Hacker News
by mjfisher 9 days ago
How could that possibly, ever, have made it through? Every single API for every single service didn't check the JWT?

It started as an internal service where you need to be connected with a VPN, so why bother with security.
Vibe coding? Just have an LLM make it and then press merge?
Eh, ironically this is an easy mistake to make for a human, especially around how middleware is handled in Express or other Node.js libraries; it's the reason why so many of the vulnerabilities come from Node-based apps. Python has similar footguns as well, with undefined objects failing open. TypeScript has somewhat mitigated these for Node, but there is no real fix for Python other than skipping libraries that allow failing open.
Yeah, I see this type of crap often, honestly, especially at big companies.