
fix(security): Race condition in GitHub token pool management causes rate limit bypass #7380

Description

@atul-upadhyay-7

🚨 Critical: Race Condition in GitHub Token Pool Management

Severity: CRITICAL

Description

A race condition exists in the GitHub token pool management system in lib/github.ts. The module-level mutable variable currentTokenIndex (line 98) is read and mutated from multiple concurrent async requests without any synchronization mechanism (mutex, lock, or atomic operations).

Impact

In a serverless/production environment handling concurrent HTTP requests:

  1. Token Skipping: Multiple requests can read the same currentTokenIndex value simultaneously, causing valid tokens to be skipped entirely
  2. Rate Limit Amplification: Concurrent requests hitting the same token simultaneously exhaust its rate limit quota faster than expected
  3. Inconsistent State: currentTokenIndex can exceed tokens.length in edge cases due to interleaved read-modify-write operations

Reproduction Scenario

Request A reads currentTokenIndex = 2
Request B reads currentTokenIndex = 2 (before A increments)
Request A uses token[2] and increments to 3
Request B also uses token[2] (duplicate!) and increments to 3
Token[3] is never used — skipped entirely

Affected Code

  • lib/github.ts:98 — currentTokenIndex declaration
  • lib/github.ts:279,308 — reassignment during 401/429 handling in fetchWithRetry
  • lib/github.ts:637-736 — token selection and index mutation

Suggested Fix

Implement atomic token index operations using one of:

  • A mutex/lock around token selection and index increment
  • Atomics.add() with a shared SharedArrayBuffer
  • Thread-safe token pool with compare-and-swap semantics
  • Per-request token assignment via a central coordinator

Severity Justification

This bug can cause cascading failures across all GitHub API integrations in the application, affecting:

  • Commit tracking
  • Repository analysis
  • Architecture endpoint
  • All features dependent on GitHub token authentication

Labels: bug, critical, security, concurrency
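The interleaving in the reproduction scenario, and the mutex option from the suggested fix, as an added example that is not code from the project: a round-robin pool whose shared index is read, awaited across, then written back, beside the same selection serialized by a small async mutex. AsyncMutex, makePool, distinctTokensUsed and the placeholder token strings are all constructed for this demonstration.

```typescript
// Minimal async mutex: each runExclusive() waits for the previous holder to
// finish before running its critical section, so async sections never overlap.
class AsyncMutex {
  private tail: Promise<void> = Promise.resolve();
  runExclusive<T>(fn: () => Promise<T>): Promise<T> {
    const run = this.tail.then(fn);
    this.tail = run.then(() => undefined, () => undefined);
    return run;
  }
}

// Simulates async work (e.g. a rate-limit lookup) between the read and the write.
const yieldToEventLoop = () => new Promise<void>((r) => setTimeout(r, 0));

function makePool(tokens: readonly string[]) {
  let index = 0; // shared mutable index, as in the issue
  const mutex = new AsyncMutex();

  // Racy: callers that both read `index` before either writes it back get
  // the same token, and the token at index + 1 is skipped.
  async function nextTokenRacy(): Promise<string> {
    const i = index;
    await yieldToEventLoop();
    index = (i + 1) % tokens.length;
    return tokens[i];
  }

  // Guarded: the same read-await-write sequence, serialized by the mutex;
  // the modulo also keeps the index below tokens.length.
  function nextTokenSafe(): Promise<string> {
    return mutex.runExclusive(async () => {
      const i = index;
      await yieldToEventLoop();
      index = (i + 1) % tokens.length;
      return tokens[i];
    });
  }
  return { nextTokenRacy, nextTokenSafe };
}

// Fires n requests concurrently and counts distinct tokens handed out;
// a correct pool with n tokens uses every token exactly once.
async function distinctTokensUsed(pick: () => Promise<string>, n: number): Promise<number> {
  const used = await Promise.all(Array.from({ length: n }, () => pick()));
  return new Set(used).size;
}

// Constructed placeholder tokens (not real credentials).
const DEMO_TOKENS: readonly string[] = ["tok_a", "tok_b", "tok_c", "tok_d"];
```

With four concurrent requests the racy pool hands out `tok_a` four times (one distinct token) while the guarded pool hands out all four, which is the skipped-token behaviour the scenario above describes.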
