This release includes one security fix, of interest to security teams reviewing exposed deployments.
Summary
AI summary: `bulk_sigma_rule_lookup` now costs 1 credit per `rule_id`, changing quota usage and adding `skipped_due_to_rate_limit` handling.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Security | High | `sanitize_echo` now strips CRLF, bidi-override, and HTML metachars from echoed `rule_id` in error results. | — |
| Breaking | High | `bulk_sigma_rule_lookup` now costs 1 credit per `rule_id`, changing from flat 1 credit/call. | — |
| Feature | Low | `BulkSigmaRuleLookupResponse` includes new fields: `processed` (int) and `skipped_due_to_rate_limit` (list[str]). | — |
| Deprecation | Low | Removed false claim of Free 10 / Pro 50 bulk-cap; all bulk endpoints cap at 50 ids for both tiers. | — |
Row summaries generated by granite4.1:8b-q6_K@2026-05-19 (confidence: high).
Full changelog
⚠️ Behavior change — read before upgrading
bulk_sigma_rule_lookup now consumes 1 credit per rule_id (was a flat 1 credit/call regardless of batch size), bringing it to parity with bulk_cve_lookup / bulk_ioc_lookup. A 50-id sigma batch now costs 50 quota units (Free 30/hr · Pro 500/hr), not 1. Ids beyond the caller's remaining quota now land in the new skipped_due_to_rate_limit field instead of the batch being processed for free. Clients that batched large sigma lookups expecting flat cost should re-check quota budgeting.
Schema (additive, wire-compatible)
BulkSigmaRuleLookupResponse gains processed (int) and skipped_due_to_rate_limit (list[str]). Existing clients that ignore unknown fields are unaffected. No DB migration; cache auto-invalidates via the VERSION-prefixed key.
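The billing change and the new response fields are easier to reason about with a small model of the server loop and a client-side budgeting helper. The following is an added illustration, not the project's code: the numbers (50-id cap, Free 30 / Pro 500 units per hour) come from the release notes, while the function names, the dataclass layout, the constructed Sigma catalogue and the `plan_batches` helper are assumptions made for this example.

```python
from dataclasses import dataclass, field

# Figures taken from the release notes; the code structure around them is assumed.
BULK_CAP = 50                              # hard cap on ids per call, both tiers
HOURLY_QUOTA = {"free": 30, "pro": 500}    # quota units per hour, per tier

# Constructed stand-in catalogue so the example runs offline (not real API data).
_SIGMA_CATALOG = {
    "win_susp_powershell_enc": {"title": "Encoded PowerShell Command Line"},
    "proc_creation_lsass_dump": {"title": "LSASS Memory Dump via Procdump"},
}


@dataclass
class BulkSigmaRuleLookupResponse:
    results: list = field(default_factory=list)
    processed: int = 0                                              # new field
    skipped_due_to_rate_limit: list = field(default_factory=list)   # new field


def _lookup_one(rule_id: str) -> dict:
    """Hypothetical single-rule lookup against the constructed catalogue."""
    rule = _SIGMA_CATALOG.get(rule_id)
    if rule is None:
        return {"rule_id": rule_id, "status": "not_found"}
    return {"rule_id": rule_id, "status": "found", **rule}


def bulk_sigma_rule_lookup(rule_ids: list, remaining_quota: int):
    """Per-id billing as described in the notes: every processed id costs one
    unit; once the caller's remaining quota reaches zero the rest of the batch
    is reported in skipped_due_to_rate_limit instead of being processed for
    free. Returns (response, quota_left)."""
    if len(rule_ids) > BULK_CAP:
        raise ValueError(f"at most {BULK_CAP} ids per call")
    resp = BulkSigmaRuleLookupResponse()
    for rid in rule_ids:
        if remaining_quota <= 0:
            resp.skipped_due_to_rate_limit.append(rid)
            continue
        remaining_quota -= 1
        resp.results.append(_lookup_one(rid))
        resp.processed += 1
    return resp, remaining_quota


def credits_required(rule_ids: list, per_id_billing: bool = True) -> int:
    """Cost of one call under the new (per id) and the old (flat) model."""
    return len(rule_ids) if per_id_billing else 1


def plan_batches(rule_ids: list, remaining_quota: int) -> list:
    """Client-side budgeting (assumed helper): only submit ids the remaining
    quota can pay for, split into batches of at most BULK_CAP ids, so no id
    is expected to come back in skipped_due_to_rate_limit."""
    affordable = rule_ids[:max(remaining_quota, 0)]
    return [affordable[i:i + BULK_CAP] for i in range(0, len(affordable), BULK_CAP)]


if __name__ == "__main__":
    ids = ["win_susp_powershell_enc", "proc_creation_lsass_dump", "x", "y", "z"]
    resp, left = bulk_sigma_rule_lookup(ids, remaining_quota=3)
    print(resp.processed, resp.skipped_due_to_rate_limit, left)   # 3 ['y', 'z'] 0
    print(credits_required(ids), credits_required(ids, per_id_billing=False))
    print([len(b) for b in plan_batches(["r"] * 120, HOURLY_QUOTA["pro"])])
```

A client that previously sized batches by the 50-id cap alone should now also check `credits_required` against its remaining quota, since a full 50-id batch consumes a Free-tier hour in one call.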
Security
sanitize_echo is now applied to the echoed rule_id in invalid_format / not_found result items (reflected-echo hardening — CRLF / bidi-override / HTML metachars stripped), matching the v1.27 IOC precedent.
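To make the hardening concrete, here is an added example of a reflected-echo sanitizer of the kind the note describes, together with the error-item builder that uses it. This is not the project's `sanitize_echo`; the character set (CR/LF, the Unicode bidi embedding/override/isolate controls, and `< > & " '`), the `max_len` truncation and the `error_item` helper are assumptions for this illustration. The same treatment applies to ids echoed in `skipped_due_to_rate_limit`, which the Quality section's skipped-ids-sanitized test covers.

```python
# Characters removed from any echoed caller-supplied rule_id (assumed set).
_CRLF = "\r\n"
_HTML_META = "<>&\"'"
# Unicode bidi controls: LRE/RLE/PDF/LRO/RLO, LRI/RLI/FSI/PDI, LRM/RLM.
_BIDI_CONTROLS = "".join(chr(c) for c in (
    0x202A, 0x202B, 0x202C, 0x202D, 0x202E,
    0x2066, 0x2067, 0x2068, 0x2069,
    0x200E, 0x200F,
))
_DELETE = str.maketrans("", "", _CRLF + _HTML_META + _BIDI_CONTROLS)


def sanitize_echo(value: str, max_len: int = 128) -> str:
    """Strip (not escape) characters that let an echoed id forge log lines,
    reorder displayed text, or inject markup, then bound its length."""
    return value.translate(_DELETE)[:max_len]


def needs_sanitizing(value: str) -> bool:
    """Detection helper: True if the id contains any character the sanitizer
    would remove, which is useful for logging suspicious input separately."""
    return sanitize_echo(value, max_len=len(value)) != value


def error_item(rule_id: str, status: str) -> dict:
    """Build an invalid_format / not_found result item with a sanitized echo."""
    return {"rule_id": sanitize_echo(rule_id), "status": status}


if __name__ == "__main__":
    # Constructed inputs showing each class of stripped character.
    samples = [
        "proc_creation_lsass_dump",          # clean id, returned unchanged
        "bad\r\nWARNING: forged log line",   # CRLF would split a log line
        "safe_\u202erule",                   # RLO reverses rendered text
        '<img src=x onerror="x">',           # HTML metachars in an error page
    ]
    for s in samples:
        print(repr(s), "->", repr(error_item(s, "not_found")["rule_id"]))
```

Stripping rather than escaping is a reasonable choice for an identifier that has no legitimate use for these characters; the original value is still available server-side for auditing, and `needs_sanitizing` separates the rare clean-up from a genuinely suspicious request.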
Docs / MCP contract correctness
Removed the false "Free 10 / Pro 50" bulk-cap claim everywhere it had drifted. All bulk endpoints cap at 50 ids for both tiers; the only per-tier difference is the hourly quota. Cleaned across tool-selection-guide, ENDPOINTS, agent-card, the MCP tool inputSchema + docstring, 6 MCP error messages (cve/atlas/ioc/deps/sigma), and the Node SDK README.
Quality
+2 sigma bulk tests (partial-fill-when-quota-low, skipped-ids-sanitized) -> 2463 pytest green; ruff + pip-audit clean. 2-round dual-agent (code + security) review, all HIGH/MED closed. Counts unchanged: 53 MCP tools / 7 Resources / 3 Prompts.
Follows v1.33.10.
Breaking Changes
- `bulk_sigma_rule_lookup` pricing changed to 1 credit per rule_id (previously flat 1 credit per call)
- Ids exceeding remaining quota are now placed in `skipped_due_to_rate_limit` instead of being processed for free
Security Fixes
- `sanitize_echo` applied to echoed `rule_id` fields, stripping CRLF/bidi-override/HTML metachars (hardening)
About UPinar/contrastapi
Security intelligence API with 31 MCP tools for CVE/EPSS/KEV lookup, domain recon (DNS/WHOIS/SSL/subdomains/CT logs), IOC/threat intel, OSINT (email/phone/username), and code security scanning (secrets, injection). Free 100 req/hr.