80 of your 559 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 13.82s · analysis 89.33s · 18.5 MB · GitHub API rate-limit (preflight)

streamplace/streamplace

https://github.com/streamplace/streamplace · scanned 2026-06-05 17:38 UTC (4 days, 21 hours ago) · 10 languages

853 raw signals (485 security + 368 graph) · 3rd percentile · Go · large (100-500K LoC) · System graph score 67 (lower by 14)


Complete repo analysis

Last scanned 4 days, 21 hours ago · v2 · 563 actionable findings from 2 signal sources. 105 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

Score breakdown — 2026-05-18-v5
Component             Sub-score  Weight  Contribution
structure_score       85.0       0.15    12.75
security_score        20.1       0.25    5.03
testing_score         40.0       0.20    8.00
documentation_score   60.0       0.15    9.00
practices_score       80.0       0.15    12.00
code_quality          65.1       0.10    6.51
Overall                          1.00    53.3
Active filters: excluding tests
Scan summary: Quality grade C- (53/100). Dimensions: security 20, maintainability 85. 485 findings (346 security). 141,182 lines analyzed.

Showing 512 of 563 actionable findings. 668 raw detector signals were grouped into reader-sized issues.

critical Security checks quality Quality conf 1.00 ✓ Repobility [MINED013] Password In Url: https://user:password@host — leaks creds via logs, referrer, error messages.
Review and fix per the pattern semantics. See CWE-200 / A07:2021 for context.
pkg/spxrpc/storage.go:46
critical Security checks security secrets conf 0.95 6 occurrences Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
6 files, 6 locations
Cargo.lock:1005
docker/mistserver.json:4
js/docs/src/content/docs/video-metadata/c2pa-integration.md:150
pkg/atproto/atproto_test.go:118
pkg/vod/process.go:446
rust/iroh-streamplace/Cargo.lock:550
critical Security checks software dependencies conf 0.88 fast-xml-parser: GHSA-m7jm-9gc2-mpf2
fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names
pnpm-lock.yaml
critical Security checks software dependencies conf 0.88 github.com/go-git/go-git/v5: GHSA-v725-9546-7q7m
go-git has an Argument Injection via the URL field
go.mod
critical Security checks software dependencies conf 0.88 github.com/jackc/pgx/v5: GHSA-9jj7-4m8r-rfcm
Memory-safety vulnerability in github.com/jackc/pgx/v5.
go.mod
critical Security checks software dependencies conf 0.88 google.golang.org/grpc: GHSA-p77j-4mvh-x3m3
gRPC-Go has an authorization bypass via missing leading slash in :path
go.mod
critical Security checks software dependencies conf 0.88 handlebars: GHSA-2w6w-674q-4c4q
Handlebars.js has JavaScript Injection via AST Type Confusion
pnpm-lock.yaml
critical Security checks security secrets conf 0.95 3 occurrences Identified a Private Key, which may compromise cryptographic security and sensitive data encryption.
Gitleaks detected a committed secret or credential pattern.
3 files, 3 locations
localhost-key.pem:1
pkg/crypto/signers/eip712/eip712test/eip712test.go:59
pkg/notifications/firebase_test.go:14
critical Security checks software dependencies conf 0.88 protobufjs: GHSA-xq3m-2v4x-88gg
Arbitrary code execution in protobufjs
pnpm-lock.yaml
critical Security checks security secrets conf 0.95 Uncovered a GCP API key, which could lead to unauthorized access to Google Cloud services and data breaches.
Gitleaks detected a committed secret or credential pattern.
js/app/google-services.json:18
critical System graph security Secrets conf 1.00 Possible secret in js/dev-env/lib/constants.ts
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
js/dev-env/lib/constants.ts:1
critical System graph security Secrets conf 1.00 Possible secret in util/mac-codesign.sh
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
util/mac-codesign.sh:16
high Security checks software dependencies conf 0.88 @hapi/content: GHSA-36hh-x5p5-jgc8
@hapi/content header parser has a parameter smuggling issue that allows upload-filter bypass via duplicate parameters
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 @hapi/content: GHSA-jg4p-7fhp-p32p
@hapi/content: Regular Expression Denial of Service (ReDoS) in HTTP header parsing
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 @xmldom/xmldom: GHSA-2v35-w6hq-6mfw
xmldom: Uncontrolled recursion in XML serialization leads to DoS
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 @xmldom/xmldom: GHSA-f6ww-3ggp-fr8h
xmldom has XML injection through unvalidated DocumentType serialization
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 @xmldom/xmldom: GHSA-j759-j44w-7fr8
xmldom has XML node injection through unvalidated comment serialization
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 @xmldom/xmldom: GHSA-wh4c-j3r5-mjhp
xmldom: XML injection via unsafe CDATA serialization allows attacker-controlled markup insertion
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 @xmldom/xmldom: GHSA-x6wf-f3px-wcqx
xmldom has XML node injection through unvalidated processing instruction serialization
pnpm-lock.yaml
high Security checks security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /clip/:did/clip.mp4.
pkg/api/api_internal.go:542
high Security checks security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /player-report/:id.
pkg/api/api_internal.go:279
high Security checks security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /segment/:id.
pkg/api/api_internal.go:300
high Security checks security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /test/:id.
pkg/api/api.go:174
high Security checks security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: POST /http-pipe/:uuid.
pkg/api/api_internal.go:194
high Security checks security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: PUT /settings/:id.
pkg/api/api_internal.go:487
high Security checks security path traversal conf 0.80 [SEC013] Path Traversal — User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files.
Use os.path.realpath() and verify the path starts with your expected base directory. Use secure_filename() for uploads.
pkg/cmd/combine.go:38
high Security checks quality Quality conf 1.00 [SEC092] Go: SQL via fmt.Sprintf or string concat: SQL query constructed via Sprintf or `+` enables SQL injection. Ported from gosec G201 / G202 (Apache-2.0).
Use placeholders: `db.Query("SELECT ... WHERE id = ?", userID)`.
pkg/statedb/statedb.go:174
low Security checks security Injection conf 1.00 [SEC103] LDAP injection — non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts.
