Skip to content

[Security] Credit balance check fails open — allows free usage on DB errors #15

Open
Open
[Security] Credit balance check fails open — allows free usage on DB errors#15
Labels
high-priorityHigh prioritysecuritySecurity vulnerability
@willamhou

Description

@willamhou
willamhou
opened on Mar 29, 2026

Severity: HIGH

Description

checkBalance() in api-guard.ts:245-269 returns true (allow) when the database query fails, meaning all billable requests go through for free if the DB is unavailable.

Location

  • src/lib/api-guard.ts:245-269

Remediation

In production, fail-closed: return false or respond with 503 when balance cannot be checked.

Metadata

Metadata

Assignees

No one assigned

    Labels

    high-priorityHigh prioritysecuritySecurity vulnerability

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions