
[Critical] No API rate limiting on any HTTP endpoints #75

Description

@ether-btc

Severity: Critical

Location: (entire file — all handleApi routes)

Description:
None of the HTTP API endpoints implement any rate limiting. An attacker or misbehaving client can:

  • Hammer to burn through LLM tokens
  • Spam to create spurious agents
  • Flood to corrupt memory
  • Overwhelm the heartbeat by rapidly hitting any endpoint

This is especially dangerous because the server binds to all network interfaces (0.0.0.0), not just localhost.

Suggested Fix:
Add a simple in-memory rate limiter middleware. For example, using a Map of IP → request counts with a sliding window:

Apply it per-IP before routing. Make stricter (e.g., 10 req/min) since it triggers LLM calls.
