New Api · New Api · CVE-2026-25591
**Name of the Vulnerable Software and Affected Versions**
New API versions prior to 0.10.8-alpha.10
**Description**
The software is a large language model (LLM) gateway and artificial intelligence (AI) asset management system. A SQL LIKE wildcard injection issue exists in the `/api/token/search` endpoint. Authenticated users can cause a denial of service through resource exhaustion by crafting malicious search patterns. The token search endpoint accepts user-supplied `keyword` and `token` parameters that are directly concatenated into SQL LIKE clauses without escaping the wildcard characters (`%`, `_`). This allows attackers to inject patterns that trigger expensive database queries. The issue can lead to database CPU usage spikes, application memory exhaustion, and blocked legitimate user requests. A proof-of-concept (PoC) demonstrates that submitting a request with a malicious pattern like `% % % % % %` can overwhelm the database and render the application unavailable. The vulnerability is present in the `model/token.go:70` file.
**Recommendations**
Versions prior to 0.10.8-alpha.10: Escape LIKE wildcards using a function like `escapeLike()` to properly handle wildcard characters in the `keyword` and `token` parameters.
Versions prior to 0.10.8-alpha.10: Implement user-level rate limiting to restrict the number of requests per user per minute.
Versions prior to 0.10.8-alpha.10: Add a query timeout to prevent long-running queries from exhausting database resources.
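The following is an added illustration of the first and third recommendations, written for this advisory and not taken from the New API project: the user-supplied fragments are escaped with a dedicated LIKE escape character, bound as query parameters rather than concatenated, and capped in length. The table and column names, the `!` escape character and the 64-byte cap are assumptions for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// maxSearchLen caps the raw search fragment (assumed value, not from the
// project) so a caller cannot submit arbitrarily long wildcard runs.
const maxSearchLen = 64

// escapeLike neutralises the LIKE metacharacters in a user-supplied
// fragment so they match literally. '!' is used as the escape character
// because it needs no quoting inside string literals in MySQL, PostgreSQL
// or SQLite; the query must therefore carry ESCAPE '!'. The replacer works
// in a single pass, so a '!' in the input cannot become a live escape.
func escapeLike(s string) string {
	return strings.NewReplacer("!", "!!", "%", "!%", "_", "!_").Replace(s)
}

// tokenSearchQuery builds the parameterised query for a token search.
// Table and column names are assumptions for illustration. The fragments
// are bind arguments with exactly one '%' anchor per side, so the only
// wildcards the database evaluates are the two the server added.
func tokenSearchQuery(userID int, keyword, token string) (string, []any, error) {
	if len(keyword) > maxSearchLen || len(token) > maxSearchLen {
		return "", nil, errors.New("search fragment too long")
	}
	const q = "SELECT id, name FROM tokens WHERE user_id = ? " +
		"AND name LIKE ? ESCAPE '!' AND token_key LIKE ? ESCAPE '!'"
	args := []any{userID, "%" + escapeLike(keyword) + "%", "%" + escapeLike(token) + "%"}
	return q, args, nil
}

func main() {
	// Constructed input mirroring the advisory's pattern of repeated '%'.
	q, args, err := tokenSearchQuery(42, "% % % % % %", "sk-")
	fmt.Println(q, args, err)
}
```

A statement timeout (the third recommendation) is set on the database connection or session rather than in the query text, so it is not shown here.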