| #398 |
MEDIUM: Global circuit breaker can be toggled via /tmp flag files
config.py:339,343 - Circuit breaker state controlled by /tmp/.highway_circuit_breaker_enabled and di...
|
closed |
medium |
2025-12-11 22:44 |
- |
|
| #395 |
MEDIUM: No upper bound validation on timeout duration strings
shell_command.py:153-186 - ISO 8601 duration parsing has no max validation. Malicious workflow could...
|
closed |
medium |
2025-12-11 22:21 |
- |
|
| #394 |
MEDIUM: Sandbox code injection via triple-quote escape bypass
sandbox.py:285 - User code escaped with simple replace for triple quotes. Edge cases like backslash-...
|
closed |
medium |
2025-12-11 22:21 |
- |
|
| #393 |
MEDIUM: Missing tenant isolation in checkpoint queries
absurd_client.py:728-764 - get_checkpoints_for_run() queries by owner_run_id without tenant_id filte...
|
closed |
medium |
2025-12-11 22:21 |
- |
|
| #392 |
MEDIUM: Sandbox bypass via cached sys.modules
sandbox/sandbox.py:99-132 - Replaces builtins.__import__ but doesn't clear sys.modules. Banned modul...
|
closed |
medium |
2025-12-11 22:21 |
- |
|
| #391 |
MEDIUM: SSRF bypass via DNS rebinding (TOCTOU)
http_request.py:107-124 - DNS resolved at validation time, but request may resolve to different IP (...
|
closed |
medium |
2025-12-11 22:21 |
- |
|
| #381 |
MEDIUM: Docker containers not killed on timeout (resource leak)
sandbox.py:341 - When container.wait() times out, container may still be running. Finally block may ...
|
closed |
medium |
2025-12-11 21:54 |
- |
|
| #380 |
MEDIUM: Unbounded circuit breaker cache (memory leak)
http_request.py:136-199 - Per-workflow circuit breakers in _circuit_breaker_cache never cleaned up. ...
|
closed |
medium |
2025-12-11 21:54 |
- |
|
| #379 |
MEDIUM: ToolRegistry singleton not thread-safe
registry.py:305-320 - get_tool_registry() singleton creation has race condition. Multiple threads co...
|
closed |
medium |
2025-12-11 21:54 |
- |
|
| #378 |
MEDIUM: SchedulerService breaks atomic transaction boundary
scheduler_service.py uses autocommit=True but needs atomic scan+submit+update operation. Uses differ...
|
closed |
medium |
2025-12-11 21:54 |
- |
|
| #370 |
MEDIUM: _save_state not called automatically before sleep/commit
## Issue
The _save_state() method in engine/durable_context.py:1462-1496 persists executed_tasks, f...
|
closed |
medium |
2025-12-11 21:40 |
- |
|
| #369 |
MEDIUM: Circuit breaker cache uses file system flag for reset
## Issue
Circuit breaker cache reset in engine/tools/shell_command.py:63-84 relies on flag file /tm...
|
closed |
medium |
2025-12-11 21:39 |
- |
|
| #368 |
MEDIUM: Silent encryption failure (fail-open security)
## Issue
In engine/db.py:131-147, encryption configuration failures are silently swallowed:
```pyt...
|
closed |
medium |
2025-12-11 21:39 |
- |
|
| #367 |
MEDIUM: Connection leak in get_raw_db_connection docstring example
## Issue
The docstring for get_raw_db_connection() in engine/db.py:515-547 shows improper usage:
`...
|
closed |
medium |
2025-12-11 21:39 |
- |
|
| #356 |
LLM tool: Use Secret Manager for API keys
## Issue
llm.py only reads API keys from environment variables, not from Secret Manager.
## Current...
|
closed |
medium |
2025-12-10 08:16 |
- |
|
| #352 |
Guidance: Built-in Tools vs Marketplace Apps
## Overview
Define clear guidelines for when functionality should be a built-in tool vs a marketplac...
|
closed |
medium |
2025-12-10 06:40 |
- |
|
| #350 |
Demo: Legal Contract Negotiation
## Overview
Document version management with deadlines between two parties.
## Workflow Steps
1. Ge...
|
closed |
medium |
2025-12-10 06:39 |
- |
|
| #349 |
Demo: Supply Chain Cold Chain Monitor
## Overview
Real-time logistics monitoring for temperature-sensitive shipments.
## Workflow Steps
1...
|
closed |
medium |
2025-12-10 06:39 |
- |
|
| #348 |
Demo: Multi-Stage Media Processing Pipeline
## Overview
Video processing with parallel execution, transcoding, and AI transcription.
## Workflo...
|
closed |
medium |
2025-12-10 06:39 |
- |
|
| #347 |
Demo: Patient Post-Procedure Monitoring
## Overview
Healthcare workflow for 30-day patient recovery tracking.
## Workflow Steps
1. Surgery ...
|
closed |
medium |
2025-12-10 06:39 |
- |
|