Escape with javax.naming.ldap.Rdn.escapeValue or equivalent. For python-ldap, use ldap.filter.escape_filter_chars. Better: use parameterized search APIs (Spring LdapTemplate filter encoders).
js/components/src/components/mobile-player/webrtc-diagnostics.tsx:39
high Security checks software Xss conf 1.00 3 occurrences [SEC111] Django mark_safe / |safe filter on user data: Django's `mark_safe()` and `|safe` disable HTML autoescaping. Calling them on non-constant data is XSS.
Use `django.utils.html.format_html("<p>{}</p>", user_input)` — Django will escape the placeholder. Or escape explicitly with `django.utils.html.escape()`. Only use `mark_safe` on string literals.
3 files, 3 locations
pkg/aqtime/aqtime.go:77
pkg/media/clip_user.go:37
pkg/media/mkv_ingest.go:110
high Security checks software dependencies conf 0.88 atomic-polyfill: RUSTSEC-2023-0089
atomic-polyfill is unmaintained
rust/iroh-streamplace/Cargo.lock
high Security checks software dependencies conf 0.88 atomic-polyfill: RUSTSEC-2023-0089
atomic-polyfill is unmaintained
Cargo.lock
high Security checks software dependencies conf 0.88 axios: GHSA-35jp-ww65-95wh
axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy`
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 axios: GHSA-3g43-6gmg-66jw
axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 axios: GHSA-6chq-wfr3-2hj9
Axios: Header Injection via Prototype Pollution
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 axios: GHSA-777c-7fjr-54vf
Allocation of Resources Without Limits or Throttling in Axios
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 axios: GHSA-hfxv-24rg-xrqf
Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 axios: GHSA-j5f8-grm9-p9fc
Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 axios: GHSA-p92q-9vqr-4j8v
Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 axios: GHSA-pf86-5x62-jrwf
Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 axios: GHSA-pjwm-pj3p-43mv
axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718)
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 axios: GHSA-q8qp-cvcw-x6jj
Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 bincode: RUSTSEC-2025-0141
Bincode is unmaintained
rust/iroh-streamplace/Cargo.lock
high Security checks software dependencies conf 0.88 bincode: RUSTSEC-2025-0141
Bincode is unmaintained
Cargo.lock
high Security checks software dependencies conf 0.88 bytes: RUSTSEC-2026-0007
Integer overflow in `BytesMut::reserve`
rust/iroh-streamplace/Cargo.lock
high Security checks software dependencies conf 0.88 bytes: RUSTSEC-2026-0007
Integer overflow in `BytesMut::reserve`
Cargo.lock
high Security checks software dependencies conf 0.88 cross-spawn: GHSA-3xgq-45jj-v275
Regular Expression Denial of Service (ReDoS) in cross-spawn
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 custom_derive: RUSTSEC-2025-0058
custom_derive crate is unmaintained
Cargo.lock
high Security checks software dependencies conf 0.88 defu: GHSA-737v-mqg7-c878
defu: Prototype pollution via `__proto__` key in defaults argument
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 devalue: GHSA-77vg-94rm-hx3p
Svelte devalue: DoS via sparse array deserialization
pnpm-lock.yaml
high Security checks software dependencies conf 0.90 ✓ Repobility 3 occurrences Dockerfile FROM `ubuntu:22.04` not pinned by digest
`FROM ubuntu:22.04` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
3 files, 3 locations
docker/build.Dockerfile:2
docker/bunny.Dockerfile:1
docker/local.Dockerfile:1
high Security checks software dependencies conf 0.88 electron: GHSA-532v-xpq5-8h95
Electron: Use-after-free in offscreen child window paint callback
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 electron: GHSA-8337-3p73-46f4
Electron: Use-after-free in WebContents fullscreen, pointer-lock, and keyboard-lock permission callbacks
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 electron: GHSA-9wfr-w7mm-pc7f
Electron: Renderer command-line switch injection via undocumented commandLineSwitches webPreference
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 electron: GHSA-jjp3-mq3x-295m
Electron: Use-after-free in PowerMonitor on Windows and macOS
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 fast-uri: GHSA-q3j6-qgpj-74h6
fast-uri vulnerable to path traversal via percent-encoded dot segments
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 fast-uri: GHSA-v39h-62p7-jpjc
fast-uri vulnerable to host confusion via percent-encoded authority delimiters
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 fast-xml-builder: GHSA-5wm8-gmm8-39j9
fast-xml-builder allows attribute values with unwanted quotes to bypass malicious or unwanted attributes
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 fast-xml-parser: GHSA-8gc5-j5rx-235r
fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278)
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 filippo.io/edwards25519: GO-2026-4503
Invalid result or undefined behavior in filippo.io/edwards25519
go.mod
high Security checks software dependencies conf 0.88 flatted: GHSA-25h7-pfq9-p65f
flatted vulnerable to unbounded recursion DoS in parse() revive phase
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 flatted: GHSA-rf6f-7fwh-wjgh
Prototype Pollution via parse() in NodeJS flatted
pnpm-lock.yaml
medium Security checks cicd CI/CD security conf 0.90 ✓ Repobility 15 occurrences GitHub Action is tag-pinned rather than SHA-pinned
Action `jdx/mise-action` pinned to mutable ref `@v2` uses a mutable tag or branch. Pin external actions to a reviewed full commit SHA when the workflow is security-sensitive.
4 files, 15 locations
.github/workflows/build.yaml:43, 48, 61, 125 (6 hits)
.github/workflows/docker.yaml:57, 70, 107, 185, 215 (5 hits)
.github/workflows/golangci-lint.yaml:24, 37 (3 hits)
.github/workflows/sync-gitlab.yaml:9
CI/CD security · Supply chain · GitHub Actions
low Security checks cicd CI/CD security conf 0.90 ✓ Repobility 21 occurrences GitHub Action is tag-pinned rather than SHA-pinned
Action `actions/add-to-project` pinned to mutable ref `@v1.0.2` uses a mutable tag or branch. Pin external actions to a reviewed full commit SHA when the workflow is security-sensitive.
