From 4ab532b9aa874c3744447595a34d23c41050407a Mon Sep 17 00:00:00 2001
From: Ralph Slooten <axllent@gmail.com>
Date: Tue, 12 May 2026 16:43:15 +1200
Subject: [PATCH] Security: Fix concurrent map read & write in proxy CSS
 rewriter (GHSA-w4vj-r5pg-3722)

---
 server/handlers/proxy.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/server/handlers/proxy.go b/server/handlers/proxy.go
index 39759cc..d6bb779 100644
--- a/server/handlers/proxy.go
+++ b/server/handlers/proxy.go
@@ -213,14 +213,14 @@ func ProxyHandler(w http.ResponseWriter, r *http.Request) {
 			}
 
 			// store asset address against message ID
+			assetsMutex.Lock()
 			if result, ok := assets[id]; ok {
 				if !tools.InArray(address, result.Assets) {
-					assetsMutex.Lock()
 					result.Assets = append(result.Assets, address)
 					assets[id] = result
-					assetsMutex.Unlock()
 				}
 			}
+			assetsMutex.Unlock()
 
 			// encode with base64 to handle any special characters and group message ID with URL
 			encoded := base64.StdEncoding.EncodeToString([]byte(id + ":" + address))