modelcontextprotocol/typescript-sdk

https://github.com/modelcontextprotocol/typescript-sdk · lang: typescript · LOC: · source: both

Quality: 76.1 (Grade B+)
Security: 80.4
Findings: 110 (1 critical · 64 high)
Status: completed, May 24, 2026 01:20
Severity breakdown: critical 1 · high 64 · medium 12 · low 11 · info 22
Top rules by occurrence
Rule · Severity · Count
MINED113 · Express POST/PUT/DELETE/PATCH route without auth · high · 25
MINED115 · GitHub Action pinned to mutable ref (not 40-char SHA) · high · 25
AIC003 · Duplicated implementation block across source files · low · 10
AGT012 · Agent control bridge may listen on a network interface with… · medium · 6
MINED049 · Print Pii · info · 4
MINED044 · Js Console Log Prod · info · 4
SEC020 · Secret Printed to Logs · high · 4
SEC135 · Auth/permission check missing on AI-generated endpoint · high · 4
MINED045 · Ts Non Null Assertion · info · 4
SEC029 · Server-Side Request Forgery (SSRF) — outbound HTTP from use… · high · 4
First 110 findings (severity-sorted)
critical MINED019 Ssti Jinja From String CWE-94
packages/core/src/types/guards.ts:105 · conf 1.00
[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) — full RCE via templates.
high MINED113 Express POST/PUT/DELETE/PATCH route without auth CWE-306, CWE-862
examples/server/src/jsonResponseStreamableHttp.ts:85 · conf 0.80
[MINED113] Express POST /mcp has no auth: Express route POST /mcp declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are O…
high MINED113 Express POST/PUT/DELETE/PATCH route without auth CWE-306, CWE-862
examples/server/src/resourceServerOnly.ts:76 · conf 0.80
[MINED113] Express POST /mcp has no auth: Express route POST /mcp declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are O…
high MINED113 Express POST/PUT/DELETE/PATCH route without auth CWE-306, CWE-862
examples/server/src/simpleStatelessStreamableHttp.ts:99 · conf 0.80
[MINED113] Express POST /mcp has no auth: Express route POST /mcp declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are O…
high MINED113 Express POST/PUT/DELETE/PATCH route without auth CWE-306, CWE-862
examples/server/src/simpleStatelessStreamableHttp.ts:141 · conf 0.80
[MINED113] Express DELETE /mcp has no auth: Express route DELETE /mcp declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes a…
high MINED113 Express POST/PUT/DELETE/PATCH route without auth CWE-306, CWE-862
examples/server/src/standaloneSseWithGetStreamableHttp.ts:50 · conf 0.80
[MINED113] Express POST /mcp has no auth: Express route POST /mcp declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are O…
high MINED113 Express POST/PUT/DELETE/PATCH route without auth CWE-306, CWE-862
packages/middleware/hono/test/hono.test.ts:69 · conf 0.80
[MINED113] Express POST /echo has no auth: Express route POST /echo declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are…
high MINED113 Express POST/PUT/DELETE/PATCH route without auth CWE-306, CWE-862
packages/middleware/hono/test/hono.test.ts:82 · conf 0.80
[MINED113] Express POST /echo has no auth: Express route POST /echo declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are…
high MINED113 Express POST/PUT/DELETE/PATCH route without auth CWE-306, CWE-862
packages/middleware/hono/test/hono.test.ts:99 · conf 0.80
[MINED113] Express POST /echo has no auth: Express route POST /echo declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are…
high MINED113 Express POST/PUT/DELETE/PATCH route without auth CWE-306, CWE-862
packages/middleware/node/src/streamableHttp.examples.ts:52 · conf 0.80
[MINED113] Express POST /mcp has no auth: Express route POST /mcp declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are O…
high MINED113 Express POST/PUT/DELETE/PATCH route without auth CWE-306, CWE-862
packages/middleware/node/src/streamableHttp.ts:62 · conf 0.80
[MINED113] Express POST /mcp has no auth: Express route POST /mcp declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are O…
high MINED113 Express POST/PUT/DELETE/PATCH route without auth CWE-306, CWE-862
scripts/cli.ts:84 · conf 0.80
[MINED113] Express POST /message has no auth: Express route POST /message declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated rout…
high MINED113 Express POST/PUT/DELETE/PATCH route without auth CWE-306, CWE-862
test/conformance/src/authTestServer.ts:293 · conf 0.80
[MINED113] Express POST /mcp has no auth: Express route POST /mcp declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are O…
high MINED113 Express POST/PUT/DELETE/PATCH route without auth CWE-306, CWE-862
test/conformance/src/authTestServer.ts:389 · conf 0.80
[MINED113] Express DELETE /mcp has no auth: Express route DELETE /mcp declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes a…
high MINED113 Express POST/PUT/DELETE/PATCH route without auth CWE-306, CWE-862
test/conformance/src/everythingServer.ts:893 · conf 0.80
[MINED113] Express POST /mcp has no auth: Express route POST /mcp declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are O…
