UPinar/contrastapi

v1.33.12 Breaking

This release includes breaking changes for platform teams planning a safe upgrade.

Published 15d MCP Security & Auth
✓ No known CVEs patched

Topics

ai-agents ai-security api claude cve security domain-recon email-security email-validation llm-tools mcp mitre-atlas mitre-d3fend model-context-protocol osint sigma-rules threat-intelligence vulnerability-management web-intel

Affected surfaces

rce_ssrf breaking_upgrade

Summary

AI summary

Updates Tests, Follows, and Fold-in across a mixed release.

Changes in this release

Dependency Medium

CodeQL issues #111, #112, #113 resolved with intent comments in `app/db.py` cleanup blocks.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: low

Performance Medium

Removed pool slot leaks, improving response times from ~13s/5s intermittent 504s to ~0.5s 200 responses.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Bugfix Medium

Restores `/v1/tech`, `/v1/scan/headers`, `/v1/domain` endpoints after v1.33.8 regression causing intermittent 504s.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Bugfix Medium

Wrapped `full_domain_report` await chain in try/finally to cancel and drain orphan tasks on early raise.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Refactor Medium

Refactored `fetch_live_headers` to sequential HTTPS-first / HTTP-fallback, eliminating race-and-cancel pool leak.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Other Medium

Added `TestFetchLiveHeadersSequential` (3 tests) and `TestFullDomainReportOrphanCleanup` (1 test).

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: low

Full changelog

Hotfix on v1.33.11 — restores /v1/tech, /v1/scan/headers, /v1/domain

A regression of the v1.33.8 _ssrf_http pool-leak class was observed in production
(36-minute PoolTimeout cluster on worker 2805645, 19 May 22:02 UTC) causing
intermittent 504s on three domain-intelligence endpoints. v1.33.10 only suppressed
the "Task exception was never retrieved" log noise; the underlying slot leak
remained. v1.33.12 closes both root causes.

Fixes

  • fetch_live_headers race-and-cancel leak (primary): parallel HTTPS+HTTP
    .get() race cancelled the losing task mid-flight; httpcore never returned the
    pool slot. Refactored to sequential HTTPS-first / HTTP-fallback, mirroring the
    v1.33.7 fetch_live_page pattern. No second task, no cancel, slot always
    returned.

  • full_domain_report orphan-task storm (amplifier): when an early await
    raised (e.g. f_subs TimeoutError on slow crt.sh), the trailing
    create_task handles (f_certs, f_threat, f_whois, f_ab, f_sh,
    f_headers) were never awaited or cancelled — they leaked into the event
    loop and held pool slots. Wrapped the await chain in try/finally that
    cancels + drains any pending task on exit. WAF detection moved inside the
    guarded scope so f_headers is read before cleanup cancels it.
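As an added example (not contrastapi's own code), the two patterns the fixes describe, written against fake probes so they run offline; the function, probe and URL names are assumptions, not the project's:

```python
# Added example (not contrastapi's code): the two v1.33.12 patterns, driven offline by fake probes.
import asyncio

async def fetch_live_headers(domain, get):
    """Sequential HTTPS-first / HTTP-fallback: never two tasks, so nothing is cancelled mid-flight."""
    errors = {}
    for scheme in ("https", "http"):
        try:
            return await get(f"{scheme}://{domain}/")   # slot returned on the normal exit path
        except Exception as exc:                        # record the failure, try the next scheme
            errors[scheme] = f"{type(exc).__name__}: {exc}"
    return {"error": "unreachable", "attempts": errors}  # both-fail error dict instead of raising

async def full_domain_report(domain, probes):
    """Fan out one task per probe; on an early raise, cancel AND drain the rest (no orphans)."""
    tasks = {name: asyncio.create_task(fn(domain)) for name, fn in probes.items()}
    report = {}
    try:
        for name, task in tasks.items():
            report[name] = await task       # may raise, e.g. TimeoutError from the first probe
        return report
    finally:
        pending = [t for t in tasks.values() if not t.done()]
        for t in pending:
            t.cancel()
        await asyncio.gather(*pending, return_exceptions=True)   # drain: wait for cancels to land

def demo_fallback(https_ok, http_ok):
    """Drive fetch_live_headers with a constructed .get(); returns (result, urls tried)."""
    ok, calls = {"https": https_ok, "http": http_ok}, []
    async def get(url):                     # stand-in for an httpx-style client.get()
        calls.append(url)
        if not ok[url.split(":")[0]]:
            raise ConnectionError("refused")
        return {"server": "nginx"}
    return asyncio.run(fetch_live_headers("example.test", get)), calls

def demo_orphan_cleanup():
    """Returns (TimeoutError propagated, orphan tasks still alive) after an early raise."""
    async def slow(_):
        await asyncio.sleep(10)             # would outlive the failing sibling if not cancelled
    async def fails(_):
        raise TimeoutError("crt.sh slow")
    async def run():
        try:
            await full_domain_report("example.test", {"f_subs": fails, "f_certs": slow, "f_whois": slow})
        except TimeoutError:
            return True, sum(1 for t in asyncio.all_tasks() if t is not asyncio.current_task() and not t.done())
        return False, -1
    return asyncio.run(run())
```

demo_orphan_cleanup mirrors the early-timeout regression check: the exception still propagates, but no sibling task survives the unwind.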

Status-code change for affected paths

| Endpoint | Pre (v1.33.11) | Post (v1.33.12) |
|---|---|---|
| /v1/tech/{domain} | 504 ~13s (intermittent) | 200 ~0.5s |
| /v1/scan/headers/{domain} | 504 ~5s (intermittent) | 200 ~0.5s |
| /v1/domain/{domain} | 504 (intermittent under load) | 200 |

No request/response shape change; only the failure mode is removed.

Tests

  • TestFetchLiveHeadersSequential (3) — happy-path call_count=1, HTTP fallback ordering, both-fail error dict.
  • TestFullDomainReportOrphanCleanup (1) — early-timeout regression, asserts no orphan tasks remain after exception unwind.
  • Full suite: 2463 → 2467 passed.

Fold-in

  • CodeQL #111/#112/#113 (Empty-except): added intent comments inside the three
    PRAGMA busy_timeout=5000 reset blocks in app/db.py — the unit-cleanup path
    must never mask the unit's primary error.

Follows

  • v1.33.11 (sigma bulk per-item quota + reflected-echo fix)
  • v1.33.10 (GHSA delta-sync self-pin fix + S253 resilience batch)
  • v1.33.8 (pattern-B streaming-cancel pool-leak hardening — original S253 close)

About UPinar/contrastapi

Security intelligence API with 31 MCP tools for CVE/EPSS/KEV lookup, domain recon (DNS/WHOIS/SSL/subdomains/CT logs), IOC/threat intel, OSINT (email/phone/username), and code security scanning (secrets, injection). Free 100 req/hr.

Related context

Earlier breaking changes

  • v1.33.11 `bulk_sigma_rule_lookup` now costs 1 credit per `rule_id`, changing from flat 1 credit/call.