5 files, 21 locations
.github/workflows/docker.yaml:49, 101, 128, 160, 166 (10 hits)
.github/workflows/build.yaml:36, 67, 117, 121 (7 hits)
.github/workflows/golangci-lint.yaml:17 (2 hits)
.github/workflows/add-to-project.yaml:13
.github/workflows/sync-tangled.yaml:11
CI/CD security · Supply chain · GitHub Actions
high Security checks software dependencies conf 0.88 github.com/aws/aws-sdk-go: GO-2022-0635
In-band key negotiation issue in AWS S3 Crypto SDK for golang in github.com/aws/aws-sdk-go
go.mod
high Security checks software dependencies conf 0.88 github.com/aws/aws-sdk-go: GO-2022-0646
CBC padding oracle issue in AWS S3 Crypto SDK for golang in github.com/aws/aws-sdk-go
go.mod
high Security checks software dependencies conf 0.88 github.com/cloudflare/circl: GO-2025-3754
CIRCL-Fourq: Missing and wrong validation can lead to incorrect results in github.com/cloudflare/circl
go.mod
high Security checks software dependencies conf 0.88 github.com/cloudflare/circl: GO-2026-4550
CIRCL has an incorrect calculation in secp384r1 CombinedMult in github.com/cloudflare/circl
go.mod
high Security checks software dependencies conf 0.88 github.com/consensys/gnark-crypto: GO-2025-4087
Unchecked memory allocation during vector deserialization in github.com/consensys/gnark-crypto
go.mod
high Security checks software dependencies conf 0.88 github.com/docker/cli: GO-2026-4610
Docker CLI Plugins: Uncontrolled Search Path Element Leads to Local Privilege Escalation on Windows in github.com/docker/cli
go.mod
high Security checks software dependencies conf 0.88 github.com/docker/docker: GHSA-rg2x-37c3-w2rh
Docker: Race condition in docker cp allows bind mount redirection to host path
go.mod
high Security checks software dependencies conf 0.88 github.com/docker/docker: GHSA-x86f-5xw2-fm2r
Docker: `PUT /containers/{id}/archive` executes container binary on the host
go.mod
high Security checks software dependencies conf 0.88 github.com/docker/docker: GO-2026-4883
Moby has an Off-by-one error in its plugin privilege validation in github.com/docker/docker
go.mod
high Security checks software dependencies conf 0.88 github.com/docker/docker: GO-2026-4887
Moby has AuthZ plugin bypass when provided oversized request bodies in github.com/docker/docker
go.mod
high Security checks software dependencies conf 0.88 github.com/ethereum/go-ethereum: GO-2026-4314
High CPU usage leading to DoS via malicious p2p message in github.com/ethereum/go-ethereum
go.mod
high Security checks software dependencies conf 0.88 github.com/ethereum/go-ethereum: GO-2026-4315
DoS via malicious p2p message affecting a vulnerable node in github.com/ethereum/go-ethereum
go.mod
high Security checks software dependencies conf 0.88 github.com/ethereum/go-ethereum: GO-2026-4507
Go Ethereum affected by crash via malicious p2p message in github.com/ethereum/go-ethereum
go.mod
high Security checks software dependencies conf 0.88 github.com/ethereum/go-ethereum: GO-2026-4508
Go Ethereum affected by DoS via malicious p2p message in github.com/ethereum/go-ethereum
go.mod
high Security checks software dependencies conf 0.88 github.com/ethereum/go-ethereum: GO-2026-4511
Go Ethereum Improperly Validates the ECIES Public Key in RLPx Handshake in github.com/ethereum/go-ethereum
go.mod
high Security checks software dependencies conf 0.88 github.com/getkin/kin-openapi: GO-2025-3533
Improper Handling of Highly Compressed Data (Data Amplification) in github.com/getkin/kin-openapi/openapi3filter
go.mod
high Security checks software dependencies conf 0.88 github.com/go-git/go-billy/v5: GHSA-qw64-3x98-g7q2
go-billy has path traversal vulnerabilities
go.mod
high Security checks software dependencies conf 0.88 github.com/go-git/go-git/v5: GHSA-389r-gv7p-r3rp
go-git's improper parsing of specially crafted objects may lead to inconsistent interpretation compared to upstream Git
go.mod
high Security checks software dependencies conf 0.88 github.com/go-git/go-git/v5: GO-2025-3367
Clients vulnerable to DoS via maliciously crafted Git server replies in github.com/go-git/go-git
go.mod
high Security checks software dependencies conf 0.88 github.com/go-git/go-git/v5: GO-2026-4473
Improper verification of data integrity values for .idx and .pack files in github.com/go-git/go-git
go.mod
high Security checks software dependencies conf 0.88 github.com/go-git/go-git/v5: GO-2026-4909
Missing validation decoding Index v4 files leads to panic in github.com/go-git/go-git
go.mod
high Security checks software dependencies conf 0.88 github.com/go-git/go-git/v5: GO-2026-4910
Maliciously crafted idx file can cause asymmetric memory consumption in github.com/go-git/go-git
go.mod
high Security checks software dependencies conf 0.88 github.com/go-jose/go-jose/v4: GO-2026-4945
Go JOSE Panics in JWE decryption in github.com/go-jose/go-jose
go.mod
high Security checks software dependencies conf 0.88 github.com/go-viper/mapstructure/v2: GO-2025-3787
May leak sensitive information in logs when processing malformed data in github.com/go-viper/mapstructure
go.mod
high Security checks software dependencies conf 0.88 github.com/go-viper/mapstructure/v2: GO-2025-3900
Go-viper's mapstructure May Leak Sensitive Information in Logs in github.com/go-viper/mapstructure
go.mod
high Security checks software dependencies conf 0.88 github.com/jackc/pgx/v5: GO-2026-4771
CVE-2026-33815 in github.com/jackc/pgx
go.mod
high Security checks software dependencies conf 0.88 github.com/pion/interceptor: GO-2025-3748
Pion Interceptor's improper RTP padding handling allows remote crash for SFU users (DoS) in github.com/pion/interceptor
go.mod
high Security checks software dependencies conf 0.88 glob: GHSA-5j98-mcp5-4vw2
glob CLI: Command injection via -c/--cmd executes matches with shell:true
pnpm-lock.yaml
high Security checks software dependencies conf 0.90 ✓ Repobility 4 occurrences go.mod replaces `github.com/ThalesGroup/crypto11` — redirects to fork `github.com/aquareum-tv/crypto11`
`replace github.com/ThalesGroup/crypto11 => github.com/aquareum-tv/crypto11` overrides the canonical dependency with a different source (redirects to fork `github.com/aquareum-tv/crypto11`). Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyon…
go.mod:4, 6, 8, 10 (4 hits)
high Security checks software dependencies conf 0.88 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp: GO-2026-4985
Oversized OTLP HTTP response bodies can cause memory exhaustion in go.opentelemetry.io/otel/exporters/otlp
go.mod
high Security checks software dependencies conf 0.88 go.opentelemetry.io/otel/sdk: GHSA-hfvc-g4fc-pqhx
opentelemetry-go: BSD kenv command not using absolute path enables PATH hijacking
go.mod
high Security checks software dependencies conf 0.88 go.opentelemetry.io/otel/sdk: GO-2026-4394
OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking in go.opentelemetry.io/otel/sdk
