Merge branch 'master' into TT-16809-Pump-generate-mcp-analytics

98ca874
Merged

Tt 16809 pump generate mcp analytics #954

probelabs / Visor: security succeeded Apr 17, 2026 in 46s

✅ Check Passed (Warnings Found)

security check passed. Found 1 warning, but fail_if condition was not met.

Details

📊 Summary

  • Total Issues: 1
  • Warning Issues: 1

🔍 Failure Condition Results

Passed Conditions

  • global_fail_if: Condition passed

Issues by Category

Security (1)

  • ⚠️ analytics/aggregate_mcp.go:153 - The MCP analytics aggregation logic uses fields like JSONRPCMethod, PrimitiveType, and PrimitiveName from incoming analytics records as keys for in-memory maps. These records originate from an upstream source (e.g., Tyk Gateway). If an attacker can craft requests that generate a high number of unique values for these fields (high cardinality), it can lead to unbounded growth of these maps. This can cause excessive memory consumption in the Tyk Pump, leading to performance degradation or a denial-of-service (DoS) crash.

Powered by Visor from Probelabs

Annotations

Check warning on line 163 in analytics/aggregate_mcp.go

@probelabs probelabs / Visor: security

security Issue

Raw output
To mitigate this, consider implementing a limit on the cardinality of each dimension within a single aggregation window. A configurable threshold could be introduced for the maximum number of unique methods, primitives, and names to be tracked per API. Once the threshold is reached, subsequent new values could be ignored, logged, or grouped into a generic "other" category. This would prevent uncontrolled memory growth and protect the pump from resource exhaustion attacks.
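The pattern the warning describes and the mitigation it suggests, as an added example in Go (the language of Tyk Pump). This is not Tyk Pump's code and does not reproduce `analytics/aggregate_mcp.go`; `MCPRecord`, `BoundedCounter`, `AggregateMCP`, the `maxAPIs` and `maxPerDimension` thresholds and the `__other__` bucket are all hypothetical names introduced for illustration. It goes one step beyond the raw output by also capping the per-API map, since `APIID` arrives from the same upstream source as the other fields. The flood input is constructed inline.

```go
package main

import "fmt"

// MCPRecord is a constructed stand-in for one analytics record. Only the
// fields named in the Visor warning are modelled; the real Tyk Pump record
// type has many more.
type MCPRecord struct {
	APIID         string
	JSONRPCMethod string
	PrimitiveType string // e.g. "tool", "resource", "prompt"
	PrimitiveName string
}

// OtherKey is the bucket that absorbs every unseen key once a counter is full.
const OtherKey = "__other__"

// BoundedCounter counts hits per key but tracks at most maxKeys distinct keys.
// Once full, unseen keys are folded into OtherKey, so the map cannot grow
// without bound however many unique values an attacker sends in one window.
type BoundedCounter struct {
	maxKeys int
	counts  map[string]int
	other   int // hits folded into OtherKey
}

func NewBoundedCounter(maxKeys int) *BoundedCounter {
	return &BoundedCounter{maxKeys: maxKeys, counts: make(map[string]int, maxKeys)}
}

// Add records one hit for key. It returns false when the key was folded into
// OtherKey, which a caller can use to log or meter the overflow.
func (b *BoundedCounter) Add(key string) bool {
	if _, seen := b.counts[key]; seen {
		b.counts[key]++ // already tracked: keeps counting even when full
		return true
	}
	if len(b.counts) < b.maxKeys {
		b.counts[key] = 1
		return true
	}
	b.other++
	return false
}

// Distinct is the number of real keys tracked; it never exceeds maxKeys.
func (b *BoundedCounter) Distinct() int { return len(b.counts) }

// Dropped is the number of hits folded into OtherKey.
func (b *BoundedCounter) Dropped() int { return b.other }

// Count returns the tally for a key; pass OtherKey for the overflow bucket.
func (b *BoundedCounter) Count(key string) int {
	if key == OtherKey {
		return b.other
	}
	return b.counts[key]
}

// APIAggregate is one API's aggregate for one window, every dimension bounded.
type APIAggregate struct {
	Methods    *BoundedCounter // keyed by JSONRPCMethod
	Primitives *BoundedCounter // keyed by PrimitiveType + "/" + PrimitiveName
}

// AggregateMCP folds records into per-API aggregates for a single window.
// maxPerDimension is the hypothetical configurable threshold the warning
// suggests; maxAPIs bounds the outer map because APIID is upstream data too.
func AggregateMCP(records []MCPRecord, maxAPIs, maxPerDimension int) map[string]*APIAggregate {
	out := make(map[string]*APIAggregate)
	for _, r := range records {
		a, ok := out[r.APIID]
		if !ok {
			if len(out) >= maxAPIs {
				continue // unknown API beyond the cap: drop rather than allocate
			}
			a = &APIAggregate{
				Methods:    NewBoundedCounter(maxPerDimension),
				Primitives: NewBoundedCounter(maxPerDimension),
			}
			out[r.APIID] = a
		}
		a.Methods.Add(r.JSONRPCMethod)
		if r.PrimitiveName != "" {
			a.Primitives.Add(r.PrimitiveType + "/" + r.PrimitiveName)
		}
	}
	return out
}

// FloodRecords builds constructed input: n records for one API, each with a
// unique method and primitive name, as a high-cardinality probe would send.
func FloodRecords(apiID string, n int) []MCPRecord {
	recs := make([]MCPRecord, 0, n)
	for i := 0; i < n; i++ {
		recs = append(recs, MCPRecord{
			APIID:         apiID,
			JSONRPCMethod: fmt.Sprintf("tools/call-%d", i),
			PrimitiveType: "tool",
			PrimitiveName: fmt.Sprintf("tool-%d", i),
		})
	}
	return recs
}

func main() {
	recs := FloodRecords("api-1", 100000)
	agg := AggregateMCP(recs, 1000, 100)["api-1"]
	fmt.Printf("methods tracked=%d folded=%d\n", agg.Methods.Distinct(), agg.Methods.Dropped())
}
```

A key that was admitted before the window filled keeps counting accurately afterwards; only values first seen after the cap lose their identity, and the `__other__` tally tells an operator how much was folded, which is itself a useful signal that someone is probing with unique names. Because the aggregate is rebuilt per window, a burst of junk values cannot pin a dimension to `__other__` for longer than one window.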