codenav

The server uses `CORSMiddleware` with `allow_origins=["*"]`, which is a critical security vulnerability for any publicly accessible API, enabling Cross-Site Scripting (XSS) attacks. The `RedisSerializer` has a fallback to `pickle.dumps`/`pickle.loads` if `msgpack` or `json` are not available. Unpickling untrusted data is a known remote code execution (RCE) vulnerability. While used internally, a compromise of Redis could lead to RCE. The HTTP server binds to `0.0.0.0` by default, exposing it to all network interfaces, which is dangerous in production without strict firewalling. The CDC manager publishes graph mutations to Redis Streams, which could be a data exfiltration risk if Redis is externally exposed without proper authentication/authorization. There's no explicit input sanitization on graph query parameters beyond FastAPI/Pydantic's basic validation, which could open doors to injection if not carefully implemented in the analysis engine.