// wall of bugs caught

10 critical bugs
PullLight would have caught in your PRs.

Every card below is a real bug flagged during PR review — CVEs, CWEs, before/after code. No competitors have a page like this. Try it on your own PR →

13 total catches · 10 critical · 3 high · 10 with CVSS ≥ 9 · 5 languages
Severity: critical · Tag: race-condition · Language: Python · CVE-2024-49768
TOCTOU Race in HTTP Pipelining
Waitress's pipelined request handler checks connection state before processing but re-reads it after — a race window lets an attacker smuggle a second request as the authenticated identity of the first.
Before (vulnerable)

    # BEFORE (vulnerable): the check and the act are not atomic, so the
    # connection state can change between them
    if self.request_count > 0:
        # ... time passes, state may change ...
        self.handle_request(request)  # uses stale identity

After (fixed)

    # AFTER (fixed): check and act under the same lock, so the state the
    # check saw is the state the handler uses
    with self._lock:
        if self.request_count > 0:
            self.handle_request(request)
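An added example, not PullLight's or Waitress's code, that turns the card's before/after snippet into a runnable toy: the `Connection` class, `race()` and the identities are constructed for illustration, and the interleaving is forced with events so that the unlocked and locked dispatchers give a deterministic, comparable result.

```python
import threading

class Connection:
    """Toy pipelined connection (constructed): identity is shared by all queued requests."""
    def __init__(self):
        self.request_count = 1            # a pipelined request is pending
        self.identity = "anonymous"       # nobody has authenticated yet
        self.handled = []                 # (request, identity it ran as)
        self._lock = threading.Lock()
        self.checked = threading.Event()  # worker has passed the state check
        self.go = threading.Event()       # releases the worker from the gap

    def handle_request(self, request):
        self.handled.append((request, self.identity))

    def set_identity(self, identity):
        with self._lock:                  # writers always take the lock
            self.identity = identity

    def dispatch_unlocked(self, request):
        # BEFORE: check-then-act with no lock; the gap below is the race window.
        if self.request_count > 0:
            self.checked.set()
            self.go.wait(timeout=2)       # simulated scheduling gap
            self.handle_request(request)

    def dispatch_locked(self, request):
        # AFTER: check and act under one lock, so the checked state is what the handler sees.
        with self._lock:
            if self.request_count > 0:
                self.checked.set()
                self.go.wait(timeout=2)
                self.handle_request(request)

def race(dispatch_name):
    """Let the worker pass the check, then store the first request's authenticated
    identity on the shared connection before the worker acts; return the identity
    the second request ("req-2") was handled as."""
    conn = Connection()
    worker = threading.Thread(target=getattr(conn, dispatch_name), args=("req-2",))
    writer = threading.Thread(target=conn.set_identity, args=("alice",))
    worker.start()
    conn.checked.wait(timeout=2)
    writer.start()
    writer.join(timeout=0.2)              # blocks on the lock only when fixed
    conn.go.set()
    for t in (worker, writer):
        t.join()
    return conn.handled[0][1]
```

`race("dispatch_unlocked")` reports the second request handled as "alice" (the first request's identity), while `race("dispatch_locked")` keeps it at "anonymous" because the writer cannot get the lock until the check-and-act pair has completed.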
Browse full case studies with diffs & analysis →
Install in 60 seconds — free for OSS. Watch PullLight flag bugs like these in your PRs.
Install on GitHub →