high MINED113 Express POST/PUT/DELETE/PATCH route without auth CWE-306, CWE-862
test/conformance/src/everythingServer.ts:996 · conf 0.80
[MINED113] Express DELETE /mcp has no auth: Express route DELETE /mcp declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes a…
high MINED113 Express POST/PUT/DELETE/PATCH route without auth CWE-306, CWE-862
test/integration/test/server.test.ts:2209 · conf 0.80
[MINED113] Express POST /test has no auth: Express route POST /test declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are…
high MINED113 Express POST/PUT/DELETE/PATCH route without auth CWE-306, CWE-862
test/integration/test/server.test.ts:2221 · conf 0.80
[MINED113] Express POST /test has no auth: Express route POST /test declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are…
high MINED113 Express POST/PUT/DELETE/PATCH route without auth CWE-306, CWE-862
test/integration/test/server.test.ts:2240 · conf 0.80
[MINED113] Express POST /test has no auth: Express route POST /test declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are…
high MINED113 Express POST/PUT/DELETE/PATCH route without auth CWE-306, CWE-862
test/integration/test/server.test.ts:2252 · conf 0.80
[MINED113] Express POST /test has no auth: Express route POST /test declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are…
high MINED113 Express POST/PUT/DELETE/PATCH route without auth CWE-306, CWE-862
test/integration/test/server.test.ts:2264 · conf 0.80
[MINED113] Express POST /test has no auth: Express route POST /test declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are…
high MINED113 Express POST/PUT/DELETE/PATCH route without auth CWE-306, CWE-862
test/integration/test/server.test.ts:2277 · conf 0.80
[MINED113] Express POST /test has no auth: Express route POST /test declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are…
high MINED113 Express POST/PUT/DELETE/PATCH route without auth CWE-306, CWE-862
test/integration/test/server.test.ts:2289 · conf 0.80
[MINED113] Express POST /test has no auth: Express route POST /test declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are…
high MINED113 Express POST/PUT/DELETE/PATCH route without auth CWE-306, CWE-862
test/integration/test/server.test.ts:2301 · conf 0.80
[MINED113] Express POST /test has no auth: Express route POST /test declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are…
high MINED113 Express POST/PUT/DELETE/PATCH route without auth CWE-306, CWE-862
test/integration/test/server.test.ts:2328 · conf 0.80
[MINED113] Express POST /test has no auth: Express route POST /test declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are…
high MINED113 Express POST/PUT/DELETE/PATCH route without auth CWE-306, CWE-862
test/integration/test/server.test.ts:2348 · conf 0.80
[MINED113] Express POST /test has no auth: Express route POST /test declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/claude.yml:30 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/claude.yml:36 · conf 0.90
[MINED115] Action `anthropics/claude-code-action` pinned to mutable ref `@v1`: `uses: anthropics/claude-code-action@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/conformance.yml:21 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/conformance.yml:26 · conf 0.90
[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/conformance.yml:39 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/conformance.yml:44 · conf 0.90
[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/deploy-docs.yml:28 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/deploy-docs.yml:34 · conf 0.90
[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/deploy-docs.yml:44 · conf 0.90
[MINED115] Action `actions/configure-pages` pinned to mutable ref `@v6`: `uses: actions/configure-pages@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/deploy-docs.yml:47 · conf 0.90
[MINED115] Action `actions/upload-pages-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-pages-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/deploy-docs.yml:53 · conf 0.90
[MINED115] Action `actions/deploy-pages` pinned to mutable ref `@v5`: `uses: actions/deploy-pages@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made …
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/main.yml:17 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/main.yml:24 · conf 0.90
[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/main.yml:42 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/main.yml:49 · conf 0.90
[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/main.yml:70 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/main.yml:75 · conf 0.90
[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/publish.yml:19 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/publish.yml:27 · conf 0.90
[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/release.yml:20 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/release.yml:28 · conf 0.90
