## Hub Server Exposed: Critical DoS Vulnerability via Unbounded Goroutine Creation
A critical security flaw in the hub server leaves it vulnerable to denial-of-service attacks. The system lacks any rate limiting on incoming connections, allowing a malicious or even misconfigured client to rapidly connect and disconnect. This pattern can exhaust server goroutines, crippling the service. The vulnerability is explicitly marked with a `TODO(security)` tag in the codebase, signaling a known but unresolved risk.

The issue is located in `internal/hub/stream_manager.go` at line 225. The current architecture permits unbounded goroutine creation for each new stream registration, creating a direct path for resource exhaustion. The expected fix is to implement a token bucket rate limiter, which would cap the rate of new stream registrations per source—defined by namespace and pod. When the limit is exceeded, the server should return a `codes.ResourceExhausted` error. Crucially, this limiter must be configurable by operators via a ConfigMap setting, such as `hub.connection-rate-limit`.

The impact is assessed as high, representing a clear operational security threat. The absence of this control turns a simple connection flood into an effective DoS vector. The audit finding directly cites the unbounded goroutine creation as the core problem, with the `golang.org/x/time/rate` package referenced as the standard implementation path for the required token bucket mechanism. This leaves the system's stability contingent on immediate patching.
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: security, vulnerability, DoS, rate-limiting, golang
- **Credibility**: unverified
- **Published**: 2026-04-08 12:27:14
- **ID**: 54986
- **URL**: https://whisperx.ai/en/intel/54986