From 621331b03e16a65a4e9c470fa3d1a93136e45b99 Mon Sep 17 00:00:00 2001
From: C85297 <95289555+C85297@users.noreply.github.com>
Date: Wed, 28 Jan 2026 16:10:51 +0000
Subject: [PATCH 1/3] Update CHANGELOG for v10.20.0

---
 CHANGELOG.md | 165 ++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 164 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index d3a8feb7..535a11a3 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -13,6 +13,75 @@ All major and minor version changes will be documented in this file. Details of
 
 ## Details
 
+### [10.20.0] - 2026-01-28
+- Fixed Optical Character Recognition and added tests [@n1474335] | [ab37c1e]
+- Fixed JA4 version fallback value [@n1474335] | [7a5225c]
+- Updated chromedriver [@n1474335] | [0e82e4b]
+- Fixed RSA Sign and Verify character encodings [@n1474335] | [895a929]
+- Updated chromedriver [@n1474335] | [d3adfc7]
+- Added message format arg to RSA Verify operation [@n1474335] | [47c85a1]
+- Add operation for parsing X.509 CRLs [@robinsandhu] | [#1887]
+- Fix typo in description of JWT Sign recipe [@GuilhermoReadonly] | [#1961]
+- Corrected path to generateNodeIndex.mjs [@simonarnell] | [#1959]
+- Add 'header' ingredient to JWT Sign operation [@RandomByte] | [#1957]
+- Add Parse TLS record operation [@c65722] | [#1936]
+- Automatically detect chrome driver version [@gchq] | [#1972]
+- Add Strip UDP header operation [@c65722] | [#1900]
+- Add Strip TCP header operation [@c65722] | [#1898]
+- Webpack compress with gzip and brotli [@max0x53] | [#1955]
+- add offset field to 'Add Line Numbers' operation [@Adamkadaban] | [#1866]
+- Disable flakey URL test [@a3957273] | [#1973]
+- Add Strip IPv4 header operation [@c65722] | [#1899]
+- IPv6 Transition Operation [@jb30795] | [#1780]
+- fix: Blowfish - ignore IV length in ECB mode [@FranciscoPombal] | [#1902]
+- Add 'Drop nth bytes' operation [@Oshawk] | [#1914]
+- Add 'Take nth bytes' operation  [@Oshawk] | [#1915]
+- Add Leet Speak [@bartblaze] | [#1971]
+- Fix Generate TOTP & HOPT [@exactlyaron] | [#1966]
+- Updated luhn checksum operation to work with different bases [@k3ach] | [#1933]
+- automatically theme mode based on user preference [@vs4vijay] | [#1921]
+- fix: DES/Triple DES - misleading error messages [@FranciscoPombal] | [#1904]
+- fix: ROT13 - shifting numbers by negative amounts [@FranciscoPombal] | [#1903]
+- Introduce Yubico's Modhex for Conversion [@linuxgemini] | [#1105]
+- Feature: MIME RFC2047 Decoding [@MShwed] | [#630]
+- CC-1889 add _ option [@depperm] | [#1977]
+- chore(root): add cspell [@evenstensberg] | [#1976]
+- Preserve uppercase for Leet Speak [@bartblaze] | [#1981]
+- Load the user's preferred color scheme if the URL contains an invalid theme [@0xh3xa] | [#2007]
+- Add SM2 Encrypt and Decrypt Operations [@flakjacket95] | [#1909]
+- Support jq as an operation. [@zhzy0077] | [#1604]
+- Add fingerprints to the 'Parse X.509 certificate' operation [@JSCU-CNI] | [#1863]
+- Added a JSON to YAML and a YAML to JSON operation [@ccarpo] | [#1286]
+- Add CRC Operation [@r4mos] | [#1993]
+- Bug Fix: selected theme not loading when refreshing [@0xh3xa] | [#2006]
+- Fix(RecipeWaiter): sanitize user input in addOperation to prevent XSS [@0xh3xa] | [#2014]
+- Docker multiplatform build support [@PathToLife] | [#1974]
+- Add Base32 Hex Extended Alphabet and Base32 Tests. [@peterc-s] | [#1991]
+- Add ECB/NoPadding and CBC/NoPadding support to AES encryption [@plvie] | [#2013]
+- Add new operation: PHP Serialize [@brun0ne] | [#1548]
+- Push input through postmessage [@kenduguay1] | [#1992]
+- Add jsonata query operation [@jonking-ajar] | [#1587]
+- Re-enable Npm Release in github workflows [@PathToLife] | [#2031]
+- Add to ECDSA Verify the message format [@r4mos] | [#2027]
+- Added alternating caps functionality [@sw5678] | [#1897]
+- XOR Checksum operation added [@jg42526] | [#2035]
+- Add GenerateAllChecksums operation * Remove checksums from GenerateAllHashes operation [@es45411] | [66d445c]
+- Update GenerateAllChecksums infoURL [@es45411] | [#2037]
+- Add toggle "+" character to URLDecode operation [@es45411] | [#2040]
+- Workaround for Safari load bug [@GCHQDeveloper94872] | [#2038]
+- Updated Dockerfile to correctly build on ARM64 platforms [@Sma-Das] | [#2042]
+- Addresses bug report #2008 Added explicit support for octal IP addresses. Changed approach to IPv4 regex to be string manipulation generated. Added some unit tests for IP address parsing - probably not full coverage. Added lookahead and lookbehind tricks to resolve warned issue that 1.2.3.256 would still be extracted as 1.2.3.25. Now only accepts valid IP addresses. Warning replaced with clause about infinite length dotted decimal forms. [@gchqdev364] | [#2041]
+- Remove trim from rail fence [@Odyhibit] | [#1986]
+- Fix email regex [@ericli-splunk] | [#2025]
+- Add Blake3 hashing [@xumptex] | [#2023]
+- Use defaultIndex instead of 0 in transformArgs [@bartvanandel] | [#2015]
+- Add "Generate UUID" and "Analyse UUID" operations [@bartvanandel] | [#2011]
+- Add new operation: Template [@kendallgoto] | [#2021]
+- Add more clear build instructions [@remingtr] | [#1873]
+- Show On Map updated to use leaflet over WikiMedia [@0xff1ce] | [#1884]
+- Fixed ToDecimal signed logic [@starplanet] | [#1545]
+- Use BigInt for encoding/decoding VarInt [@mikecat] | [#1978]
+
 ### [10.19.0] - 2024-06-21
 - Add support for ECDSA and DSA in 'Parse CSR' [@robinsandhu] | [#1828]
 - Fix typos in SIGABA.mjs [@eltociear] | [#1834]
@@ -440,6 +509,7 @@ All major and minor version changes will be documented in this file. Details of
 ## [4.0.0] - 2016-11-28
 -  Initial open source commit [@n1474335] | [b1d73a72](https://github.com/gchq/CyberChef/commit/b1d73a725dc7ab9fb7eb789296efd2b7e4b08306)
 
