https://github.com/unslothai/unsloth ·
lang: typescript ·
LOC: ·
source: user_submitted
| Rule | Severity | Count |
|---|---|---|
SEC020 Secret Printed to Logs |
high | 4 |
SEC005 Command Injection Risk |
high | 4 |
SEC015 Insecure Randomness for Security |
medium | 4 |
SEC011 Unsafe PyTorch Model Loading |
medium | 2 |
SEC017 Unbounded Input to LLM/External API |
medium | 1 |
SEC019 Raw Authorization Token in Example |
critical | 1 |
SEC016 LLM Prompt Injection — User Input in AI Prompt |
high | 1 |
SEC006 XSS Risk |
high | 1 |
SEC002 Hardcoded API Key |
critical | 1 |
SEC013 Path Traversal — User Input in File Path |
high | 1 |
SEC005
Command Injection Risk
unsloth/_gpu_init.py:294
· conf 0.80
[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input.SEC005
Command Injection Risk
unsloth/tokenizer_utils.py:1692
· conf 0.80
[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input.SEC013
Path Traversal — User Input in File Path
studio/install_llama_prebuilt.py:853
· conf 0.80
[SEC013] Path Traversal — User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files.SEC016
LLM Prompt Injection — User Input in AI Prompt
unsloth/chat_templates.py:1793
· conf 0.90
[SEC016] LLM Prompt Injection — User Input in AI Prompt: User-supplied text is interpolated directly into an AI/LLM prompt (e.g. OpenAI, Anthropic, or local model). This is the AI equivalent of SQL i…SEC020
Secret Printed to Logs
unsloth/chat_templates.py:1921
· conf 0.85
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…SEC005
Command Injection Risk
unsloth/save.py:1137
· conf 0.50
[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input.SEC011
Unsafe PyTorch Model Loading
unsloth/models/_utils.py:1899
· conf 1.00
[SEC011] Unsafe PyTorch Model Loading: torch.load() uses pickle internally and can execute arbitrary code from untrusted model files.SEC011
Unsafe PyTorch Model Loading
unsloth/save.py:872
· conf 1.00
[SEC011] Unsafe PyTorch Model Loading: torch.load() uses pickle internally and can execute arbitrary code from untrusted model files.SEC017
Unbounded Input to LLM/External API
unsloth/chat_templates.py:1793
· conf 0.80
[SEC017] Unbounded Input to LLM/External API: User input is passed to an LLM or external AI API (OpenAI, Anthropic, etc.) without any visible length or size validation. This creates two risks: (1) Co…SEC006
XSS Risk
studio/frontend/src/components/shutdown-dialog.tsx:54
· conf 0.40
[SEC006] XSS Risk: Direct HTML injection without sanitization.SEC019
Raw Authorization Token in Example
studio/frontend/src/features/settings/components/usage-examples.tsx:48
· conf 0.20
[SEC019] Raw Authorization Token in Example: A real-looking API token appears in an Authorization-style header or service-key example. Use placeholders in docs and CI snippets; never paste live token…SEC002
Hardcoded API Key
studio/frontend/src/features/settings/components/usage-examples.tsx:58
· conf 0.15
[SEC002] Hardcoded API Key: Hardcoded API key found in source code.SEC005
Command Injection Risk
[SEC005] Command Injection Risk (and 3 more): Same pattern found in 3 additional files. Review if needed.SEC015
Insecure Randomness for Security
[SEC015] Insecure Randomness for Security (and 3 more): Same pattern found in 3 additional files. Review if needed.SEC015
Insecure Randomness for Security
studio/frontend/src/components/app-sidebar.tsx:145
· conf 0.15
[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.SEC015
Insecure Randomness for Security
studio/frontend/src/components/ui/sidebar.tsx:663
· conf 0.15
[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.SEC015
Insecure Randomness for Security
studio/frontend/src/main.tsx:22
· conf 0.15
[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.SEC020
Secret Printed to Logs
[SEC020] Secret Printed to Logs (and 5 more): Same pattern found in 5 additional files. Review if needed.SEC020
Secret Printed to Logs
unsloth/import_fixes.py:524
· conf 0.15
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…SEC020
Secret Printed to Logs
unsloth/save.py:684
· conf 0.15
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…Reading from rp.scan + rp.finding + rp.rule (unified schema, R78 series). Legacy data path unchanged. Compare with /scan/098a2aee-fee1-458b-bcaa-d4f661adc5a3/.