Security vulnerabilities and automated fixes for reconnaissance issues
1 post found
A critical security vulnerability was discovered in `api/extensions/ext_app_metrics.py` where internal operational endpoints exposing thread states and database connection pool statistics were accessible without any authentication. This silent reconnaissance gateway allowed attackers to map application internals, identify database infrastructure, and plan targeted denial-of-service attacks. The fix closes these unauthenticated endpoints, eliminating a significant information disclosure risk.