#integer overflow

New-api fixes billing integer overflow vulnerability

github.com · ⭐️ 8/10 · 2026-07-07

8/10

The new-api project has released two commits that add boundary checks and saturation arithmetic to prevent integer overflow in quota calculations, which could cause negative charges. This fix addresses a severe billing vulnerability that could allow users to artificially gain credits by triggering negative deductions, impacting any deployment using new-api for metering or billing. It underscores the importance of robust input validation in financial logic. The vulnerability stemmed from missing validation on user-controllable parameters in quota calculation; when oversized values caused integer overflow, deductions became negative. The fix introduces upper-bound validation and saturation arithmetic that clamps results to the maximum representable value instead of wrapping around.