github.com/thomaspoignant/go-feature-flag is vulnerable to Denial of Service (DoS)
75
High Risk
The relay proxy's admin endpoints (e.g. POST /admin/v1/retriever/refresh) use KeyAuthExtended middleware with a config that can have a nil ErrorHandler when defaults from echo's DefaultKeyAuthConfig are used. When a request is sent with an invalid or missing X-API-Key, validateXAPIKey calls config.ErrorHandler without a nil check, causing a nil pointer dereference panic and process crash. An attacker who can reach the admin API can trigger this with a single request, causing denial of service. The fix adds nil checks before invoking ErrorHandler and explicitly sets AuthMiddlewareErrHandler on the admin route group so invalid keys return 401 Unauthorized instead of panicking.
You are affected if you are using a version that falls within the vulnerable range.
github.com/thomaspoignant/go-feature-flag is vulnerable to Denial of Service (DoS) in versions 1.49.0 - 1.51.2.
Upgrade the github.com/thomaspoignant/go-feature-flag library to a patched version.
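To make the defect class concrete, here is an added, simplified Go illustration (not the project's code, and not echo's): a key-auth middleware whose config leaves ErrorHandler nil, shown in its pre-fix shape beside the nil-checked form that falls back to 401. KeyAuthConfig, vulnerableKeyAuth, fixedKeyAuth and probe are hypothetical names; only the X-API-Key header and the admin path are taken from the advisory.

```go
package main

import "net/http"
import "net/http/httptest"

// KeyAuthConfig is a hypothetical stand-in for the middleware config the
// advisory describes: ErrorHandler stays nil unless the caller sets it.
type KeyAuthConfig struct {
	ValidKeys    map[string]bool
	ErrorHandler func(w http.ResponseWriter, r *http.Request)
}
// vulnerableKeyAuth has the pre-fix shape: it calls cfg.ErrorHandler with no nil check.
func vulnerableKeyAuth(cfg KeyAuthConfig, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !cfg.ValidKeys[r.Header.Get("X-API-Key")] {
			cfg.ErrorHandler(w, r) // nil pointer dereference panic when unset
			return
		}
		next.ServeHTTP(w, r)
	})
}
// fixedKeyAuth applies the advisory's remedy: nil-check, then fall back to 401.
func fixedKeyAuth(cfg KeyAuthConfig, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !cfg.ValidKeys[r.Header.Get("X-API-Key")] {
			if cfg.ErrorHandler != nil {
				cfg.ErrorHandler(w, r)
			} else {
				http.Error(w, "invalid or missing X-API-Key", http.StatusUnauthorized)
			}
			return
		}
		next.ServeHTTP(w, r)
	})
}
// probe sends one in-memory request with the given key and returns the status
// code, or -1 if the handler panicked (the crash the advisory describes).
func probe(h http.Handler, key string) (status int) {
	defer func() {
		if recover() != nil {
			status = -1
		}
	}()
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodPost, "/admin/v1/retriever/refresh", nil)
	req.Header.Set("X-API-Key", key)
	h.ServeHTTP(rec, req)
	return rec.Code
}
```

In a real server without recovery middleware the recovered panic in probe is the process crash; the regression check a maintainer would want is simply that a bad or missing key yields 401 from the fixed form.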