+[10.20.0]: https://github.com/gchq/CyberChef/releases/tag/v10.20.0
 [10.19.0]: https://github.com/gchq/CyberChef/releases/tag/v10.19.0
 [10.18.0]: https://github.com/gchq/CyberChef/releases/tag/v10.18.0
 [10.17.0]: https://github.com/gchq/CyberChef/releases/tag/v10.17.0
@@ -630,6 +700,60 @@ All major and minor version changes will be documented in this file. Details of
 [@cplussharp]: https://github.com/cplussharp
 [@robinsandhu]: https://github.com/robinsandhu
 [@eltociear]: https://github.com/eltociear
+[@GuilhermoReadonly]: https://github.com/GuilhermoReadonly
+[@simonarnell]: https://github.com/simonarnell
+[@RandomByte]: https://github.com/RandomByte
+[@c65722]: https://github.com/c65722
+[@c65722]: https://github.com/c65722
+[@c65722]: https://github.com/c65722
+[@max0x53]: https://github.com/max0x53
+[@Adamkadaban]: https://github.com/Adamkadaban
+[@c65722]: https://github.com/c65722
+[@jb30795]: https://github.com/jb30795
+[@FranciscoPombal]: https://github.com/FranciscoPombal
+[@Oshawk]: https://github.com/Oshawk
+[@Oshawk]: https://github.com/Oshawk
+[@bartblaze]: https://github.com/bartblaze
+[@exactlyaron]: https://github.com/exactlyaron
+[@k3ach]: https://github.com/k3ach
+[@vs4vijay]: https://github.com/vs4vijay
+[@FranciscoPombal]: https://github.com/FranciscoPombal
+[@FranciscoPombal]: https://github.com/FranciscoPombal
+[@linuxgemini]: https://github.com/linuxgemini
+[@depperm]: https://github.com/depperm
+[@evenstensberg]: https://github.com/evenstensberg
+[@bartblaze]: https://github.com/bartblaze
+[@0xh3xa]: https://github.com/0xh3xa
+[@flakjacket95]: https://github.com/flakjacket95
+[@zhzy0077]: https://github.com/zhzy0077
+[@JSCU-CNI]: https://github.com/JSCU-CNI
+[@ccarpo]: https://github.com/ccarpo
+[@r4mos]: https://github.com/r4mos
+[@0xh3xa]: https://github.com/0xh3xa
+[@0xh3xa]: https://github.com/0xh3xa
+[@PathToLife]: https://github.com/PathToLife
+[@peterc-s]: https://github.com/peterc-s
+[@plvie]: https://github.com/plvie
+[@kenduguay1]: https://github.com/kenduguay1
+[@jonking-ajar]: https://github.com/jonking-ajar
+[@PathToLife]: https://github.com/PathToLife
+[@r4mos]: https://github.com/r4mos
+[@jg42526]: https://github.com/jg42526
+[@es45411]: https://github.com/es45411
+[@gchq]: https://github.com/gchq
+[@gchqdev364]: https://github.com/gchqdev364
+[@GCHQDeveloper94872]: https://github.com/GCHQDeveloper94872
+[@Sma-Das]: https://github.com/Sma-Das
+[@gchq]: https://github.com/gchq
+[@Odyhibit]: https://github.com/Odyhibit
+[@ericli-splunk]: https://github.com/ericli-splunk
+[@xumptex]: https://github.com/xumptex
+[@bartvanandel]: https://github.com/bartvanandel
+[@bartvanandel]: https://github.com/bartvanandel
+[@kendallgoto]: https://github.com/kendallgoto
+[@remingtr]: https://github.com/remingtr
+[@0xff1ce]: https://github.com/0xff1ce
+[@starplanet]: https://github.com/starplanet
 
