CVE-2026-28412 was addressed upstream in 3524fa96 ("Merge commit from fork"). Looking at Textream/Textream/DirectorServer.swift on main, none of the protections from that commit appear to have landed:
- no private let maxConnections = 5 field, and handleWSConnection still appends to wsConnections unconditionally --- a client can keep opening WS connections until resources are exhausted (CWE-400).
- no authenticatedConnections: Set<ObjectIdentifier> set, no authToken, no auth handshake at all in this file. broadcast(_:) iterates wsConnections directly with no authenticatedConnections.contains(...) filter, so any peer that completes the WS upgrade receives DirectorState payloads (live transcribed text, audio levels, etc.).
- broadcast runs on the main queue (conn.start(queue: .main) is the only queue mentioned) --- the upstream patch introduces a dedicated broadcastQueue precisely so big fan-out doesn't stall the UI thread.
Three independent gaps, all in one file --- the upstream commit is essentially a self-contained fix. Reported via port-credit-hunting.
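For reference, this is what the three missing protections look like together in one small registry. It is an added illustration, not code from Textream or from the upstream commit: the DirectorPeer protocol, the RecordingPeer stub and the demo() function are assumptions that stand in for the real NWConnection objects so the example runs without Network.framework; the field names (maxConnections, authToken, wsConnections, authenticatedConnections, broadcastQueue) mirror the ones named in the report.

```swift
import Foundation

// Stand-in for a WebSocket peer (assumption: the real server holds NWConnection objects).
protocol DirectorPeer: AnyObject {
    func send(_ payload: Data)
    func cancel()
}

// Constant-time byte comparison so the token check does not leak length-prefix timing.
private func constantTimeEquals(_ a: String, _ b: String) -> Bool {
    let x = Array(a.utf8), y = Array(b.utf8)
    guard x.count == y.count else { return false }
    var diff: UInt8 = 0
    for (p, q) in zip(x, y) { diff |= p ^ q }
    return diff == 0
}

// Hypothetical registry bundling the cap, the auth gate and the dedicated fan-out queue.
final class DirectorConnectionRegistry {
    private let maxConnections: Int
    private let authToken: String
    private var wsConnections: [DirectorPeer] = []
    private var authenticatedConnections = Set<ObjectIdentifier>()
    // Serial queue: every mutation and every broadcast runs here, never on .main.
    private let broadcastQueue = DispatchQueue(label: "director.broadcast")

    init(maxConnections: Int = 5, authToken: String) {
        self.maxConnections = maxConnections
        self.authToken = authToken
    }

    // CWE-400 guard: refuse the upgrade once the cap is reached instead of appending blindly.
    func handleWSConnection(_ peer: DirectorPeer) -> Bool {
        broadcastQueue.sync {
            guard wsConnections.count < maxConnections else {
                peer.cancel()
                return false
            }
            wsConnections.append(peer)
            return true
        }
    }

    // Auth handshake: a peer is only marked authenticated after presenting the shared token.
    func authenticate(_ peer: DirectorPeer, presentedToken: String) -> Bool {
        broadcastQueue.sync {
            guard wsConnections.contains(where: { $0 === peer }),
                  constantTimeEquals(presentedToken, authToken) else { return false }
            authenticatedConnections.insert(ObjectIdentifier(peer))
            return true
        }
    }

    // Must be called on close: ObjectIdentifier is address-based and can be reused
    // by a later allocation, so a stale entry would grant a new peer access for free.
    func remove(_ peer: DirectorPeer) {
        broadcastQueue.async {
            self.wsConnections.removeAll { $0 === peer }
            self.authenticatedConnections.remove(ObjectIdentifier(peer))
        }
    }

    // Fan-out filtered by the authenticated set, off the main thread.
    func broadcast(_ state: Data) {
        broadcastQueue.async {
            for conn in self.wsConnections
            where self.authenticatedConnections.contains(ObjectIdentifier(conn)) {
                conn.send(state)
            }
        }
    }

    // Test seam: wait for queued broadcasts to drain.
    func flush() { broadcastQueue.sync {} }
}

// In-memory peer used only by the demo below (constructed, not part of the project).
final class RecordingPeer: DirectorPeer {
    private(set) var received: [Data] = []
    private(set) var cancelled = false
    func send(_ payload: Data) { received.append(payload) }
    func cancel() { cancelled = true }
}

// Exercises all three protections with constructed peers; returns (refused, authCount, unauthCount).
func demo() -> (Bool, Int, Int) {
    let registry = DirectorConnectionRegistry(maxConnections: 2, authToken: "example-token")
    let good = RecordingPeer(), stranger = RecordingPeer(), overflow = RecordingPeer()
    _ = registry.handleWSConnection(good)
    _ = registry.handleWSConnection(stranger)
    let refused = !registry.handleWSConnection(overflow)        // third peer exceeds the cap
    _ = registry.authenticate(good, presentedToken: "example-token")
    _ = registry.authenticate(stranger, presentedToken: "guess")  // wrong token, stays unauthenticated
    registry.broadcast(Data("DirectorState{...}".utf8))
    registry.flush()
    return (refused && overflow.cancelled, good.received.count, stranger.received.count)
}

// Expected: (true, 1, 0)
print(demo())
```

handleWSConnection and authenticate use broadcastQueue.sync so the caller gets an immediate accept/reject decision, while broadcast and remove are async because nobody needs to wait on them; keeping all four on the same serial queue is what makes the count check and the authenticated-set lookup race-free without a separate lock.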