- 4 Critical: Critical-severity findings across all ecosystems.
- 52 High: High-severity findings across all ecosystems.
- 72 Medium: Medium-severity findings across all ecosystems.
- 34 Low: Low-severity findings across all ecosystems.
- npm: 83 advisories
- Cargo: 48 advisories
- Python: 0 advisories
- CodeQL: 61 alerts
- Dependabot: 0 alerts
```mermaid
pie showData
title Findings by Severity
"Critical" : 4
"High" : 52
"Medium" : 72
"Low" : 34
```

```mermaid
pie showData
title Findings by Ecosystem
"npm" : 83
"Cargo" : 48
"CodeQL" : 61
```

| Ecosystem | Critical | High | Medium | Low | Total |
|---|---|---|---|---|---|
| npm | 2 | 34 | 39 | 8 | 83 |
| Cargo | 0 | 0 | 18 | 0 | 48 |
| Python | 0 | 0 | 0 | 0 | 0 |
| CodeQL | 2 | 18 | 15 | 26 | 61 |
| Dependabot | 0 | 0 | 0 | 0 | 0 |
| Total | 4 | 52 | 72 | 34 | 192 |

npm advisories

| Severity | Package | Advisory | Link |
|---|---|---|---|
| Critical | vitest | When Vitest UI server is listening, arbitrary file can be… | Details |
| Critical | shell-quote | shell-quote quote() does not escape newlines in object .o… | Details |
| High | glob | glob CLI: Command injection via -c/—cmd executes matches… | Details |
| High | rollup | Rollup 4 has Arbitrary File Write via Path Traversal | Details |
| High | koa | Koa has Host Header Injection via ctx.hostname | Details |
| High | serialize-javascript | Serialize JavaScript is Vulnerable to RCE via RegExp.flag… | Details |
| High | svgo | SVGO DoS through entity expansion in DOCTYPE (Billion Lau… | Details |
| High | tar | tar has Hardlink Path Traversal via Drive-Relative Linkpath | Details |
| High | tar | node-tar Symlink Path Traversal via Drive-Relative Linkpath | Details |
| High | flatted | flatted vulnerable to unbounded recursion DoS in parse() … | Details |
| High | flatted | Prototype Pollution via parse() in NodeJS flatted | Details |
| High | path-to-regexp | path-to-regexp vulnerable to Regular Expression Denial of… | Details |
| High | picomatch | Picomatch has a ReDoS vulnerability via extglob quantifiers | Details |
| High | lodash | lodash vulnerable to Code Injection via _.template impo… | Details |
| High | vite | Vite: server.fs.deny bypassed with queries | Details |
| High | vite | Vite Vulnerable to Arbitrary File Read via Vite Dev Serve… | Details |
| High | immutable | Immutable is vulnerable to Prototype Pollution | Details |
| High | axios | Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Prote… | Details |
| High | axios | Axios: Prototype Pollution Gadgets - Response Tampering, … | Details |
| High | axios | Axios: Header Injection via Prototype Pollution | Details |
| High | fast-uri | fast-uri vulnerable to path traversal via percent-encoded… | Details |
| High | fast-uri | fast-uri vulnerable to host confusion via percent-encoded… | Details |
| High | axios | Axios has prototype pollution read-side gadgets in HTTP a… | Details |
| High | axios | axios’s shouldBypassProxy does not recognize IPv4-mapped … | Details |
| High | devalue | Svelte devalue: DoS via sparse array deserialization | Details |
| High | axios | Axios: Regular Expression Denial of Service (ReDoS) via C… | Details |
| High | axios | Allocation of Resources Without Limits or Throttling in A… | Details |
| High | axios | Axios: Proxy-Authorization Credential Leak to Origin Serv… | Details |
| High | axios | Axios: Proxy-Authorization header leaks to redirect targe… | Details |
| High | axios | axios Vulnerable to Credential Theft and Response Hijacki… | Details |
| High | axios | axios Vulnerable to Full Man-in-the-Middle via Prototype … | Details |
| High | tmp | tmp has Path Traversal via unsanitized prefix/postfix tha… | Details |
| High | esbuild | esbuild: Missing binary integrity verification in Deno mo… | Details |
| High | ws | ws: Memory exhaustion DoS from tiny fragments and data ch… | Details |
| High | form-data | form-data: CRLF injection in form-data via unescaped mult… | Details |
| High | vite | vite: server.fs.deny bypass on Windows alternate paths | Details |
| Medium | got | Got allows a redirect to a UNIX socket | Details |
| Medium | vue-template-compiler | vue-template-compiler vulnerable to client-side Cross-Sit… | Details |
| Medium | js-yaml | js-yaml has prototype pollution in merge (<<) | Details |
| Medium | mdast-util-to-hast | mdast-util-to-hast has unsanitized class attribute | Details |
| Medium | ajv | ajv has ReDoS when using $data option | Details |
| Medium | ajv | ajv has ReDoS when using $data option | Details |
| Medium | qs | qs’s arrayLimit bypass in its bracket notation allows DoS… | Details |
| Medium | brace-expansion | brace-expansion: Zero-step sequence causes process hang a… | Details |
| Medium | brace-expansion | brace-expansion: Zero-step sequence causes process hang a… | Details |
| Medium | brace-expansion | brace-expansion: Zero-step sequence causes process hang a… | Details |
| Medium | picomatch | Picomatch: Method Injection in POSIX Character Classes ca… | Details |
| Medium | yaml | yaml is vulnerable to Stack Overflow via deeply nested YA… | Details |
| Medium | yaml | yaml is vulnerable to Stack Overflow via deeply nested YA… | Details |
| Medium | lodash | lodash vulnerable to Prototype Pollution via array path b… | Details |
| Medium | vite | Vite Vulnerable to Path Traversal in Optimized Deps `.map… | Details |
| Medium | axios | Axios: Authentication Bypass via Prototype Pollution Gadg… | Details |
| Medium | axios | Axios: Invisible JSON Response Tampering via Prototype Po… | Details |
| Medium | axios | Axios: CRLF Injection in multipart/form-data body via uns… | Details |
| Medium | axios | Axios: no_proxy bypass via IP alias allows SSRF | Details |
| Medium | axios | Axios’ HTTP adapter-streamed uploads bypass maxBodyLength… | Details |
| Medium | axios | Axios: HTTP adapter streamed responses bypass maxContentL… | Details |
| Medium | axios | Axios: XSRF Token Cross-Origin Leakage via Prototype Poll… | Details |
| Medium | webpack-dev-server | webpack-dev-server vulnerable to cross-origin source code… | Details |
| Medium | ws | ws: Uninitialized memory disclosure | Details |
| Medium | serialize-javascript | Serialize JavaScript has CPU Exhaustion Denial of Service… | Details |
| Medium | uuid | uuid: Missing buffer bounds check in v3/v5/v6 when buf is… | Details |
| Medium | qs | qs has a remotely triggerable DoS: qs.stringify crashes w… | Details |
| Medium | axios | Axios: unbounded recursion in toFormData causes DoS via d… | Details |
| Medium | brace-expansion | brace-expansion: Large numeric range defeats documented `… | Details |
| Medium | lodash | Lodash has Prototype Pollution Vulnerability in _.unset… | Details |
| Medium | axios | axios has DoS & Header Injection via Prototype Pollution … | Details |
| Medium | tar | node-tar applies PAX size override to intermediary GNU lo… | Details |
| Medium | vite | launch-editor: NTLMv2 hash disclosure via UNC path handli… | Details |
| Medium | launch-editor | launch-editor: NTLMv2 hash disclosure via UNC path handli… | Details |
| Medium | js-yaml | JS-YAML: Quadratic-complexity DoS in merge key handling v… | Details |