 
 [8ad18b]: https://github.com/gchq/CyberChef/commit/8ad18bc7db6d9ff184ba3518686293a7685bf7b7
@@ -642,6 +766,46 @@ All major and minor version changes will be documented in this file. Details of
 [760eff4]: https://github.com/gchq/CyberChef/commit/760eff49b5307aaa3104c5e5b437ffe62299acd1
 [65ffd8d]: https://github.com/gchq/CyberChef/commit/65ffd8d65d88eb369f6f61a5d1d0f807179bffb7
 [0a353ee]: https://github.com/gchq/CyberChef/commit/0a353eeb378b9ca5d49e23c7dfc175ae07107b08
+[66d445c]: https://github.com/gchq/CyberChef/commit/66d445c5ef4e8bd896fd15396e3ce2d660d8ace1
+[ab37c1e]: https://github.com/gchq/CyberChef/commit/ab37c1e562dbee0495ed32876ecbb8225282af25
+[965570d]: https://github.com/gchq/CyberChef/commit/965570d2504c17ee1f96211a1dc10ed40cd2b332
+[a477f47]: https://github.com/gchq/CyberChef/commit/a477f47aecd01d78b11fe186ed4b20d9c487cfac
+[7a5225c]: https://github.com/gchq/CyberChef/commit/7a5225c961a5e0d192b03152117cd10a761f73d6
+[5f88ae4]: https://github.com/gchq/CyberChef/commit/5f88ae44ec77228d9bed8f11e8cc8e7dcfb36914
+[0e82e4b]: https://github.com/gchq/CyberChef/commit/0e82e4b7c6c77cadb8be61cb145e081d6ecfdc88
+[d635cca]: https://github.com/gchq/CyberChef/commit/d635cca2106aae2a59caf0e5d7e3633ee1ea3155
+[895a929]: https://github.com/gchq/CyberChef/commit/895a9299255525cb57886deb9d9fd4ba17ae9548
+[270a333]: https://github.com/gchq/CyberChef/commit/270a33317944612d27ea1cc15275ad6b0ed097e5
+[d3adfc7]: https://github.com/gchq/CyberChef/commit/d3adfc7c3e5719279524356bce5261bd8350c0f8
+[47c85a1]: https://github.com/gchq/CyberChef/commit/47c85a105ddbdd4cabfa44ddddbc56e3907a8c33
+[3822c6c]: https://github.com/gchq/CyberChef/commit/3822c6c520a0b4200abc675c33f46082f5b9efc6
+[66d445c]: https://github.com/gchq/CyberChef/commit/66d445c5ef4e8bd896fd15396e3ce2d660d8ace1
+[ab37c1e]: https://github.com/gchq/CyberChef/commit/ab37c1e562dbee0495ed32876ecbb8225282af25
+[965570d]: https://github.com/gchq/CyberChef/commit/965570d2504c17ee1f96211a1dc10ed40cd2b332
+[a477f47]: https://github.com/gchq/CyberChef/commit/a477f47aecd01d78b11fe186ed4b20d9c487cfac
+[7a5225c]: https://github.com/gchq/CyberChef/commit/7a5225c961a5e0d192b03152117cd10a761f73d6
+[5f88ae4]: https://github.com/gchq/CyberChef/commit/5f88ae44ec77228d9bed8f11e8cc8e7dcfb36914
+[0e82e4b]: https://github.com/gchq/CyberChef/commit/0e82e4b7c6c77cadb8be61cb145e081d6ecfdc88
+[d635cca]: https://github.com/gchq/CyberChef/commit/d635cca2106aae2a59caf0e5d7e3633ee1ea3155
+[895a929]: https://github.com/gchq/CyberChef/commit/895a9299255525cb57886deb9d9fd4ba17ae9548
+[270a333]: https://github.com/gchq/CyberChef/commit/270a33317944612d27ea1cc15275ad6b0ed097e5
+[d3adfc7]: https://github.com/gchq/CyberChef/commit/d3adfc7c3e5719279524356bce5261bd8350c0f8
+[47c85a1]: https://github.com/gchq/CyberChef/commit/47c85a105ddbdd4cabfa44ddddbc56e3907a8c33
+[3822c6c]: https://github.com/gchq/CyberChef/commit/3822c6c520a0b4200abc675c33f46082f5b9efc6
+[66d445c]: https://github.com/gchq/CyberChef/commit/66d445c5ef4e8bd896fd15396e3ce2d660d8ace1
+[ab37c1e]: https://github.com/gchq/CyberChef/commit/ab37c1e562dbee0495ed32876ecbb8225282af25
+[965570d]: https://github.com/gchq/CyberChef/commit/965570d2504c17ee1f96211a1dc10ed40cd2b332
+[a477f47]: https://github.com/gchq/CyberChef/commit/a477f47aecd01d78b11fe186ed4b20d9c487cfac
+[7a5225c]: https://github.com/gchq/CyberChef/commit/7a5225c961a5e0d192b03152117cd10a761f73d6
+[5f88ae4]: https://github.com/gchq/CyberChef/commit/5f88ae44ec77228d9bed8f11e8cc8e7dcfb36914
+[0e82e4b]: https://github.com/gchq/CyberChef/commit/0e82e4b7c6c77cadb8be61cb145e081d6ecfdc88
+[d635cca]: https://github.com/gchq/CyberChef/commit/d635cca2106aae2a59caf0e5d7e3633ee1ea3155
+[895a929]: https://github.com/gchq/CyberChef/commit/895a9299255525cb57886deb9d9fd4ba17ae9548
+[270a333]: https://github.com/gchq/CyberChef/commit/270a33317944612d27ea1cc15275ad6b0ed097e5
+[d3adfc7]: https://github.com/gchq/CyberChef/commit/d3adfc7c3e5719279524356bce5261bd8350c0f8
+[47c85a1]: https://github.com/gchq/CyberChef/commit/47c85a105ddbdd4cabfa44ddddbc56e3907a8c33
+[3822c6c]: https://github.com/gchq/CyberChef/commit/3822c6c520a0b4200abc675c33f46082f5b9efc6
+[66d445c]: https://github.com/gchq/CyberChef/commit/66d445c5ef4e8bd896fd15396e3ce2d660d8ace1
 
