Etherpad 1.8.6 released

1.8.6 includes an important security update so we recommend updating ASAP.

With 1.8.6 Etherpad now provides a method to copy pads that uses roughly 10% of the computational resources to copy a pad without any previous history. See: copyPadWithoutHistory

A postgres bug existed in 1.8.5 so if you are a postgres user we recommend updating to 1.8.6.

Various other changes are available in the small changelog. As always our focus is on ease of implementation, scale, stability and consistency throughout the editor. Sorry if you hope to get new bells and whistles with this release, things should be stable with 1.8.6 which means we can shift our focus to 1.9 which is scheduled to be our final release during 2020 and will have some major new changes we are pretty excited to announce.

Thanks for supporting Etherpad and being involved with the project <3

Etherpad is on Github sponsors

You probably know what Github sponsors is, if not, it’s a way you can support projects like Etherpad by donating a monthly amount. I don’t think waxing lyrical about the benefits of supporting Etherpad is useful but I think it’s worth mentioning we’re under Software Freedom Conservancy (501c3) and all funds raised go back into the project and we try to donate to dependency projects whenever we can.

Etherpad’s Github Sponsors page.

Pad your way! Create your own theme with the new theme variant generator

In 1.8.3 Etherpad introduced a new feature called the “Theme variant generator”. To access it append #skinvariantsbuilder to your Pad URL IE

Once you have it styled how you like then copy the Result to settings.json and restart Etherpad. After restart this style will be applied to pads and you don’t need to include the #skinvariantsbuilder.

Say hello to Etherpad 1.8.3

This release is huge, probably our biggest in 5 years. If you used to use Etherpad back in the day but it’s fallen off your radar then this might be the release that brings you back. If not, that’s cool, thanks for the love anyway :)

This release includes 5 Critical Security Vulnerability resolutions which in itself is enough of a reason to update.

1.8.3 also includes our new modern interface by default. We’re really chuffed with it!

The usual bug-fixes and optimizations are in but this release can basically be summarized as “Modern at the front, secure(r) at the back”. Unlike yo momma…

Anyway, enough waffle.


Video chat with Etherpad

Etherpad is a humble project and we’re really appreciative that you either use it or contribute. Thanks!

It’s time for us to give back. This time we’re supporting the global efforts to stop the Corona Pandemic by giving people a real-time editing and video conferencing tool that’s completely free to use with no sign in.

Video Chat by Etherpad

❤️ to 26LLC for covering our hosting costs & ❤️ to the WebRTC guys for making WebRTC work.

❤️ to everyone, we hope Corona passes and normal service is resumed. Stay awesome!

Updating Etherpad for Modern JavaScript

This is a guest post from our contributor Ray Bellis, from Internet Systems Consortium, Inc.
Ray took care of migrating Etherpad code to async/await. His work landed on #3540, and will be part of next Etherpad release (1.8).



Etherpad is a popular collaborative real-time editing application. It is written to run within the NodeJS server-side JavaScript engine.

A lot of its code is quite old and written using coding paradigms that have since been replaced with much better alternatives. This resulted in a significant “technical debt” and a code base that is difficult to maintain and enhance.

At ISC we use Etherpad extensively. We wanted to add some functionality but found the code base very difficult to work with, and in particular the program’s flow of execution was difficult to analyse. I determined that the code could probably benefit from rewriting parts of it to take advantage of new language features.

With ISC’s support, I therefore recently spent a few weeks working on a significant refactoring of the Etherpad code, with that work described here.

Continue reading

Important critical Etherpad release – 1.6.4

TLDR; Site admins should Update ASAP to 1.6.4 due to several security enhancements.

Today we released Etherpad 1.6.4.

This release fixes several security vulnerabilities in recent versions:

  • One is an arbitrary code execution vulnerability in version 1.6.3.
  • Another is an arbitrary code execution vulnerability which is present in all versions from 1.5.0 on, but only exploitable on sites that store pads in DirtyDB, CouchDB, MongoDB, or RethinkDB.
  • A third allows attackers to export any pad without knowing its name (as normally required) in all versions from 1.5.0 on.