go.mod
high Security checks software dependencies conf 0.88 go.opentelemetry.io/otel: GHSA-mh2q-q3fh-2475
OpenTelemetry-Go: multi-value `baggage` header extraction causes excessive allocations (remote dos amplification)
go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5005
Invoking key constraints not enforced in golang.org/x/crypto/ssh/agent
go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5006
Invoking agent constraints dropped when forwarding keys in golang.org/x/crypto/ssh/agent
go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5013
Invoking byte arithmetic causes underflow and panic in golang.org/x/crypto/ssh
go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5014
Invoking bypass of certificate restrictions in golang.org/x/crypto/ssh
go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5015
Invoking server panic during CheckHostKey/Authenticate in golang.org/x/crypto/ssh
go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5016
Invoking memory leak when rejecting channels can lead to DoS in golang.org/x/crypto/ssh
go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5017
Invoking client can cause server deadlock on unexpected responses in golang.org/x/crypto/ssh
go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5018
Invoking pathological RSA/DSA parameters may cause DoS in golang.org/x/crypto/ssh
go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5019
Invoking bypass of FIDO/U2F security keys physical interaction in golang.org/x/crypto/ssh
go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5020
Invoking infinite loop on large channel writes in golang.org/x/crypto/ssh
go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5021
Invoking auth bypass via unenforced @revoked status in golang.org/x/crypto/ssh/knownhosts
go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5023
Invoking VerifiedPublicKeyCallback permissions skip enforcement in golang.org/x/crypto/ssh
go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5033
Invoking pathological inputs can lead to client panic in golang.org/x/crypto/ssh/agent
go.mod
high Security checks software dependencies conf 0.88 golang.org/x/image: GO-2026-4815
OOM from malicious IFD offset in golang.org/x/image/tiff
go.mod
high Security checks software dependencies conf 0.88 golang.org/x/image: GO-2026-4961
Panic when decoding large WEBP image on 32-bit platforms in golang.org/x/image
go.mod
high Security checks software dependencies conf 0.88 golang.org/x/image: GO-2026-4962
Excessive memory allocation when decoding malicious SFNT in golang.org/x/image
go.mod
high Security checks software dependencies conf 0.88 golang.org/x/image: GO-2026-5031
Panic when reading out of bound palette index in golang.org/x/image/bmp
go.mod
high Security checks software dependencies conf 0.88 golang.org/x/image: GO-2026-5032
Excessive resource consumption in PackBits decompression in golang.org/x/image/tiff
go.mod
high Security checks software dependencies conf 0.88 golang.org/x/net: GO-2026-4918
Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in net/http/internal/http2 in golang.org/x/net
go.mod
high Security checks software dependencies conf 0.88 golang.org/x/net: GO-2026-5025
Invoking incorrect handling of namespaced elements in foreign content in golang.org/x/net/html
go.mod
high Security checks software dependencies conf 0.88 golang.org/x/net: GO-2026-5026
Invoking failure to reject ASCII-only Punycode-encoded labels in golang.org/x/net/idna
go.mod
high Security checks software dependencies conf 0.88 golang.org/x/net: GO-2026-5027
Invoking incorrect handling of HTML elements in foreign content in golang.org/x/net/html
go.mod
high Security checks software dependencies conf 0.88 golang.org/x/net: GO-2026-5028
Invoking denial of service when parsing arbitrary HTML in golang.org/x/net/html
go.mod
high Security checks software dependencies conf 0.88 golang.org/x/net: GO-2026-5029
Invoking incorrect handling of character references in DOCTYPE nodes in golang.org/x/net/html
go.mod
high Security checks software dependencies conf 0.88 golang.org/x/net: GO-2026-5030
Invoking duplicate attributes can cause XSS in golang.org/x/net/html
go.mod
high Security checks software dependencies conf 0.88 handlebars: GHSA-3mfm-83xf-c92r
Handlebars.js has JavaScript Injection via AST Type Confusion by tampering @partial-block
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 handlebars: GHSA-9cx6-37pm-9jff
Handlebars.js has Denial of Service via Malformed Decorator Syntax in Template Compilation
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 handlebars: GHSA-xhpv-hc6g-r9c6
Handlebars.js has JavaScript Injection via AST Type Confusion when passing an object as dynamic partial
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 handlebars: GHSA-xjpj-3mr7-gcpf
Handlebars.js has JavaScript Injection in CLI Precompiler via Unescaped Names and Options
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 hickory-proto: RUSTSEC-2026-0118
NSEC3 closest-encloser proof validation enters unbounded loop on cross-zone responses
rust/iroh-streamplace/Cargo.lock
high Security checks software dependencies conf 0.88 hickory-proto: RUSTSEC-2026-0118
NSEC3 closest-encloser proof validation enters unbounded loop on cross-zone responses
Cargo.lock
high Security checks software dependencies conf 0.88 hickory-proto: RUSTSEC-2026-0119
CPU exhaustion during message encoding due to O(n²) name compression
rust/iroh-streamplace/Cargo.lock
high Security checks software dependencies conf 0.88 hickory-proto: RUSTSEC-2026-0119
CPU exhaustion during message encoding due to O(n²) name compression
Cargo.lock
high Security checks software dependencies conf 0.88 http-proxy-middleware: GHSA-c7qv-q95q-8v27
Denial of service in http-proxy-middleware
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 image-size: GHSA-m5qc-5hw7-8vg7
image-size Denial of Service via Infinite Loop during Image Processing
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 instant: RUSTSEC-2024-0384
`instant` is unmaintained
rust/iroh-streamplace/Cargo.lock
high Security checks software dependencies conf 0.88 instant: RUSTSEC-2024-0384
`instant` is unmaintained
Cargo.lock
high Security checks software dependencies conf 0.88 jws: GHSA-869p-cjfg-cm3x
auth0/node-jws Improperly Verifies HMAC Signature
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 kysely: GHSA-8cpq-38p9-67gx
Kysely has a MySQL SQL Injection via Insufficient Backslash Escaping in `sql.lit(string)` usage or similar methods that append string literal values into the compiled SQL strings
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 lodash: GHSA-r5fr-rjxr-66jc
lodash vulnerable to Code Injection via `_.template` imports key names
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 lru: RUSTSEC-2026-0002
