RuView

RuView: Critical Security Fixes and ESP32 Firmware Release

Three merged pull requests addressed critical security vulnerabilities and system stability issues, including a fail-closed OTA authentication fix and ESP32 firmware stack overflow resolution. The team released ESP32-S3 firmware version 0.6.5 with comprehensive hardware validation.

Duration: 2 minutes 1 second

https://podlog.io/listen/ruview-6098f5e5/episode/ruview-critical-security-fixes-and-esp32-firmware-release-5cf17e40

Transcript

Good morning. This is RuView for May 19th, 2026.

ruvnet merged three critical pull requests yesterday addressing security and stability issues across the platform.

The most significant change was pull request 623, which fixed a critical OTA upload vulnerability. Previously, ESP32 nodes with no provisioned PSK accepted firmware uploads from any host over plain HTTP - essentially allowing attackers to brick or backdoor devices with a single network call. The fix changes the authentication to fail-closed, rejecting all requests until a PSK is properly provisioned.

Pull request 621 resolved a WebSocket broadcast issue where the sensing server displayed incorrect connection status. After ESP32 nodes lost power or network connectivity, the UI continued showing "LIVE - ESP32 HARDWARE Connected" with frozen data. The fix now correctly switches to "esp32:offline" status within five seconds.

Pull request 628 wrapped up ESP32-S3 firmware version 0.6.5, addressing a Timer Service stack overflow that caused boot loops on fresh builds. The issue stemmed from a missing configuration in the canonical build file that set the FreeRTOS timer task stack depth to 8KB instead of the insufficient 2KB default.

All fixes underwent end-to-end hardware validation on COM7 with ESP32-S3 8MB modules. The security fix includes comprehensive audit markers to prevent future regressions.

What's next: The OTA security change is a breaking change for any deployments relying on unauthenticated firmware updates. Teams should provision PSK keys before upgrading to avoid rejected upload requests.

That's your RuView briefing. Back tomorrow with more developer updates.
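
The fail-open versus fail-closed behaviour described for pull request 623, shown as an added example in C that is not RuView's firmware code. The struct, the function names and the idea that an upload request carries a token compared directly against the PSK are assumptions; the briefing does not say how the firmware presents the PSK.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical node config: psk_len == 0 means no PSK was provisioned. */
typedef struct {
    uint8_t psk[32];
    size_t  psk_len;
} ota_auth_cfg;

/* Constructed sample configs, not real keys. */
static const ota_auth_cfg UNPROVISIONED = { {0}, 0 };
static const ota_auth_cfg PROVISIONED   = { "constructed-sample-psk", 22 };

/* Constant-time compare: does not reveal how many leading bytes matched. */
static bool ct_equal(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* "Before" behaviour as described: with no PSK the check is skipped. */
bool ota_authorize_fail_open(const ota_auth_cfg *cfg,
                             const uint8_t *tok, size_t tok_len) {
    if (cfg->psk_len == 0) return true;            /* fail-open */
    return tok != NULL && tok_len == cfg->psk_len &&
           ct_equal(tok, cfg->psk, tok_len);
}

/* Fail-closed: an unprovisioned or malformed config rejects every request. */
bool ota_authorize_fail_closed(const ota_auth_cfg *cfg,
                               const uint8_t *tok, size_t tok_len) {
    if (cfg == NULL || cfg->psk_len == 0 || cfg->psk_len > sizeof cfg->psk)
        return false;
    if (tok == NULL || tok_len != cfg->psk_len) return false;
    return ct_equal(tok, cfg->psk, tok_len);
}

int main(void) {
    const uint8_t *good = (const uint8_t *)"constructed-sample-psk";
    printf("unprovisioned, fail-open:   %d\n",
           ota_authorize_fail_open(&UNPROVISIONED, NULL, 0));
    printf("unprovisioned, fail-closed: %d\n",
           ota_authorize_fail_closed(&UNPROVISIONED, NULL, 0));
    printf("provisioned, correct token: %d\n",
           ota_authorize_fail_closed(&PROVISIONED, good, 22));
    return 0;
}
```
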