Affected: v0.0.1
Fixed: v0.0.2

1. WebSocket Origin Bypass

   • Location: node/main.go:93 and api/main.go:119
   • Issue: CheckOrigin: func(r *http.Request) bool { return true }
   • Impact: Any website can connect to WebSocket endpoints

2. CORS Wildcard Configuration

   • Location: API CORS middleware
   • Issue: Accepts requests from all origins (*)
   • Impact: Cross-origin requests allowed from any domain

3. Missing Rate Limiting

   • Location: Authentication endpoints
   • Issue: No limits on login attempts
   • Impact: Brute force attacks possible

• WebSocket connections now validate origin against configured endpoints
• CORS properly validates allowed origins
• Rate limiting added to login endpoint (30 requests/minute per IP)

Immediately upgrade from v0.0.1 to v0.0.2

• JWT-based authentication
• Role-based access control (user/admin/sys)
• Password hashing with bcrypt
• WebSocket origin validation
• Rate limiting on authentication
• Secure CORS configuration

Change immediately after installation:

• Username: admin
• Password: admin

Report security vulnerabilities privately to the maintainers rather than creating public issues.