 [#95]: https://github.com/gchq/CyberChef/pull/299
 [#173]: https://github.com/gchq/CyberChef/pull/173
@@ -778,4 +942,3 @@ All major and minor version changes will be documented in this file. Details of
 [#512]: https://github.com/gchq/CyberChef/issues/512
 [#1732]: https://github.com/gchq/CyberChef/issues/1732
 [#1789]: https://github.com/gchq/CyberChef/issues/1789
-

From 2092e5b20cad5f794152562c845cca445e985373 Mon Sep 17 00:00:00 2001
From: C85297 <95289555+C85297@users.noreply.github.com>
Date: Wed, 28 Jan 2026 16:11:57 +0000
Subject: [PATCH 2/3] 10.20.0

---
 package-lock.json | 4 ++--
 package.json      | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index b374df4b..fbd86bbb 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
   "name": "cyberchef",
-  "version": "10.19.4",
+  "version": "10.20.0",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "cyberchef",
-      "version": "10.19.4",
+      "version": "10.20.0",
       "hasInstallScript": true,
       "license": "Apache-2.0",
       "dependencies": {
diff --git a/package.json b/package.json
index 9191ab6f..1c2ef3ae 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "cyberchef",
-  "version": "10.19.4",
+  "version": "10.20.0",
   "description": "The Cyber Swiss Army Knife for encryption, encoding, compression and data analysis.",
   "author": "n1474335 <n1474335@gmail.com>",
   "homepage": "https://gchq.github.io/CyberChef",