[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/release.yml:53 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/release.yml:61 · conf 0.90
[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/update-spec-types.yml:18 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/update-spec-types.yml:27 · conf 0.90
[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …
high SEC020 Secret Printed to Logs
examples/client/src/ssePollingClient.ts:85 · conf 0.85
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…
high SEC020 Secret Printed to Logs
examples/shared/src/auth.ts:158 · conf 0.92
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…
high SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
examples/client/src/multipleClientsParallel.ts:32 · conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
high SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
examples/client/src/parallelToolCallsClient.ts:36 · conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
high SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
examples/client/src/simpleClientCredentials.ts:64 · conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
high SEC040 innerHTML XSS — template literal with server-supplied data
packages/client/src/client/middleware.ts:170 · conf 1.00
[SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect…
high SEC040 innerHTML XSS — template literal with server-supplied data
packages/codemod/scripts/generateSpecSchemaMap.ts:24 · conf 1.00
[SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect…
high SEC040 innerHTML XSS — template literal with server-supplied data
packages/codemod/scripts/generateVersions.ts:24 · conf 1.00
[SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect…
high SEC083 JS: new RegExp() with non-literal
packages/core/src/shared/uriTemplate.ts:274 · conf 1.00
[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) — variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0).
high SEC100 CORS permissive Access-Control-Allow-Origin: *
examples/server/src/honoWebStandardStreamableHttp.ts:47 · conf 1.00
[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. Especially dangerous when combined with `A…
high SEC128 Async function without await — fire-and-forget Promise (AI mistake)
packages/core/src/experimental/tasks/stores/inMemory.ts:68 · conf 1.00
[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…
high SEC135 Auth/permission check missing on AI-generated endpoint
examples/server/src/jsonResponseStreamableHttp.ts:85 · conf 1.00
[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we…
high SEC135 Auth/permission check missing on AI-generated endpoint
examples/server/src/simpleStatelessStreamableHttp.ts:99 · conf 1.00
[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we…
high SEC135 Auth/permission check missing on AI-generated endpoint
examples/server/src/standaloneSseWithGetStreamableHttp.ts:50 · conf 1.00
[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we…
medium AGT012 Agent control bridge may listen on a network interface without visible auth
examples/server/src/serverGuide.examples.ts:13 · conf 0.72
Agent control bridge may listen on a network interface without visible auth
medium AGT012 Agent control bridge may listen on a network interface without visible auth
packages/middleware/express/src/express.examples.ts:2 · conf 0.72
Agent control bridge may listen on a network interface without visible auth
medium AGT012 Agent control bridge may listen on a network interface without visible auth
packages/middleware/express/src/express.ts:1 · conf 0.72
Agent control bridge may listen on a network interface without visible auth
medium AGT012 Agent control bridge may listen on a network interface without visible auth
packages/middleware/fastify/src/fastify.examples.ts:2 · conf 0.72
Agent control bridge may listen on a network interface without visible auth
medium AGT012 Agent control bridge may listen on a network interface without visible auth
packages/middleware/fastify/src/fastify.ts:1 · conf 0.72
Agent control bridge may listen on a network interface without visible auth
medium AGT012 Agent control bridge may listen on a network interface without visible auth
packages/middleware/hono/src/hono.ts:19 · conf 0.72
Agent control bridge may listen on a network interface without visible auth
medium AUC001 No Repobility access matrix policy found
· conf 0.92
[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
medium AUC009 Sensitive function route lacks elevated authorization evidence
packages/middleware/express/src/auth/metadataRouter.ts:56 · conf 0.68
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /items/{item_id}.
medium AUC009 Sensitive function route lacks elevated authorization evidence
packages/middleware/node/src/streamableHttp.ts:62 · conf 0.68
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /items/{item_id}.
