Fix stack overflow DoS in package edit/delete routes #136

ayushch80 · 2026-01-02T20:05:32Z

This PR fixes an issue where error paths in the package edit and delete routes could trigger infinite recursion, leading to a stack overflow and crashing the server.

Routes affected

/packages/:name/edit
/packages/:name/delete

Problem

src/package.v

	pkg := app.packages().get(name) or {
		app.error(err.msg())
		return app.edit(name) // this is called recursively
	}

Fix

Respond with status code 404 and an error message

	pkg := app.packages().get(name) or {
		app.set_status(404, '')
		return app.text(err.msg())
	}

PoC

➜  curl -X GET http://localhost:8081/packages/somepackage/edit
curl: (52) Empty reply from server

➜  ./vpm
NOTICE:  relation "Category" already exists, skipping
NOTICE:  relation "CategoryPackage" already exists, skipping
NOTICE:  relation "Package" already exists, skipping
NOTICE:  relation "User" already exists, skipping
[Vweb] Running app on http://localhost:8081/
[Vweb] We have 1 workers
[vweb] Context.error: Found no module with name "somepackage"
[vweb] Context.error: Found no module with name "somepackage"
.
.
.
[vweb] Context.error: Found no module with name "somepackage"
[1]    21337 segmentation fault  ./vpm

fix: remove recursive error handling causing stack overflow DoS

7151303

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Fix stack overflow DoS in package edit/delete routes #136

Fix stack overflow DoS in package edit/delete routes #136

Uh oh!

ayushch80 commented Jan 2, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Fix stack overflow DoS in package edit/delete routes #136

Are you sure you want to change the base?

Fix stack overflow DoS in package edit/delete routes #136

Uh oh!

Conversation

ayushch80 commented Jan 2, 2026

Routes affected

Problem

Fix

PoC

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant