
medusajs/medusa

https://github.com/medusajs/medusa.git · lang: typescript · LOC: · source: both

Quality: 78.5 (Grade B+)
Security: 100.0
Findings: 59 (1 critical · 3 high)
Status: completed · May 17, 2026 19:53
low: 38 · medium: 17 · high: 3 · critical: 1
Top rules by occurrence
Rule · Severity · Count
AIC003 Duplicated implementation block across source files · low · 30
JRN003 Frontend API reference is not matched by discovered backend… · medium · 4
SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from use… · high · 3
AIC002 Source file name looks like an AI patch artifact · low · 3
AUC009 [AUC009] Sensitive function route lacks elevated authorizat… · medium · 3
JRN002 Browser storage is used for session token material · medium · 2
AUC004 [AUC004] Admin route does not show super_admin separation: … · medium · 2
JRN001 Token handoff appears to use a callback URL or fragment · critical · 1
WEB015 Public web app has no Content Security Policy · medium · 1
WEB011 Public web app has no humans.txt · low · 1
First 59 findings (severity-sorted)
critical JRN001 Token handoff appears to use a callback URL or fragment
packages/cli/create-medusa-app/src/utils/project-creator/medusa-project-creator.ts:194 · conf 0.88
Token handoff appears to use a callback URL or fragment
high SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
packages/admin/dashboard/src/components/common/file-upload/file-upload.tsx:88 · conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
high SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
packages/admin/dashboard/src/routes/orders/order-detail/components/order-fulfillment-section/order-fulfillment-section.tsx:419 · conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
high SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
packages/admin/dashboard/src/routes/product-tags/product-tag-list/loader.ts:14 · conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
medium AIC001 Parallel implementation file sits beside a canonical file
packages/core/utils/src/dal/mikro-orm/mikro-orm-serializer-old.ts:1 · conf 0.82
Parallel implementation file sits beside a canonical file
medium AUC001 [AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
· conf 0.92
[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
medium AUC004 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: ANY /plugins/<slug:plugin_slug>/.
www/apps/api-reference/app/base-specs/route.ts:9 · conf 0.66
[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin acc…
medium AUC004 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: ANY /plugins/<slug:plugin_slug>/.
www/apps/api-reference/app/tag/route.ts:4 · conf 0.66
[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin acc…
medium AUC009 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /items/{item_id}.
www/apps/api-reference/app/download/[area]/route.ts:11 · conf 0.68
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without el…
medium AUC009 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /items/{item_id}.
www/apps/api-reference/app/schema/route.ts:5 · conf 0.68
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without el…
medium AUC009 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /items/{item_id}.
www/apps/resources/app/api/references/[...slug]/route.ts:20 · conf 0.68
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without el…
medium ERR002 [ERR002] Empty Catch Block: Empty catch blocks hide errors.
packages/cli/medusa-cli/scripts/postinstall.js:16 · conf 1.00
[ERR002] Empty Catch Block: Empty catch blocks hide errors.
medium JRN002 Browser storage is used for session token material
packages/core/js-sdk/src/client.ts:366 · conf 0.82
Browser storage is used for session token material
medium JRN002 Browser storage is used for session token material
packages/core/js-sdk/src/client.ts:370 · conf 0.82
Browser storage is used for session token material
medium JRN003 Frontend API reference is not matched by discovered backend routes
www/packages/docs-ui/src/constants.tsx:320 · conf 0.74
Frontend API reference is not matched by discovered backend routes
medium JRN003 Frontend API reference is not matched by discovered backend routes
www/packages/docs-ui/src/constants.tsx:326 · conf 0.74
Frontend API reference is not matched by discovered backend routes
medium JRN003 Frontend API reference is not matched by discovered backend routes
www/packages/remark-rehype-plugins/src/change-links-md.ts:13 · conf 0.74
Frontend API reference is not matched by discovered backend routes
medium JRN003 Frontend API reference is not matched by discovered backend routes
www/packages/remark-rehype-plugins/src/change-links-md.ts:14 · conf 0.74
Frontend API reference is not matched by discovered backend routes
medium SEC007 Unsafe Deserialization
packages/cli/oas/medusa-oas-cli/src/utils/yaml-utils.ts:6 · conf 1.00
[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code.
medium WEB003 Public web service has no security.txt
.well-known/security.txt · conf 0.78
Public web service has no security.txt
medium WEB015 Public web app has no Content Security Policy
index.html · conf 0.70
Public web app has no Content Security Policy
low AIC002 Source file name looks like an AI patch artifact
packages/core/core-flows/src/customer/steps/utils/unset-address-for-update.ts:1 · conf 0.62
Source file name looks like an AI patch artifact
low AIC002 Source file name looks like an AI patch artifact
packages/core/utils/src/common/deep-copy.ts:1 · conf 0.62
Source file name looks like an AI patch artifact
low AIC002 Source file name looks like an AI patch artifact
packages/modules/order/src/utils/actions/item-update.ts:1 · conf 0.62
Source file name looks like an AI patch artifact
low AIC003 Duplicated implementation block across source files
integration-tests/http/jest.config.js:1 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
integration-tests/http/medusa-config.js:42 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
integration-tests/jest.config.js:25 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
integration-tests/modules/jest.config.js:6 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
integration-tests/modules/jest.config.js:7 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
integration-tests/modules/medusa-config.ts:168 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
integration-tests/modules/src/utils/providers/fulfillment-manual-calculated/services/manual-fulfillment.ts:1 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
packages/admin/admin-vite-plugin/src/custom-fields/generate-custom-field-forms.ts:67 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
packages/admin/admin-vite-plugin/src/custom-fields/generate-custom-field-links.ts:26 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
packages/admin/admin-vite-plugin/src/custom-fields/generate-custom-field-links.ts:27 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
packages/admin/admin-vite-plugin/src/routes/generate-routes.ts:61 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
packages/admin/dashboard/src/components/common/logo-box/logo-box.tsx:37 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
packages/admin/dashboard/src/components/data-grid/components/data-grid-number-cell.tsx:16 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
packages/admin/dashboard/src/components/data-grid/components/data-grid-text-cell.tsx:9 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
packages/admin/dashboard/src/components/data-grid/components/data-grid-text-cell.tsx:11 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
packages/admin/dashboard/src/components/data-grid/components/data-grid-toggleable-number-cell.tsx:19 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
packages/admin/dashboard/src/components/layout/pages/two-column-page/two-column-page.tsx:24 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
packages/admin/dashboard/src/components/layout/settings-layout/settings-layout.tsx:231 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
packages/admin/dashboard/src/components/layout/user-menu/user-menu.tsx:180 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
packages/admin/dashboard/src/components/layout/user-menu/user-menu.tsx:220 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
packages/admin/dashboard/src/components/table/data-table/data-table-filter/number-filter.tsx:133 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
packages/admin/dashboard/src/components/table/data-table/data-table-filter/string-filter.tsx:66 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
packages/admin/dashboard/src/components/table/data-table/data-table-order-by/data-table-order-by.tsx:26 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
packages/admin/dashboard/src/components/table/data-table/data-table-search/data-table-search.tsx:24 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
packages/admin/dashboard/src/components/table/table-cells/common/date-cell/date-cell.tsx:9 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
packages/admin/dashboard/src/components/table/table-cells/common/status-cell/status-cell.tsx:7 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
packages/admin/dashboard/src/components/table/table-cells/sales-channel/name-cell/name-cell.tsx:10 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
packages/admin/dashboard/src/components/table/view-selector/view-selector.tsx:51 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
packages/admin/dashboard/src/hooks/api/collections.tsx:3 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
packages/admin/dashboard/src/hooks/api/exchanges.tsx:165 · conf 0.86
Duplicated implementation block across source files
low AIC005 Duplicate top-level symbol appears in a patch-style file
packages/core/utils/src/dal/mikro-orm/mikro-orm-serializer-old.ts:1 · conf 0.64
Duplicate top-level symbol appears in a patch-style file
low WEB001 Public web app has no robots.txt
robots.txt · conf 0.74
Public web app has no robots.txt
low WEB002 Public web app has no sitemap
sitemap.xml · conf 0.72
Public web app has no sitemap
low WEB008 Public docs site has no llms.txt
llms.txt · conf 0.64
Public docs site has no llms.txt
low WEB011 Public web app has no humans.txt
humans.txt · conf 0.50
Public web app has no humans.txt

Reading from rp.scan + rp.finding + rp.rule (unified schema, R78 series). Legacy data path unchanged. Compare with /scan/5f88f9b1-bad0-4cff-861c-da0f06324fff/.