| Medium | dompurify | DOMPurify: Hook mutation of data.allowedTags / `data.al… | Details |
| Medium | dompurify | DOMPurify: Cross-realm IN_PLACE sanitization leaves execu… | Details |
| Medium | dompurify | DOMPurify: IN_PLACE mode preserves attributes of a clobbe… | Details |
| Medium | dompurify | DOMPurify IN_PLACE Sanitization Bypass via Attached Shado… | Details |
| Low | diff | jsdiff has a Denial of Service vulnerability in parsePatc… | Details |
| Low | qs | qs’s arrayLimit bypass in comma parsing allows denial of … | Details |
| Low | axios | Axios: Null Byte Injection via Reverse-Encoding in AxiosU… | Details |
| Low | esbuild | esbuild allows arbitrary file read when running the devel… | Details |
| Low | @babel/core | @babel/core: Arbitrary File Read via sourceMappingURL Com… | Details |
| Low | dompurify | DOMPurify: IN_PLACE mode trusts attacker-controlled `no… | Details |
| Low | dompurify | DOMPurify: Trusted Types policy survives clearConfig() … | Details |
| Low | dompurify | DOMPurify: SAFE_FOR_TEMPLATES bypass - template expressio… | Details |

Cargo advisories

| Severity | Package | Advisory | Link |
|---|---|---|---|
| Medium | hickory-proto | NSEC3 closest-encloser proof validation enters unbounded … | Details |
| Medium | hickory-proto | CPU exhaustion during message encoding due to O(n²) name … | Details |
| Medium | postgres-protocol | Unbounded SCRAM iteration count allows a malicious server… | Details |
| Medium | postgres-protocol | Panic decoding a malformed hstore value allows denial o… | Details |
| Medium | rsa | Marvin Attack: potential key recovery through timing side… | Details |
| Medium | rustls-webpki | Name constraints for URI names were incorrectly accepted | |
| Medium | rustls-webpki | Name constraints were accepted for certificates asserting… | |
| Medium | rustls-webpki | Reachable panic in certificate revocation list parsing | |
| Medium | rustls-webpki | CRLs not considered authoritative by Distribution Point d… | |
| Medium | rustls-webpki | Name constraints for URI names were incorrectly accepted | |
| Medium | rustls-webpki | Name constraints were accepted for certificates asserting… | |
| Medium | rustls-webpki | Reachable panic in certificate revocation list parsing | |
| Medium | rustls-webpki | Name constraints for URI names were incorrectly accepted | |
| Medium | rustls-webpki | Name constraints were accepted for certificates asserting… | |
| Medium | rustls-webpki | Reachable panic in certificate revocation list parsing | |
| Medium | sqlx | Binary Protocol Misinterpretation caused by Truncating or… | Details |
| Medium | steamworks | Denial of service in Steamworks game clients/servers usin… | Details |
| Medium | tokio-postgres | Panic on a DataRow with fewer fields than columns allow… | Details |
| Info | atk | gtk-rs GTK3 bindings - no longer maintained | Details |
| Info | atk-sys | gtk-rs GTK3 bindings - no longer maintained | Details |
| Info | bincode | Bincode is unmaintained | Details |
| Info | derivative | derivative is unmaintained; consider using an alternative | Details |
| Info | fxhash | fxhash - no longer maintained | Details |
| Info | gdk | gtk-rs GTK3 bindings - no longer maintained | Details |
| Info | gdk-sys | gtk-rs GTK3 bindings - no longer maintained | Details |
| Info | gdkwayland-sys | gtk-rs GTK3 bindings - no longer maintained | Details |
| Info | gdkx11 | gtk-rs GTK3 bindings - no longer maintained | Details |
| Info | gdkx11-sys | gtk-rs GTK3 bindings - no longer maintained | Details |
| Info | gtk | gtk-rs GTK3 bindings - no longer maintained | Details |
