At this time, we believe the situation should be resolved for all apps.
Posted Oct 30, 2024 - 20:17 EDT
Monitoring
We've made the below fix available to Dedicated boxes and apps on the Scheduled release tier. If you are on Dedicated, please use your Dedicated manager to update your cluster to the latest version to take advantage of the fix. Alternatively, you can uninstall plugins that depend on LottieFiles.
If you are a plugin maintainer, please check if your plugin uses LottieFiles and if so, please update to a safe version (2.0.4). We are coordinating directly with a handful of our most-installed plugins. The Canvas and LottieFiles plugins have been updated.
Posted Oct 30, 2024 - 18:20 EDT
Update
We just deployed a fix to automatically detect references to the compromised version (unpkg.com/@lottiefiles/lottie-player@latest) in Bubble-hosted html and replace it with a safe version (unpkg.com/@lottiefiles/lottie-player@2.0.4). We believe this will fix many/most 3rd party plugins that depend on LottieFiles, but we are continuing to investigate.
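The detect-and-replace step described in this update, and the "check if your plugin uses LottieFiles" step asked of plugin maintainers above, can both be done with a small scanner over the plugin or page HTML. The script below is an added example written for this page; it is not Bubble's own fix. It goes slightly beyond the page: besides `@latest`, it treats a reference with no version or with a non-exact version (for example `@2`) as unpinned, because unpkg resolves those to the newest matching release, and rewrites only unpinned references to the `2.0.4` version named on the page. Exact pinned versions are reported but left unchanged. The sample HTML is constructed for the example.

```python
import re

# Values taken from the status page: the package, the unpinned tag that served the
# compromised build, and the version named as safe.
PACKAGE = "@lottiefiles/lottie-player"
SAFE_VERSION = "2.0.4"

# Matches an unpkg.com reference to the package, with an optional "@<version>" part.
# The lookahead stops the match at the next path segment, quote, whitespace or ">",
# so "@lottiefiles/lottie-player-something" is not mistaken for the player.
_REF = re.compile(
    r"(?P<pre>https?://unpkg\.com/" + re.escape(PACKAGE) + r")"
    r"(?:@(?P<ver>[^/\"'\s>]+))?(?=[/\"'\s>]|$)"
)

# An exact semver version (optionally with a prerelease/build suffix) is considered pinned.
_EXACT = re.compile(r"\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?")


def is_unpinned(ver):
    """True for @latest, a missing version, or a range/major-only spec such as @2.

    Assumption (not stated on the page): unpkg resolves all of these to the newest
    matching release, so they would have pulled the compromised build just like @latest.
    """
    return ver is None or _EXACT.fullmatch(ver) is None


def find_references(html):
    """Return (version_spec, unpinned) for every lottie-player reference in html.

    This is the maintainer-side check: a non-empty result means the plugin uses
    LottieFiles; any entry flagged True is a reference that should be pinned.
    """
    return [(m.group("ver"), is_unpinned(m.group("ver"))) for m in _REF.finditer(html)]


def pin_references(html, safe_version=SAFE_VERSION):
    """Rewrite unpinned references to the safe version; return (new_html, count).

    Exact versions are left alone; only the unpinned forms are rewritten, mirroring
    the platform-side replacement described on the status page.
    """
    count = 0

    def repl(m):
        nonlocal count
        if is_unpinned(m.group("ver")):
            count += 1
            return f"{m.group('pre')}@{safe_version}"
        return m.group(0)

    return _REF.sub(repl, html), count


# Constructed sample, not a real Bubble page or plugin.
SAMPLE_HTML = """<script src="https://unpkg.com/@lottiefiles/lottie-player@latest/dist/lottie-player.js"></script>
<script src="https://unpkg.com/@lottiefiles/lottie-player@2.0.4/dist/lottie-player.js"></script>
<script type="module">
import "https://unpkg.com/@lottiefiles/lottie-player@2/dist/lottie-player.js";
</script>
<script src="https://unpkg.com/@lottiefiles/lottie-player/dist/lottie-player.js"></script>
<script src="https://unpkg.com/some-other-package@latest/index.js"></script>
"""

if __name__ == "__main__":
    for ver, unpinned in find_references(SAMPLE_HTML):
        print(f"{PACKAGE}@{ver or '<none>'}: {'UNPINNED' if unpinned else 'pinned'}")
    fixed, n = pin_references(SAMPLE_HTML)
    print(f"rewrote {n} reference(s) to @{SAFE_VERSION}")
    print(fixed)
```

Running the script reports four player references (three unpinned, one already at 2.0.4), rewrites the three unpinned ones, and leaves the unrelated `some-other-package@latest` tag untouched. Running `pin_references` a second time over the output rewrites nothing, so the scan can be applied repeatedly without side effects.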
Posted Oct 30, 2024 - 17:38 EDT
Identified
A 3rd party library used by Bubble as well as by many Bubble-built apps has been hacked to display crypto advertising. Information about this incident can be found here: https://github.com/LottieFiles/lottie-player/issues/255
We are currently working on removing the compromised version of the dependency, as well as providing instructions to our users to fix this if it impacts their own apps.