • Currently supporting Windows and Ubuntu Linux builds
    • macOS builds using macos-13 (Intel x86) and macos-latest (M1 ARM) are experimental. Feedback welcome!
  • Adding support for the script.textContent sink (#282)
  • GC Hazard Analysis and fixes (#280, #278)

Bugfixes 🐛

  • Some branding fixes (#283)
  • Fix taint loss in Node.normalize() (#273)
  • Fail the build script if zip not installed (#270)

Full Changelog: v126.0...v128.0

v126.0

17 Mar 14:17
8ffb04c

What's Changed

Upstream Versions 🦊

Features 🚀

  • Support for custom sources and sinks #250, thanks @leeN!

Bugfixes 🐛

  • Some fixes for taint propagation through custom sources (#257, #258)
  • Fixing logo-related issues (#256)

Full Changelog: v125.0...v126.0

v125.0.1

27 Jan 08:04
94dcf25

What's Changed

Upstream Versions 🦊

Features 🚀

  • Foxhound has a new logo (#245) which has been added to the documentation and the browser itself. Thanks to the SAP OSPO for the great support here!
  • Added bash script for one-click builds including Playwright merging (#225, #229, #231), thanks @leeN!
  • Added GitHub Action to check Playwright patch applicability (#232)
  • Pre-built binaries provided by TU Braunschweig (#234)!
  • Adding option to dump tainting findings to file (#242, #247)

Bugfixes 🐛

Full Changelog: v123.0...v125.0

v123.0

09 Sep 09:34

What's Changed

Upstream Versions

Full Changelog: v121.0...v123.0

v121.0

25 Apr 10:17

What's Changed

Upstream Versions

Fixes

  • #208 Fixed memory leak and crashes due to GC during memory allocation

Full Changelog: v119.0...v121.0

v119.0

07 Mar 13:07

What's Changed

Version Updates

  • Update to Firefox version 119.0
  • Playwright 1.41 by @tmbrbr in #192

Feature Updates

  • Fixes as suggested by clang-tidy by @leeN in #193
  • Performance Tweaks by @leeN in #195
  • Added Thread Safety Analysis Exceptions by @leeN in #197
  • DOM Related Sources and Sinks by @tmbrbr in #198
  • Foxhound: Adding JSON path string to JSON parse operations by @tmbrbr in #200
  • Tab Crashing Fixes by @tmbrbr in #203

Full Changelog: v118.0.1...v119.0

v118.0.1

17 Jan 12:29

Version Updates

Feature Updates

  • Adding more information to XHR response sources #191
  • Fixing issue with nsURLHelper which was losing taint information #188
  • Dynamic setting / disabling of sources and sinks via preferences #184

Full Changelog: v115...v118.0.1