sentinel
#482 · feat/session-cleanup
PR #482
fix: resolve memory leak in session handler
feat/session-cleanup priya.chen · 2 files
src/deps/package.json +1-0
1
{
2
"dependencies": {
3
"lodash": "^4.17.21",
4
+
"openssl": "^3.0.8"⚑ CVE-2024-28849
5
"axios": "^1.6.0"
6
}
7
}
src/session/handler.ts +3-1
44
export function createSessionHandler(userId: string) {
45
const session = createSession(userId);
46
sessionStore.set(session.id, session);
47
-
let timer = setInterval(() => refresh(session), 5000);
47
+
const timer = setInterval(() => refresh(session), 5000);
48
+
session.on('destroy', () => clearInterval(timer));
49
+
session.register(openssl.createContext());
50
return session;
51
}
Checks
1 blocked
deps cve licenses secrets
3 of 4 checks complete · 1 blocked
Results
Dependency scan
lodash · axios · 12 others
passed
What ran
14 direct dependencies checked against NVD and OSV advisory databases. No known vulnerabilities found.
Actions
queried NVD · queried OSV · checked version pinning
CVE check
openssl@3.0.8 · CVE-2024-28849
blocked
Vulnerability
CVE-2024-28849
HTTP request smuggling in openssl@3.0.8. Affects servers that proxy requests from untrusted clients to backend services.
Confidence
moderate
Limited public exploit data exists for this CVE in non-public-facing configurations.
Prior decision on this org

CVE-2024-28849 was overridden on payments-service. Reason logged: isolated network, no external request routing.

Why merge is blocked
Policy P-12: CVEs scoring above 6.5 require review before merge. This CVE scores 7.2.
Override this block
License audit
MIT · Apache-2.0 · all 15 clear
passed
What ran
15 packages checked against the org license allowlist. No copyleft or restricted licenses detected.
Secrets scan
3 files scanned · nothing found
passed
What ran
Pattern and entropy detection across 3 changed files. No API keys, tokens, or private keys found.
Override recorded · merge unblocked
Accuracy · this repo 87% · 47 runs
2 prior overrides · 0 retroactive failures
Override · CVE check · #482
Why does CVE-2024-28849 not apply here?
packageopenssl@3.0.8 cveCVE-2024-28849 cvss7.2 · High policyP-12 · review required confidencemoderate
Audit record
recorded on submission
actionoverride · CVE-2024-28849
authorpriya.chen
pr#482 · feat/session-cleanup
time
reasonwaiting for input
I understand this override creates a permanent record tied to my account. If this CVE is later confirmed exploitable in this context, this decision will surface in the retrospective.
scenario: priya.chen · blocked deploy · thursday 4:40pm