| Info | gtk-sys | gtk-rs GTK3 bindings - no longer maintained | Details |
| Info | gtk3-macros | gtk-rs GTK3 bindings - no longer maintained | Details |
| Info | paste | paste - no longer maintained | Details |
| Info | proc-macro-error | proc-macro-error is unmaintained | Details |
| Info | proc-macro-error2 | proc-macro-error2 is unmaintained | Details |
| Info | rustls-pemfile | rustls-pemfile is unmaintained | Details |
| Info | rustls-pemfile | rustls-pemfile is unmaintained | Details |
| Info | serde_cbor | serde_cbor is unmaintained | Details |
| Info | unic-char-property | unic-char-property is unmaintained | Details |
| Info | unic-char-range | unic-char-range is unmaintained | Details |
| Info | unic-common | unic-common is unmaintained | Details |
| Info | unic-ucd-ident | unic-ucd-ident is unmaintained | Details |
| Info | unic-ucd-version | unic-ucd-version is unmaintained | Details |
| Info | diesel | Possible use after free when deserializing a SQLite datab… | Details |
| Info | glib | Unsoundness in Iterator and DoubleEndedIterator impls… | Details |
| Info | rand | Rand is unsound with a custom logger using rand::rng() | Details |
| Info | rand | Rand is unsound with a custom logger using rand::rng() | Details |
| Info | rand | Rand is unsound with a custom logger using rand::rng() | Details |
| Info | rand | Rand is unsound with a custom logger using rand::rng() | Details |

CodeQL alerts

| Severity | Rule | Path | Link |
|---|---|---|---|
| Critical | rust/hard-coded-cryptographic-value | packages/rust/erust/src/supabase/integration.rs | Details |
| Critical | rust/hard-coded-cryptographic-value | packages/rust/erust/src/supabase/integration.rs | Details |
| High | rust/cleartext-transmission | apps/kbve/axum-kbve/src/db/twitch.rs | Details |
| High | rust/cleartext-transmission | apps/kbve/axum-kbve/src/db/twitch.rs | Details |
| High | rust/cleartext-transmission | apps/kbve/axum-kbve/src/db/discord.rs | Details |
| High | rust/cleartext-transmission | apps/kbve/axum-kbve/src/db/discord.rs | Details |
| High | rust/cleartext-transmission | apps/kbve/axum-kbve/src/db/mc.rs | Details |
| High | rust/non-https-url | packages/rust/kbve/src/sys/system_diagnostics.rs | Details |
| High | rust/insecure-cookie | ...ust/kbve/src/entity/response/header_response.rs | Details |
| High | rust/insecure-cookie | packages/rust/kbve/src/authentication.rs | Details |
| High | rust/insecure-cookie | packages/rust/kbve/src/authentication.rs | Details |
| High | rust/cleartext-logging | apps/mc/plugins/kbve-mc-plugin/src/lib.rs | Details |
| High | js/tainted-format-string | apps/kbve/astro-kbve/src/workers/supabase.db.ts | Details |
| High | py/uninitialized-local-variable | ...n_bot/api/discord/embed/discord_status_embed.py | Details |
| High | py/uninitialized-local-variable | ...n_bot/api/discord/embed/discord_status_embed.py | Details |
| High | py/uninitialized-local-variable | ...n_bot/api/discord/embed/discord_status_embed.py | Details |
| High | py/uninitialized-local-variable | ...n_bot/api/discord/embed/discord_status_embed.py | Details |
| High | py/uninitialized-local-variable | ...n_bot/api/discord/embed/discord_status_embed.py | Details |
| High | py/uninitialized-local-variable | ...n_bot/api/discord/embed/discord_status_embed.py | Details |
| High | js/xss-through-dom | apps/pydesk/templates/home.html | Details |
| Medium | js/trivial-conditional | ...tion-unobtrusive/jquery.validate.unobtrusive.js | Details |
| Medium | js/useless-assignment-to-local | apps/kbve/edge/functions/meme/index.ts | Details |
