H5P design issue: Library upload overwrites platform-wide content

pheraph:

Hi all,

I noticed something that appears to be a fundamental design issue with how H5P handles updates to library versions through the upload of user-generated H5P files. I see this behaviour in edu-sharing and WordPress. When uploading an H5P file that contains a newer library (patch) version, H5P adopts that version globally. From that point on, the renderer uses this library version for all H5P content on the platform, including existing content created by other users.

This effectively means that any user with upload permissions can overwrite libraries platform-wide by uploading a manipulated H5P file, altering the rendering of all other users' content. I tested this with a rather harmless modification that renders different colors for MC questions and adds a custom text. But I see this could also be used to expose the repository to vandalism, or maybe to add malicious code?

I guess this is intentional behavior. How do others handle this in multi-user environments?

Thanks,

Raphael
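
The replacement rule Raphael describes (same machineName and major.minor, higher patchVersion wins platform-wide) can be checked before a package is accepted. The script below is an added example, not code from this thread or from H5P Group: it reads every library.json bundled in an .h5p zip and reports the libraries that would replace an installed copy. The installed inventory and the two packages it inspects are constructed in memory for the demonstration; `build_package` only writes the minimal fields needed and is not a general H5P packager.

```python
"""
Pre-upload check for H5P packages: find bundled libraries that would replace
an already-installed library version platform-wide.

An .h5p package is a zip. The root h5p.json lists the content's dependencies;
each bundled library lives in a folder such as "H5P.MultiChoice-1.16/" with a
library.json carrying machineName, majorVersion, minorVersion and patchVersion.
H5P core keeps one copy per machineName + major.minor and replaces it when an
upload carries a higher patchVersion.

Added example; not H5P's own code. Inventory and packages are constructed.
"""
import io
import json
import zipfile
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Constructed inventory of what the platform already has installed
# (machineName -> (major, minor, patch)); not taken from a real platform.
INSTALLED: Dict[str, Version] = {
    "H5P.MultiChoice": (1, 16, 3),
    "H5P.Question": (1, 5, 9),
    "FontAwesome": (4, 5, 4),
}


def bundled_libraries(package: bytes) -> Dict[str, Version]:
    """Return machineName -> version for every library.json in the package."""
    found: Dict[str, Version] = {}
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for name in zf.namelist():
            parts = name.split("/")
            # library.json sits exactly one level deep: "<LibraryDir>/library.json"
            if len(parts) == 2 and parts[1] == "library.json":
                meta = json.loads(zf.read(name))
                found[meta["machineName"]] = (
                    int(meta["majorVersion"]),
                    int(meta["minorVersion"]),
                    int(meta.get("patchVersion", 0)),
                )
    return found


def libraries_that_would_replace(package: bytes, installed=INSTALLED) -> List[Tuple[str, Version, Version]]:
    """
    List (machineName, installed_version, bundled_version) for every bundled
    library that shares major.minor with an installed one and has a higher
    patch level: the case in which the uploaded copy is swapped in for every
    content item on the platform. Libraries not yet installed are skipped,
    since they do not touch existing content.
    """
    hits = []
    for machine_name, bundled in bundled_libraries(package).items():
        current = installed.get(machine_name)
        if current is None:
            continue
        if bundled[:2] == current[:2] and bundled[2] > current[2]:
            hits.append((machine_name, current, bundled))
    return hits


def build_package(libraries: Dict[str, Version]) -> bytes:
    """Build a minimal .h5p zip in memory (constructed test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        deps = []
        for machine_name, (major, minor, patch) in libraries.items():
            folder = f"{machine_name}-{major}.{minor}"
            meta = {"title": machine_name, "machineName": machine_name,
                    "majorVersion": major, "minorVersion": minor, "patchVersion": patch,
                    "runnable": 1, "preloadedJs": [{"path": "js/lib.js"}]}
            zf.writestr(f"{folder}/library.json", json.dumps(meta))
            zf.writestr(f"{folder}/js/lib.js", "/* patched */")
            deps.append({"machineName": machine_name, "majorVersion": major, "minorVersion": minor})
        zf.writestr("h5p.json", json.dumps({
            "title": "Quiz", "language": "en", "mainLibrary": next(iter(libraries)),
            "embedTypes": ["div"], "preloadedDependencies": deps}))
        zf.writestr("content/content.json", "{}")
    return buf.getvalue()


# A manipulated upload: same major.minor as the installed MultiChoice, patch 3 -> 4,
# plus a library that is not installed yet (harmless to existing content).
SUSPICIOUS_UPLOAD = build_package({"H5P.MultiChoice": (1, 16, 4), "H5P.Blanks": (1, 14, 2)})
# A harmless upload: identical patch level, so nothing installed is replaced.
HARMLESS_UPLOAD = build_package({"H5P.MultiChoice": (1, 16, 3)})

if __name__ == "__main__":
    for label, pkg in (("suspicious", SUSPICIOUS_UPLOAD), ("harmless", HARMLESS_UPLOAD)):
        hits = libraries_that_would_replace(pkg)
        print(label, "->", hits or "no installed library would be replaced")
```

On a real platform the inventory would come from the H5P libraries table rather than a dictionary, and a non-empty result is the moment to hold the upload for review instead of letting the patched library go live for every other user's content.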

Should library uploads overwrite platform-wide content?
otacke:

That's a flaw, correct. See this post from 2022 suggesting a solution. Yes, that was over four years ago without any statement from H5P Group.

Would be great if you deleted your attachment by the way, because there will be that one person that actually uploads it to their site and thus installs that patched version ...

pheraph:

Thanks, Oliver. I tried to find an existing thread, but failed. I removed the attachment, though I think it's trivial to do with vibe coding.

I came across this issue because we'll likely need to patch a content type (at the very least) for a project, and the result will be a whole series of OERs that we won't be able to publish in the OER repository straight away.

otacke:

I didn't ask to remove it fearing that it could be replicated. That is trivial. I just want to prevent someone from trying out what that content does. Those things happen.

Depending on your goal, you might want to check whether you can reach it safely with the JavaScript/semantics hooks on your platform, or whether changing the library name is an option, or follow the pull request path.

Just patching and hoping that content won't leak is not a good option. The forum contains cases where someone did that (without knowing what they were doing) and caused trouble. Just one example: https://www.olivertacke.de/labs/2024/05/02/a-short-voluntary-h5p-fire-de...