`IterMut` violates Stacked Borrows by invalidating internal pointer
rust/iroh-streamplace/Cargo.lock
high Security checks software dependencies conf 0.88 lru: RUSTSEC-2026-0002
`IterMut` violates Stacked Borrows by invalidating internal pointer
Cargo.lock
high Security checks software dependencies conf 0.88 minimatch: GHSA-23c5-xmqv-rm74
minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 minimatch: GHSA-3ppc-4f35-3m26
minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 minimatch: GHSA-7r86-cg39-jmmj
minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 node-forge: GHSA-2328-f5f3-gj25
Forge has a basicConstraints bypass in its certificate chain verification (RFC 5280 violation)
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 node-forge: GHSA-554w-wpv2-vw27
node-forge has ASN.1 Unbounded Recursion
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 node-forge: GHSA-5gfm-wpxj-wjgq
node-forge has an Interpretation Conflict vulnerability via its ASN.1 Validator Desynchronization
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 node-forge: GHSA-5m6q-g25r-mvwx
Forge has Denial of Service via Infinite Loop in BigInteger.modInverse() with Zero Input
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 node-forge: GHSA-ppp5-5v6c-4jwp
Forge has signature forgery in RSA-PKCS due to ASN.1 extra field
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 node-forge: GHSA-q67f-28xg-22rw
Forge has signature forgery in Ed25519 due to missing S > L check
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 nodemailer: GHSA-rcmh-qjqh-p98v
Nodemailer’s addressparser is vulnerable to DoS caused by recursive calls
pnpm-lock.yaml
high Security checks software dependencies conf 0.90 ✓ Repobility 5 occurrences package.json dep `rtcaudiodevice` pulled from URL/Git
`dependencies.rtcaudiodevice` = `git+https://github.com/streamplace/RTCAudioDevice.git#918e08a0f6f0818fb495a0db0b696b44d11d1336` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If the URL or git host is compromised, every `npm install` pulls the new payl…
3 files, 5 locations
js/app/package.json:1 (2 hits)
js/config-react-native-webrtc/package.json:1 (2 hits)
js/components/package.json:1
high Security checks software dependencies conf 0.88 paste: RUSTSEC-2024-0436
paste - no longer maintained
rust/iroh-streamplace/Cargo.lock
high Security checks software dependencies conf 0.88 paste: RUSTSEC-2024-0436
paste - no longer maintained
Cargo.lock
high Security checks software dependencies conf 0.88 path-to-regexp: GHSA-37ch-88jc-xwx2
path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 path-to-regexp: GHSA-rhx6-c78j-4q9w
path-to-regexp contains a ReDoS
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 picomatch: GHSA-c2c7-rcm5-vvqj
Picomatch has a ReDoS vulnerability via extglob quantifiers
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 proc-macro-error: RUSTSEC-2024-0370
proc-macro-error is unmaintained
Cargo.lock
high Security checks software dependencies conf 0.88 protobufjs: GHSA-66ff-xgx4-vchm
protobuf.js: Code injection through bytes field defaults in generated toObject code
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 protobufjs: GHSA-685m-2w69-288q
protobuf.js: Denial of service through unbounded protobuf recursion
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 protobufjs: GHSA-75px-5xx7-5xc7
protobuf.js: Code generation gadget after prototype pollution
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 protobufjs: GHSA-jvwf-75h9-cwgg
protobuf.js: Process-wide denial of service through unsafe option paths
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 quinn-proto: RUSTSEC-2026-0037
Denial of service in Quinn endpoints
rust/iroh-streamplace/Cargo.lock
high Security checks software dependencies conf 0.88 quinn-proto: RUSTSEC-2026-0037
Denial of service in Quinn endpoints
Cargo.lock
high Security checks software dependencies conf 0.88 rand: RUSTSEC-2026-0097
Rand is unsound with a custom logger using `rand::rng()`
rust/iroh-streamplace/Cargo.lock
high Security checks software dependencies conf 0.88 rand: RUSTSEC-2026-0097
Rand is unsound with a custom logger using `rand::rng()`
Cargo.lock
high Security checks software dependencies conf 0.88 rollup: GHSA-mw96-cpmx-2vgc
Rollup 4 has Arbitrary File Write via Path Traversal
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 rsa: RUSTSEC-2023-0071
Marvin Attack: potential key recovery through timing sidechannels
Cargo.lock
high Security checks software dependencies conf 0.88 rustls-pemfile: RUSTSEC-2025-0134
rustls-pemfile is unmaintained
Cargo.lock
high Security checks software dependencies conf 0.88 rustls-webpki: RUSTSEC-2026-0049
CRLs not considered authoritative by Distribution Point due to faulty matching logic
rust/iroh-streamplace/Cargo.lock
high Security checks software dependencies conf 0.88 rustls-webpki: RUSTSEC-2026-0049
CRLs not considered authoritative by Distribution Point due to faulty matching logic
Cargo.lock
high Security checks software dependencies conf 0.88 rustls-webpki: RUSTSEC-2026-0098
Name constraints for URI names were incorrectly accepted
rust/iroh-streamplace/Cargo.lock
high Security checks software dependencies conf 0.88 rustls-webpki: RUSTSEC-2026-0098
Name constraints for URI names were incorrectly accepted
Cargo.lock
high Security checks software dependencies conf 0.88 rustls-webpki: RUSTSEC-2026-0099
Name constraints were accepted for certificates asserting a wildcard name
rust/iroh-streamplace/Cargo.lock
high Security checks software dependencies conf 0.88 rustls-webpki: RUSTSEC-2026-0099
Name constraints were accepted for certificates asserting a wildcard name
Cargo.lock
high Security checks software dependencies conf 0.88 rustls-webpki: RUSTSEC-2026-0104
Reachable panic in certificate revocation list parsing
rust/iroh-streamplace/Cargo.lock
high Security checks software dependencies conf 0.88 rustls-webpki: RUSTSEC-2026-0104
Reachable panic in certificate revocation list parsing
Cargo.lock
high Security checks software dependencies conf 0.88 serde_cbor: RUSTSEC-2021-0127
serde_cbor is unmaintained
Cargo.lock
high Security checks software dependencies conf 0.88 serialize-javascript: GHSA-5c6j-r48x-rmvq
Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 slab: RUSTSEC-2025-0047
Out-of-bounds access in `get_disjoint_mut` due to incorrect bounds check
rust/iroh-streamplace/Cargo.lock
high Security checks software dependencies conf 0.88 stdlib: GO-2025-4006
Excessive CPU consumption in ParseAddress in net/mail
go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2025-4007
Quadratic complexity when checking name constraints in crypto/x509
go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2025-4008
ALPN negotiation error contains attacker controlled information in crypto/tls