medium JRN003 Frontend API reference is not matched by discovered backend routes
packages/core/src/shared/authUtils.ts:49 · conf 0.74
Frontend API reference is not matched by discovered backend routes
medium JRN003 Frontend API reference is not matched by discovered backend routes
packages/core/src/shared/authUtils.ts:50 · conf 0.74
Frontend API reference is not matched by discovered backend routes
medium SEC045 eval()/exec() on stored or user-supplied data
examples/shared/src/auth.ts:42 · conf 1.00
[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …
low AIC003 Duplicated implementation block across source files
packages/client/src/client/streamableHttp.ts:117 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
packages/middleware/fastify/tsdown.config.ts:1 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
packages/middleware/hono/tsdown.config.ts:1 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
packages/middleware/node/tsdown.config.ts:5 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
packages/server/src/experimental/tasks/server.ts:24 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
packages/server/src/server/server.ts:166 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
packages/server/src/server/server.ts:356 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
packages/server/src/server/stdio.ts:38 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
packages/server/tsdown.config.ts:5 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
test/conformance/src/everythingServer.ts:781 · conf 0.86
Duplicated implementation block across source files
low WEB005 robots.txt does not advertise a sitemap
pnpm-lock.yaml · conf 0.74
robots.txt does not advertise a sitemap
info MINED043 Http Not Https CWE-319
packages/server/src/server/middleware/hostHeaderValidation.ts:25 · conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
info MINED044 Js Console Log Prod CWE-532
· conf 0.20
[MINED044] Js Console Log Prod (and 35 more): Same pattern found in 35 additional files. Review if needed.
info MINED044 Js Console Log Prod CWE-532
examples/client-quickstart/src/index.ts:50 · conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
info MINED044 Js Console Log Prod CWE-532
examples/client/src/customMethodExample.ts:17 · conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
info MINED044 Js Console Log Prod CWE-532
examples/client/src/dualModeAuth.ts:74 · conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
info MINED045 Ts Non Null Assertion CWE-476
· conf 0.20
[MINED045] Ts Non Null Assertion (and 6 more): Same pattern found in 6 additional files. Review if needed.
info MINED045 Ts Non Null Assertion CWE-476
examples/server/src/honoWebStandardStreamableHttp.ts:33 · conf 1.00
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
info MINED045 Ts Non Null Assertion CWE-476
examples/server/src/standaloneSseWithGetStreamableHttp.ts:159 · conf 1.00
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
info MINED045 Ts Non Null Assertion CWE-476
packages/codemod/scripts/generateSpecSchemaMap.ts:14 · conf 1.00
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
info MINED049 Print Pii CWE-532
· conf 0.20
[MINED049] Print Pii (and 1 more): Same pattern found in 1 additional files. Review if needed.
info MINED049 Print Pii CWE-532
examples/client-quickstart/src/index.ts:170 · conf 1.00
[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.
info MINED049 Print Pii CWE-532
examples/client/src/simpleClientCredentials.ts:52 · conf 1.00
[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.
info MINED049 Print Pii CWE-532
examples/client/src/ssePollingClient.ts:85 · conf 1.00
[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.
info MINED054 Ts As Any CWE-704
examples/shared/src/auth.ts:218 · conf 1.00
[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.
info MINED055 Npm Install No Lockfile CWE-1357
scripts/generate-multidoc.sh:44 · conf 1.00
[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci.
info MINED074 Ai Tell Fake Citation
packages/client/src/client/middleware.examples.ts:27 · conf 1.00
[MINED074] Ai Tell Fake Citation: Plausible-looking but non-existent URLs (e.g., docs.example.com/v2). Common AI hallucination.
info SEC020 Secret Printed to Logs
· conf 0.20
[SEC020] Secret Printed to Logs (and 4 more): Same pattern found in 4 additional files. Review if needed.
info SEC020 Secret Printed to Logs
examples/client/src/dualModeAuth.ts:96 · conf 0.15
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…
info SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
· conf 0.20
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input (and 13 more): Same pattern found in 13 additional files. Review if needed.
info SEC118 UUIDv1 / UUIDv3 used for security-sensitive identifier
packages/core/src/experimental/tasks/stores/inMemory.ts:31 · conf 0.10
[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable.
info SEC118 UUIDv1 / UUIDv3 used for security-sensitive identifier
packages/server/src/server/streamableHttp.examples.ts:21 · conf 0.10
[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable.
info SEC135 Auth/permission check missing on AI-generated endpoint
· conf 0.20
[SEC135] Auth/permission check missing on AI-generated endpoint (and 2 more): Same pattern found in 2 additional files. Review if needed.