Bolt 3.2.20 and Bolt 3.3.6 are now available. These releases contain a security fix and as such we strongly encourage all Bolt 3.2 and Bolt 3.3 users to update their sites.

Bolt uses the Symfony Profiler to display debug information on development websites. We have discovered a flaw in the binding of the routes for the Profiler in Bolt 3.2 and above.

Debugging should never be enabled on production websites. However, if you haven't turned off debugging in production, this flaw could be exploited to retrieve debug information. This release adds additional safeguards to prevent websites that have, or had, debug enabled from leaking this information.

We apologize for the oversight, and the inconvenience.

Note: If you can not update your sites immediately, we urge you to check that your site is configured correctly:

  • Make sure debug is disabled on public facing (“production”) websites, by settingdebug: false in your config.yml
  • If you had to change the setting, be sure to flush the Bolt cache to remove any lingering profile data

If you do the above, or if your site’s debug option was already disabled, this issue will not affect you.

Upgrade for Bolt 3.3.x

To install this version from scratch, follow the instructions on the updated installation page in the documentation, as can be found here: Installing Bolt.

To upgrade an existing site, run composer update, or see Updating. Be sure to get the correct versions, though: bolt-latest.tar.gz or

If you need the version with all files inside the web root, grab bolt-latest-flat-structure.tar.gz or

To do a 15-second update, use the following:

curl -O
tar -xzf bolt-latest.tar.gz --strip-components=1
php app/nut init

Upgrade for Bolt 3.2.x

Note: Bolt 3.2 is officially End of Life (EoL). However, as this is a secuirty related release, and some of our users are still in the running 3.2, we felt it was prudent to release an out-of-band release for the 3.2 branch.

To update an existing Bolt 3.2.x site, without updating to Bolt 3.3, you can either use Composer or download the latest 3.2.x distribution.

To update using Composer, modify your composer.json before running composer update, so it's restricted to Bolt 3.2:

    "require": {
        "php": "^5.5.9 || ^7.0",
        "bolt/bolt": "3.2.*",
        "passwordlib/passwordlib": "^1.0@beta"

Note the omission of the caret ^ in 3.2.*. Run composer update and the site will be updated.

If you prefer the distribution files, grab the right one here:

To do a 15-second update, use the following:

curl -O
tar -xzf bolt-v3.2.20.tar.gz --strip-components=1
php app/nut init

If you have any questions or remarks, post a comment below, or join us on Slack or IRC.

comments powered by Disqus