go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2025-4009
Quadratic complexity when parsing some invalid inputs in encoding/pem
go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2025-4010
Insufficient validation of bracketed IPv6 hostnames in net/url
go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2025-4011
Parsing DER payload can cause memory exhaustion in encoding/asn1
go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2025-4012
Lack of limit when parsing cookies can cause memory exhaustion in net/http
go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2025-4013
Panic when validating certificates with DSA public keys in crypto/x509
go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2025-4014
Unbounded allocation when parsing GNU sparse map in archive/tar
go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2025-4015
Excessive CPU consumption in Reader.ReadResponse in net/textproto
go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2025-4155
Excessive resource consumption when printing error string for host certificate validation in crypto/x509
go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2025-4175
Improper application of excluded DNS name constraints when verifying wildcard names in crypto/x509
go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4337
Unexpected session resumption in crypto/tls
go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4340
Handshake messages may be processed at the incorrect encryption level in crypto/tls
go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4341
Memory exhaustion in query parameter parsing in net/url
go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4342
Excessive CPU consumption when building archive index in archive/zip
go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4601
Incorrect parsing of IPv6 host literals in net/url
go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4602
FileInfo can escape from a Root in os
go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4603
URLs in meta content attribute actions are not escaped in html/template
go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4864
TOCTOU permits root escape on Linux via Root.Chmod in os in internal/syscall/unix
go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4865
JsBraceDepth Context Tracking Bugs (XSS) in html/template
go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4869
Unbounded allocation for old GNU sparse in archive/tar
go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4870
Unauthenticated TLS 1.3 KeyUpdate record can cause persistent connection retention and DoS in crypto/tls
go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4918
Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in net/http/internal/http2 in golang.org/x/net
go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4946
Inefficient policy validation in crypto/x509
go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4947
Unexpected work during chain building in crypto/x509
go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4971
Panic in Dial and LookupPort when handling NUL byte on Windows in net
go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4976
ReverseProxy forwards queries with more than urlmaxqueryparams parameters in net/http/httputil
go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4977
Quadratic string concatenation in consumePhrase in net/mail
go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4980
Escaper bypass leads to XSS in html/template
go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4981
Crash when handling long CNAME response in net
go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4982
Bypass of meta content URL escaping causes XSS in html/template
go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4986
Quadratic string concatenation in consumeComment in net/mail
go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-5037
Inefficient candidate hostname parsing in crypto/x509
go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-5038
Quadratic complexity in WordDecoder.DecodeHeader in mime
go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-5039
Arbitrary inputs are included in errors without any escaping in net/textproto
go.mod
high Security checks software dependencies conf 0.88 tar-fs: GHSA-8cj5-5rvv-wf4v
tar-fs can extract outside the specified dir with a specific tarball
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 tar-fs: GHSA-vj76-c3g6-qr5v
tar-fs has a symlink validation bypass if destination directory is predictable with a specific tarball
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 tar: GHSA-34x7-hfp2-rc4v
node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 tar: GHSA-83g3-92jg-28cx
Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in node-tar Extraction
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 tar: GHSA-8qq5-rm4j-mr97
node-tar is Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 tar: GHSA-9ppj-qmqm-q256
node-tar Symlink Path Traversal via Drive-Relative Linkpath
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 tar: GHSA-qffp-2rhf-9h96
tar has Hardlink Path Traversal via Drive-Relative Linkpath
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 tar: GHSA-r6q2-hw4h-h46w
Race Condition in node-tar Path Reservations via Unicode Ligature Collisions on macOS APFS
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 time: RUSTSEC-2026-0009
Denial of Service via Stack Exhaustion
rust/iroh-streamplace/Cargo.lock
high Security checks software dependencies conf 0.88 time: RUSTSEC-2026-0009
Denial of Service via Stack Exhaustion
Cargo.lock
high Security checks software dependencies conf 0.88 tmp: GHSA-ph9p-34f9-6g65
tmp has Path Traversal via unsanitized prefix/postfix that enables directory escape
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 tracing-subscriber: RUSTSEC-2025-0055
Logging user input may result in poisoning logs with ANSI escape sequences
rust/iroh-streamplace/Cargo.lock
high Security checks software dependencies conf 0.88 tracing-subscriber: RUSTSEC-2025-0055
Logging user input may result in poisoning logs with ANSI escape sequences
Cargo.lock
high Security checks software dependencies conf 0.88 undici: GHSA-f269-vfmq-vjvj
Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 undici: GHSA-v9p9-hfj2-hcw8
Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 undici: GHSA-vrm6-8vpv-qv8q
Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression
pnpm-lock.yaml
high Security checks software dependencies conf 0.88 vite: GHSA-p9ff-h696-f583
Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket
pnpm-lock.yaml
high System graph security Secrets conf 1.00 .env file present in repo: js/app/.env
A raw .env file is in the working tree. Verify it isn't committed and that secrets are in a vault.
