Mapbox Security Bulletins

Millions of people touch Mapbox every month. That's why we are committed to creating the most secure and privacy-minded mapping and location platform in the world.

Recent vulnerabilities discovered

Mapbox Android SDK - Switch to Local Broadcast Manager

March 21, 2017

Summary:

Mapbox Android SDK v4.0.0 through v4.2.0 use a Broadcast Receiver for location services requests instead of the Local Broadcast Manager. The Local Broadcast Manager offers more granular control of broadcast permissions, as well as performance enhancements.

Affected:

Mapbox Android SDK v4.0.0 through v4.2.0

Mapbox.js - XSS via share control

January 12, 2016

Summary:

When the share control of a mapbox.js map is clicked, arbitrary script content will execute if a malicious user has injected script content into the name property of TileJSON data.

Affected:

Mapbox.js v2.2.3 and earlier
Mapbox.js v1.6.4 and earlier

Mapbox.js - XSS via attribution control

October 24, 2015

Summary:

When a Mapbox.js map is loaded, malicious scripts will execute if the script content is inserted into the attribution property of TileJSON data.

Affected:

Mapbox.js v2.1.6 and earlier
Mapbox.js v1.6.4 and earlier