| Medium | js/useless-assignment-to-local | ...kbve/src/components/realtime/Realtime.worker.ts | Details |
| Medium | js/client-side-request-forgery | ...ve/astro-kbve/src/workers/supabase.websocket.ts | Details |
| Medium | js/log-injection | .../kbve/astro-kbve/src/workers/supabase.shared.ts | Details |
| Medium | js/log-injection | ...ve/astro-kbve/src/workers/supabase.websocket.ts | Details |
| Medium | js/missing-origin-check | apps/kbve/astro-kbve/src/workers/supabase.db.ts | Details |
| Medium | js/missing-origin-check | apps/kbve/astro-kbve/src/workers/test-worker.ts | Details |
| Medium | js/missing-origin-check | ...ve/astro-kbve/src/workers/supabase.db.simple.ts | Details |
| Medium | js/missing-origin-check | ...kbve/src/components/realtime/Realtime.worker.ts | Details |
| Medium | js/useless-assignment-to-local | apps/pydesk/templates/home.html | Details |
| Medium | js/useless-assignment-to-local | apps/pydesk/templates/home.html | Details |
| Medium | js/missing-origin-check | ...npm/droid/src/lib/workers/supabase-db-worker.ts | Details |
| Medium | py/exit-from-finally | apps/pydesk/pydesk/main.py | Details |
| Medium | py/stack-trace-exposure | apps/pydesk/pydesk/main.py | Details |
| Low | js/unused-local-variable | packages/data/codegen/generate-proto-registry.mjs | Details |
| Low | js/unused-local-variable | ...-memes/src/components/feed/ReactMemeContent.tsx | Details |
| Low | py/import-and-import-from | packages/python/fudster/fudster/cli.py | Details |
| Low | rust/unused-variable | ...e/isometric/src-tauri/src/game/scene_objects.rs | Details |
| Low | rust/unused-variable | ...e/isometric/src-tauri/src/game/scene_objects.rs | Details |
| Low | js/unused-local-variable | ...e/templates/askama/profile_not_found/index.html | Details |
| Low | js/syntax-error | ...ta/scripts/unity/WebGLTemplates/KBVE/index.html | Details |
| Low | js/unused-local-variable | ...o-kbve/src/components/user/ReactUserProfile.tsx | Details |
| Low | js/unused-local-variable | ...e/src/components/realtime/ReactSupaRealtime.tsx | Details |
| Low | js/unused-local-variable | ...e/src/components/realtime/ReactSupaRealtime.tsx | Details |
| Low | js/unused-local-variable | ...e/src/components/realtime/ReactSupaRealtime.tsx | Details |
| Low | js/unused-local-variable | ...e/src/components/realtime/ReactSupaRealtime.tsx | Details |
| Low | js/unused-local-variable | .../astro-kbve/src/components/jay/ReactJayYuki.tsx | Details |
| Low | js/unused-local-variable | .../src/components/discord/ReactDiscordProfile.tsx | Details |
| Low | rust/unused-variable | packages/rust/q/src/manager/gui_manager.rs | Details |
| Low | js/unused-local-variable | apps/pydesk/templates/home.html | Details |
| Low | js/unused-local-variable | apps/pydesk/templates/home.html | Details |
| Low | js/unused-local-variable | apps/pydesk/templates/home.html | Details |
| Low | js/unused-local-variable | apps/pydesk/templates/home.html | Details |
| Low | js/unused-local-variable | ...astro-irc/src/components/chat/ReactChatRoom.tsx | Details |
| Low | js/unused-local-variable | .github/deprecated/github-a-localtunnel/index.js | Details |
| Low | py/empty-except | ...on-bot/notification_bot/utils/health_monitor.py | Details |
| Low | py/unused-import | packages/python/kbve/kbve/proto/kbve_pb2_grpc.py | Details |
| Low | py/mixed-returns | ...on-bot/notification_bot/api/supabase/tracker.py | Details |
| Low | py/mixed-returns | ...notification_bot/api/discord/discord_service.py | Details |
| Low | py/unused-global-variable | packages/python/kbve/kbve/proto/kbve_pb2.py | Details |

Auto-generated by ci-dashboard.yml