Config
medium Security checks software dependencies conf 0.88 @protobufjs/utf8: GHSA-q6x5-8v7m-xcrf
protobufjs has overlong UTF-8 decoding
pnpm-lock.yaml
medium Security checks security auth conf 0.92 [AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
high Security checks security auth conf 0.74 [AUC002] Low visible authorization coverage in route inventory: Only 10.3% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence.
Only 10.3% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence.
high Security checks security auth conf 0.66 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /Authorization.
An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /Authorization.
pkg/upload/upload.go:351
high Security checks security auth conf 0.66 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /http-pipe/:uuid.
An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /http-pipe/:uuid.
pkg/api/api_internal.go:194
high Security checks security auth conf 0.66 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: PUT /settings/:id.
An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: PUT /settings/:id.
pkg/api/api_internal.go:487
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /xrpc/place.stream.badge.getIssuedBadges.
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /xrpc/place.stream.badge.getIssuedBadges.
pkg/spxrpc/stubs.go:285
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /xrpc/place.stream.badge.getValidBadges.
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /xrpc/place.stream.badge.getValidBadges.
pkg/spxrpc/stubs.go:286
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /xrpc/place.stream.branding.getBlob.
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /xrpc/place.stream.branding.getBlob.
pkg/spxrpc/stubs.go:289
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /xrpc/place.stream.branding.getBranding.
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /xrpc/place.stream.branding.getBranding.
pkg/spxrpc/stubs.go:290
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /xrpc/place.stream.broadcast.getBroadcaster.
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /xrpc/place.stream.broadcast.getBroadcaster.
pkg/spxrpc/stubs.go:292
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /xrpc/place.stream.config.getEnv.
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /xrpc/place.stream.config.getEnv.
pkg/spxrpc/stubs.go:293
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /xrpc/place.stream.game.getGame.
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /xrpc/place.stream.game.getGame.
pkg/spxrpc/stubs.go:294
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /xrpc/place.stream.media.getVideoList.
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /xrpc/place.stream.media.getVideoList.
pkg/spxrpc/stubs.go:310
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /xrpc/place.stream.branding.deleteBlob.
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /xrpc/place.stream.branding.deleteBlob.
pkg/spxrpc/stubs.go:288
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /xrpc/place.stream.branding.updateBlob.
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /xrpc/place.stream.branding.updateBlob.
pkg/spxrpc/stubs.go:291
medium Security checks quality Error handling conf 1.00 [ERR002] Empty Catch Block: Empty catch blocks hide errors.
Log the error or rethrow it. Use console.error() at minimum.
js/components/src/crypto-polyfill.native.tsx:7
medium Security checks quality Error handling conf 1.00 [ERR002] Empty Catch Block: Empty catch blocks hide errors.
Log the error or rethrow it. Use console.error() at minimum.
js/components/src/components/mobile-player/rotation-lock.tsx:161
medium Security checks quality Quality conf 1.00 [SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0).
Use `crypto.randomBytes(32).toString('hex')` (Node) or `crypto.getRandomValues()` (browser).
js/components/src/player-store/player-store.tsx:23
medium Security checks quality Quality conf 1.00 [SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environment variables, framework internals — sometimes triggers RCE (Django debug page with arbitrary template eval).
Set DEBUG=False / APP_DEBUG=false in production. Provide a generic 500 handler that logs to backend but returns a sanitized page to clients.
rust/iroh-streamplace/src/c2pa.rs:72
medium Security checks software dependencies conf 0.88 astro: GHSA-j687-52p2-xcff
Astro: XSS in define:vars via incomplete </script> tag sanitization
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 axios: GHSA-3w6x-2g7m-8v23
Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `parseReviver`
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 axios: GHSA-445q-vr5w-6q77
Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 axios: GHSA-5c9x-8gcm-mpgx
Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 axios: GHSA-62hf-57xw-28j9
Axios: unbounded recursion in toFormData causes DoS via deeply nested request data
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 axios: GHSA-898c-q2cr-xwhg
axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 axios: GHSA-fvcv-3m26-pcqx
Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 axios: GHSA-m7pr-hjqh-92cm
Axios: no_proxy bypass via IP alias allows SSRF
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 axios: GHSA-vf2m-468p-8v99
Axios: HTTP adapter streamed responses bypass maxContentLength
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 axios: GHSA-w9j2-pvgh-6h63
Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 axios: GHSA-xx6v-rp6x-q39c
Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in `withXSRFToken` Boolean Coercion
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 brace-expansion: GHSA-f886-m6hf-6m8v
brace-expansion: Zero-step sequence causes process hang and memory exhaustion
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 brace-expansion: GHSA-jxxr-4gwj-5jf2
brace-expansion: Large numeric range defeats documented `max` DoS protection
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 electron: GHSA-3c8v-cfp5-9885
Electron: Out-of-bounds read in second-instance IPC on macOS and Linux
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 electron: GHSA-4p4r-m79c-wq3v
Electron: HTTP Response Header Injection in custom protocol handlers and webRequest
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 electron: GHSA-5rqw-r77c-jp79
Electron: AppleScript injection in app.moveToApplicationsFolder on macOS
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 electron: GHSA-9w97-2464-8783
Electron: Use-after-free in download save dialog callback
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 electron: GHSA-f3pv-wv63-48x8
Electron: Named window.open targets not scoped to the opener's browsing context
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 electron: GHSA-mwmh-mq4g-g6gr
Electron: Registry key path injection in app.setAsDefaultProtocolClient on Windows
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 electron: GHSA-r5p7-gp4j-qhrx
Electron: Incorrect origin passed to permission request handler for iframe requests
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 electron: GHSA-vmqv-hx8q-j7mg
Electron has ASAR Integrity Bypass via resource modification
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 electron: GHSA-xj5x-m3f3-5x3h
Electron: Service worker can spoof executeJavaScript IPC replies
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 electron: GHSA-xwr5-m59h-vwqr
Electron: nodeIntegrationInWorker not correctly scoped in shared renderer processes
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 fast-xml-parser: GHSA-gh4j-gqv2-49f6
fast-xml-parser XMLBuilder: XML Comment and CDATA Injection via Unescaped Delimiters
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 fast-xml-parser: GHSA-jp2q-39xq-3w4g
Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation in fast-xml-parser
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 file-type: GHSA-5v7r-6r5c-r473
file-type affected by infinite loop in ASF parser on malformed input with zero-size sub-header
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 follow-redirects: GHSA-r4q5-vmmm-2653
follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets
pnpm-lock.yaml
high Security checks quality Quality conf 0.74 Frontend API reference is not matched by discovered backend routes
A frontend string references a same-origin API path that Repobility could not match to backend route inventory. This often causes live 404s in user journeys.