The Etherpad Leadership Team recommends that administrators upgrade to 1.6.4 as soon as possible to mitigate these issues.

“Etherpad is key to a number of organization that promote collaboration, freedom and transparency and as such we are proud to provide infrastructure for these values,”

said John McLear, Etherpad’s chief maintainer.

“In a world that is becoming more fragmented, we’re very keen to promote global collaboration and are dedicated to improving the security of Etherpad.”

About Etherpad

Etherpad is a highly customizable free software editor for collaborative editing online. Used to support collaboration across many important initiatives across the Internet, Etherpad is critical web infrastructure. Etherpad is widely used by individuals and groups who want to collaborate effectively using decentralized trusted free software.

Etherpad is a member project of Software Freedom Conservancy

The Etherpad foundation would like to thank Synacktiv for responsibly disclosing these vulnerabilities.

What’s new in Etherpad since Google’s acquisition?

TLDR; Etherpad has changed a lot over the last few years, you should check out some of the great new stuff.

There has been a lot of progress in Etherpad but you might not know about it all because the instance you are using might be old and out of date. We wanted to make it easy for you so here is what’s new in Etherpad since we went open source nearly 5 years ago!

Plugin Framework and management

Client side plugins extend the editor functionality with excellent user experiences such as video conferencing, rich text editing, images, tables, comments, markdown, LaTeX and so much more. On the Server side hundreds of plugins extend Etherpad including support for email notifications, pad management, authentication.. The list really does go on so you should open it in a new tab and check it out when you have a few minutes spare!
Etherpad provides an admin page which provides functionality to edit settings, check your instance settings and manage plugins. Best of all the admin page is super quick and easy to use, similar to how WordPress does plugin management.


From High Resolution screen support to screen reader support to Internationalization (Translations) to Keyboard shortcuts we’re really keen to improve accessibility on the front end. On the back end various well documented clients and libraries for both the API and editor all supported by excellent Etherpad core documentation. We have also focused on document portability ensuring your ENTIRE pad including every single edit(and it’s history) can be exported and taken from one Etherpad instance to another, something no competitor offers.

Huge performance increases

The “old” version of Etherpad was stable up to about 20 people on a pad, after that things got a bit shaky. We’re now testing up to about 250 users on a single pad, way beyond what competitors can offer.

Stability improvements

We now provide both automated front-end and automated back-end testing for Etherpad. This has helped uptime instances be way within the 99.9% threshold required by most operators. While we’re constantly improving on this we’re really proud of the latest figures (99.993% up-time) across our enterprise supported instances and we hope to keep pushing for even better stability moving forward.

Recently we began providing our security releases as CVEs, this has helped the security community do deeper audits of Etherpad to move forward to a more secure piece of software

Commercial services

You know what commercial services are, if your company is using Etherpad then you probably have an internal guy that’s your Etherpad guy. Without that guy we wouldn’t exist as a project so here is an opportunity for us to say thanks! If you are that guy and you feel like you would like some support with your Etherpad instance do get in touch and we’d be happy to connect you to someone that can help. If you are a developer or admin and enjoy working with Etherpad then also get in touch, we can connect those dots too!

Shut up and take me to Etherpad!

Release 1.5.5

IMPORTANT: Security release, please update your instances!

This is another security release, the exploit is documented as CVE-2015-3297 — If a specifically formatted URL is used to access Etherpad a file can be read from the filesystem. This issue has existed in Etherpad since 2012 so pretty much all deployments will be effected.

We have been doing a lot of security releases lately as we complete our third security audit. Our apologies for creating such a fire under admins to update so frequently lately.

SECURITY: Traversing URL exploit
NEW: Default Pad options can now be defined in settings.json, see the Etherpad Template file for reference.
NEW: sessionKey is now automatically generated and stored in the file system.
NEW: Logic for handling pad creation with illegal characters
FIX: IE10 now works
FIX: html10n missing semicolons, prevents warnings
FIX: Importing of Large .Etherpad files no longer crashes the server
UPDATES: Update all stuck dependencies (Inc underscore)
UPDATES: Update to Express 4
UPDATES: We no longer support IE8