## Security Audit Exposes Race Condition in Autobot-Backend's Global Model State
A systematic codebase audit has uncovered a critical security vulnerability in the `autobot-backend` project. The core issue is a race condition within the `model_management.py` router, where global mutable variables `_active_model` and `_active_version` are accessed and modified without any locking mechanism. This flaw creates a window for concurrent asynchronous requests to corrupt the system's state, leading to unpredictable behavior and potential crashes.

The vulnerability is concentrated in three key functions. The `activate_model()` function (lines 277-299) writes to these global variables without a lock, allowing two concurrent calls to corrupt the state. The `get_evaluation_metrics()` function (lines 319-346) reads `_active_model` and `_active_version` without synchronization, creating a time-of-check to time-of-use (TOCTOU) vulnerability where metrics could be fetched for a stale model version. Most critically, `predict_completion()` (lines 358-385) reads and uses `_active_model` without a lock, risking a scenario where the model passes a `None` check but is then set to `None` by a concurrent activation request, causing a runtime crash.

This design flaw exposes the system to several high-risk scenarios. Concurrent model activation requests can directly corrupt the global state. More insidiously, prediction requests could crash mid-execution if the active model is swapped out, and evaluation metrics could be reported for an incorrect model version during a swap. The proposed fix is to wrap all read and write operations on the two global variables in an `asyncio.Lock()` so that concurrent requests access them one at a time. The vulnerability was identified during a systematic audit on March 30, 2026, highlighting a fundamental oversight in the backend's concurrency design.
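
The race and the proposed `asyncio.Lock()` fix, shown side by side as an added example that is not the project's code. `ModelState`, `guard`, `demo` and the `asyncio.sleep(0)` yield points are constructed stand-ins, and it assumes each handler awaits between reading and using the shared state.

```python
import asyncio
from contextlib import asynccontextmanager

class ModelState:
    """Constructed stand-in for the globals _active_model / _active_version."""
    def __init__(self, locked):
        self.model, self.version = {"name": "a"}, "v1"
        self._lock = asyncio.Lock() if locked else None

    @asynccontextmanager
    async def guard(self):
        if self._lock is None:          # unlocked: models the audited behaviour
            yield
        else:
            async with self._lock:      # locked: models the proposed fix
                yield

async def activate_model(state, name, version):
    async with state.guard():
        state.model = None              # old model dropped ...
        await asyncio.sleep(0)          # ... while the new one loads (yield point)
        state.model = {"name": name}
        await asyncio.sleep(0)          # model and version briefly disagree
        state.version = version

async def predict_completion(state):
    async with state.guard():
        if state.model is None:         # time of check
            return "no-model"
        await asyncio.sleep(0)          # e.g. awaiting preprocessing or I/O
        return state.model["name"]      # time of use: TypeError if swapped to None

async def get_evaluation_metrics(state):
    async with state.guard():
        version = state.version         # read before the await
        await asyncio.sleep(0)          # e.g. awaiting a metrics store
        model = state.model             # read after it: may be a later activation
        return (model["name"] if model else None, version)

async def _run(locked):
    state = ModelState(locked)
    return await asyncio.gather(
        predict_completion(state), activate_model(state, "b", "v2"),
        get_evaluation_metrics(state), return_exceptions=True)

def demo(locked):                       # returns [predict, activate, metrics]
    return asyncio.run(_run(locked))

if __name__ == "__main__":
    print("unlocked:", demo(False), "| locked:", demo(True))
```

Without the lock, the prediction ends in a `TypeError` and the metrics pair model `b` with version `v1`; with it, each handler sees a consistent model and version.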

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: security, vulnerability, race_condition, concurrency, code_audit
- **Credibility**: unverified
- **Published**: 2026-03-30 06:27:04
- **ID**: 40596
- **URL**: https://whisperx.ai/en/intel/40596