From b885e8423d75e566d279d171228f7bb5b3e3a479 Mon Sep 17 00:00:00 2001
From: GCHQ Developer C85297 <95289555+C85297@users.noreply.github.com>
Date: Thu, 29 Jan 2026 13:40:34 +0000
Subject: [PATCH 3/3] Bump jsonpath-plus (#2166)

Closes #1928 #1926
---
 package-lock.json               | 16 ++++++++--------
 package.json                    |  2 +-
 tests/operations/tests/Code.mjs | 15 ++++++++++++++-
 3 files changed, 23 insertions(+), 10 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index fbd86bbb..af76ee06 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -57,7 +57,7 @@
         "jsesc": "^3.0.2",
         "json5": "^2.2.3",
         "jsonata": "^2.0.3",
-        "jsonpath-plus": "^9.0.0",
+        "jsonpath-plus": "^10.3.0",
         "jsonwebtoken": "8.5.1",
         "jsqr": "^1.4.0",
         "jsrsasign": "^11.1.0",
@@ -12503,21 +12503,21 @@
       }
     },
     "node_modules/jsonpath-plus": {
-      "version": "9.0.0",
-      "resolved": "https://registry.npmjs.org/jsonpath-plus/-/jsonpath-plus-9.0.0.tgz",
-      "integrity": "sha512-bqE77VIDStrOTV/czspZhTn+o27Xx9ZJRGVkdVShEtPoqsIx5yALv3lWVU6y+PqYvWPJNWE7ORCQheQkEe0DDA==",
+      "version": "10.3.0",
+      "resolved": "https://registry.npmjs.org/jsonpath-plus/-/jsonpath-plus-10.3.0.tgz",
+      "integrity": "sha512-8TNmfeTCk2Le33A3vRRwtuworG/L5RrgMvdjhKZxvyShO+mBu2fP50OWUjRLNtvw344DdDarFh9buFAZs5ujeA==",
       "license": "MIT",
       "dependencies": {
-        "@jsep-plugin/assignment": "^1.2.1",
-        "@jsep-plugin/regex": "^1.0.3",
-        "jsep": "^1.3.8"
+        "@jsep-plugin/assignment": "^1.3.0",
+        "@jsep-plugin/regex": "^1.0.4",
+        "jsep": "^1.4.0"
       },
       "bin": {
         "jsonpath": "bin/jsonpath-cli.js",
         "jsonpath-plus": "bin/jsonpath-cli.js"
       },
       "engines": {
-        "node": ">=14.0.0"
+        "node": ">=18.0.0"
       }
     },
     "node_modules/jsonwebtoken": {
diff --git a/package.json b/package.json
index 1c2ef3ae..ec3f0520 100644
--- a/package.json
+++ b/package.json
@@ -143,7 +143,7 @@
     "jsesc": "^3.0.2",
     "json5": "^2.2.3",
     "jsonata": "^2.0.3",
-    "jsonpath-plus": "^9.0.0",
+    "jsonpath-plus": "^10.3.0",
     "jsonwebtoken": "8.5.1",
     "jsqr": "^1.4.0",
     "jsrsasign": "^11.1.0",
diff --git a/tests/operations/tests/Code.mjs b/tests/operations/tests/Code.mjs
index c62c7630..0a25c0e8 100644
--- a/tests/operations/tests/Code.mjs
+++ b/tests/operations/tests/Code.mjs
@@ -322,8 +322,21 @@ TestRegister.addTests([
                 ]
             }
         ],
-        expectedMatch: /^Invalid JPath expression: jsonPath: self is not defined:/
+        expectedMatch: /^Invalid JPath expression: Unexpected "{" at character 1/
     },
+    {
+        name: "JPath Expression: Script-based RCE",
+        input: "[{}]",
+        recipeConfig: [
+            {
+                "op": "JPath expression",
+                "args": [
+                    "$..[?(p=\"console.log(this.process.mainModule.require('child_process').execSync('id').toString())\";a=''[['constructor']][['constructor']](p);a())]",
+                    "\n"
+                ]
+            }
+        ],
+        expectedMatch: /^Invalid JPath expression: jsonPath: Cannot read properties of {2}\(reading 'constructor'\): /    },
     {
         name: "CSS selector",
         input: '<div id="test">\n<p class="a">hello</p>\n<p>world</p>\n<p class="a">again</p>\n</div>',