js/components/src/components/chat/teleport-modal.tsx:168
high Security checks quality Quality conf 0.74 Frontend API reference is not matched by discovered backend routes
A frontend string references a same-origin API path that Repobility could not match to backend route inventory. This often causes live 404s in user journeys.
js/app/components/live-dashboard/stream-monitor.tsx:96
medium Security checks software dependencies conf 0.88 github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream: GHSA-xmrv-pmrh-hhx2
Denial of Service due to Panic in AWS SDK for Go v2 SDK EventStream Decoder
go.mod
medium Security checks software dependencies conf 0.88 github.com/docker/docker: GHSA-vp62-88p7-qqf5
Docker: Race condition in docker cp allows creation of arbitrary empty files on the host via symlink swap
go.mod
medium Security checks software dependencies conf 0.88 github.com/go-chi/chi/v5: GHSA-vrw8-fxc6-2r93
chi Allows Host Header Injection which Leads to Open Redirect in RedirectSlashes
go.mod
medium Security checks software dependencies conf 0.88 github.com/go-git/go-billy/v5: GHSA-m3xc-h892-ggx6
go-billy: Lack of depth and cycle detection in symlink resolution may lead to infinite loops and resource exhaustion
go.mod
medium Security checks software dependencies conf 0.88 github.com/go-git/go-git/v5: GHSA-3xc5-wrhm-f963
go-git: Credential leak via cross-host redirect in smart HTTP transport
go.mod
medium Security checks software dependencies conf 0.88 github.com/go-git/go-git/v5: GHSA-crhj-59gh-8x96
go-git: Crafted repositories may modify main and submodule .git directories
go.mod
medium Security checks software dependencies conf 0.88 github.com/go-git/go-git/v5: GHSA-w5pp-99ch-qj29
go-git: Malformed Git object data may cause panics or resource exhaustion
go.mod
medium Security checks software dependencies conf 0.88 github.com/ipld/go-ipld-prime: GHSA-378j-3jfj-8r9f
go-ipld-prime: DAG-CBOR decoder unbounded memory allocation from CBOR headers
go.mod
medium Security checks software dependencies conf 0.88 github.com/ipld/go-ipld-prime: GHSA-w239-58x2-q8p5
go-ipld-prime's DAG-CBOR and DAG-JSON decoders have unbounded recursion depth
go.mod
medium Security checks software dependencies conf 0.88 github.com/pion/dtls/v3: GHSA-9f3f-wv7r-qc8r
Pion DTLS's usage of random nonce generation with AES GCM ciphers risks leaking the authentication key
go.mod
medium Security checks software dependencies conf 0.88 h3: GHSA-4hxc-9384-m385
h3: SSE Event Injection via Unsanitized Carriage Return (`\r`) in EventStream Data and Comment Fields (Bypass of CVE Fix)
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 h3: GHSA-72gr-qfp7-vwhw
h3: Double Decoding in `serveStatic` Bypasses `resolveDotSegments` Path Traversal Protection via `%252e%252e`
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 handlebars: GHSA-2qvq-rjwj-gvw9
Handlebars.js has Prototype Pollution Leading to XSS through Partial Template Injection
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 handlebars: GHSA-7rx3-28cr-v5wh
Handlebars.js has a Prototype Method Access Control Gap via Missing __lookupSetter__ Blocklist Entry
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 http-proxy-middleware: GHSA-4www-5p9h-95mh
http-proxy-middleware can call writeBody twice because "else if" is not used
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 http-proxy-middleware: GHSA-9gqv-wp59-fq42
http-proxy-middleware allows fixRequestBody to proceed even if bodyParser has failed
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 i18next-http-backend: GHSA-q89c-q3h5-w34g
i18next-http-backend has Path Traversal & URL Injection via Unsanitised lng/ns
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 ip-address: GHSA-v2v4-37r5-5v8g
ip-address has XSS in Address6 HTML-emitting methods
pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 js-yaml: GHSA-mh29-5h37-fv8m
js-yaml has prototype pollution in merge (<<)
pnpm-lock.yaml
high Security checks quality Quality conf 0.80 localStorage write failures are swallowed silently
localStorage quotas are small (browsers allow on the order of a few megabytes per origin) and a write that exceeds them throws a QuotaExceededError. Catching that error without a user-visible warning causes silent data loss when notes, images, or snapshots exceed quota.
js/app/components/mobile-app-banner.tsx:43

Showing first 300 of 512.

API access

This page is publicly accessible at: https://repobility.com/scan/f11a2d98-be47-4315-afef-70785f2a4ae6/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/f11a2d98-be47-4315-afef-70785f2a4ae6/
