# Security Audit Report - Framework detected: react-spa - Total findings: 70 - Critical: 0, High: 68, Medium: 2, Low: 0 ## Executive summary This report is evidence-oriented. Findings marked probable or manual-review should be validated in source context before remediation planning is finalized. ## Critical _No findings._ ## High #### Potential SSRF pattern - Severity: high - Confidence: low - Status: manual-review - Evidence: Server-side outbound request - Impact: Attacker may force calls to internal or unintended hosts - Files: src/App.tsx (Line: 413) - Recommended fix: Enforce host allowlists and validate URLs before outbound requests. #### Potential SSRF pattern - Severity: high - Confidence: low - Status: manual-review - Evidence: Server-side outbound request - Impact: Attacker may force calls to internal or unintended hosts - Files: src/pages/AdminUsers.tsx (Line: 28) - Recommended fix: Enforce host allowlists and validate URLs before outbound requests. #### Potential SSRF pattern - Severity: high - Confidence: low - Status: manual-review - Evidence: Server-side outbound request - Impact: Attacker may force calls to internal or unintended hosts - Files: src/pages/AdminUsers.tsx (Line: 40) - Recommended fix: Enforce host allowlists and validate URLs before outbound requests. #### Potential SSRF pattern - Severity: high - Confidence: low - Status: manual-review - Evidence: Server-side outbound request - Impact: Attacker may force calls to internal or unintended hosts - Files: src/pages/AdminUsers.tsx (Line: 58) - Recommended fix: Enforce host allowlists and validate URLs before outbound requests. #### Potential SSRF pattern - Severity: high - Confidence: low - Status: manual-review - Evidence: Server-side outbound request - Impact: Attacker may force calls to internal or unintended hosts - Files: src/pages/AdminUsers.tsx (Line: 91) - Recommended fix: Enforce host allowlists and validate URLs before outbound requests. #### Potential SSRF pattern - Severity: high - Confidence: low - Status: manual-review - Evidence: Server-side outbound request - Impact: Attacker may force calls to internal or unintended hosts - Files: src/pages/AdminUsers.tsx (Line: 103) - Recommended fix: Enforce host allowlists and validate URLs before outbound requests. #### Potential SSRF pattern - Severity: high - Confidence: low - Status: manual-review - Evidence: Server-side outbound request - Impact: Attacker may force calls to internal or unintended hosts - Files: src/pages/Claims.tsx (Line: 127) - Recommended fix: Enforce host allowlists and validate URLs before outbound requests. #### Potential SSRF pattern - Severity: high - Confidence: low - Status: manual-review - Evidence: Server-side outbound request - Impact: Attacker may force calls to internal or unintended hosts - Files: src/pages/Claims.tsx (Line: 139) - Recommended fix: Enforce host allowlists and validate URLs before outbound requests. #### Potential SSRF pattern - Severity: high - Confidence: low - Status: manual-review - Evidence: Server-side outbound request - Impact: Attacker may force calls to internal or unintended hosts - Files: src/pages/Claims.tsx (Line: 183) - Recommended fix: Enforce host allowlists and validate URLs before outbound requests. #### Potential SSRF pattern - Severity: high - Confidence: low - Status: manual-review - Evidence: Server-side outbound request - Impact: Attacker may force calls to internal or unintended hosts - Files: src/pages/Login.tsx (Line: 19) - Recommended fix: Enforce host allowlists and validate URLs before outbound requests. #### Potential SSRF pattern - Severity: high - Confidence: low - Status: manual-review - Evidence: Server-side outbound request - Impact: Attacker may force calls to internal or unintended hosts - Files: src/pages/Orders.tsx (Line: 36) - Recommended fix: Enforce host allowlists and validate URLs before outbound requests. #### Potential SSRF pattern - Severity: high - Confidence: low - Status: manual-review - Evidence: Server-side outbound request - Impact: Attacker may force calls to internal or unintended hosts - Files: src/pages/Orders.tsx (Line: 52) - Recommended fix: Enforce host allowlists and validate URLs before outbound requests. #### Potential SSRF pattern - Severity: high - Confidence: low - Status: manual-review - Evidence: Server-side outbound request - Impact: Attacker may force calls to internal or unintended hosts - Files: src/pages/Orders.tsx (Line: 68) - Recommended fix: Enforce host allowlists and validate URLs before outbound requests. #### Potential SSRF pattern - Severity: high - Confidence: low - Status: manual-review - Evidence: Server-side outbound request - Impact: Attacker may force calls to internal or unintended hosts - Files: src/pages/Plugins.tsx (Line: 30) - Recommended fix: Enforce host allowlists and validate URLs before outbound requests. #### Potential SSRF pattern - Severity: high - Confidence: low - Status: manual-review - Evidence: Server-side outbound request - Impact: Attacker may force calls to internal or unintended hosts - Files: src/pages/Plugins.tsx (Line: 42) - Recommended fix: Enforce host allowlists and validate URLs before outbound requests. #### Potential SSRF pattern - Severity: high - Confidence: low - Status: manual-review - Evidence: Server-side outbound request - Impact: Attacker may force calls to internal or unintended hosts - Files: src/pages/Plugins.tsx (Line: 49) - Recommended fix: Enforce host allowlists and validate URLs before outbound requests. #### Potential SSRF pattern - Severity: high - Confidence: low - Status: manual-review - Evidence: Server-side outbound request - Impact: Attacker may force calls to internal or unintended hosts - Files: src/pages/Plugins.tsx (Line: 124) - Recommended fix: Enforce host allowlists and validate URLs before outbound requests. #### Potential SSRF pattern - Severity: high - Confidence: low - Status: manual-review - Evidence: Server-side outbound request - Impact: Attacker may force calls to internal or unintended hosts - Files: src/pages/Promotions.tsx (Line: 24) - Recommended fix: Enforce host allowlists and validate URLs before outbound requests. #### Potential SSRF pattern - Severity: high - Confidence: low - Status: manual-review - Evidence: Server-side outbound request - Impact: Attacker may force calls to internal or unintended hosts - Files: src/pages/Promotions.tsx (Line: 32) - Recommended fix: Enforce host allowlists and validate URLs before outbound requests. #### Potential SSRF pattern - Severity: high - Confidence: low - Status: manual-review - Evidence: Server-side outbound request - Impact: Attacker may force calls to internal or unintended hosts - Files: src/pages/Promotions.tsx (Line: 69) - Recommended fix: Enforce host allowlists and validate URLs before outbound requests. #### Potential SSRF pattern - Severity: high - Confidence: low - Status: manual-review - Evidence: Server-side outbound request - Impact: Attacker may force calls to internal or unintended hosts - Files: src/pages/Promotions.tsx (Line: 82) - Recommended fix: Enforce host allowlists and validate URLs before outbound requests. #### Potential SSRF pattern - Severity: high - Confidence: low - Status: manual-review - Evidence: Server-side outbound request - Impact: Attacker may force calls to internal or unintended hosts - Files: src/pages/Promotions.tsx (Line: 97) - Recommended fix: Enforce host allowlists and validate URLs before outbound requests. #### Potential SSRF pattern - Severity: high - Confidence: low - Status: manual-review - Evidence: Server-side outbound request - Impact: Attacker may force calls to internal or unintended hosts - Files: src/pages/Raffles.tsx (Line: 26) - Recommended fix: Enforce host allowlists and validate URLs before outbound requests. #### Potential SSRF pattern - Severity: high - Confidence: low - Status: manual-review - Evidence: Server-side outbound request - Impact: Attacker may force calls to internal or unintended hosts - Files: src/pages/Raffles.tsx (Line: 34) - Recommended fix: Enforce host allowlists and validate URLs before outbound requests. #### Potential SSRF pattern - Severity: high - Confidence: low - Status: manual-review - Evidence: Server-side outbound request - Impact: Attacker may force calls to internal or unintended hosts - Files: src/pages/Raffles.tsx (Line: 84) - Recommended fix: Enforce host allowlists and validate URLs before outbound requests. #### Potential SSRF pattern - Severity: high - Confidence: low - Status: manual-review - Evidence: Server-side outbound request - Impact: Attacker may force calls to internal or unintended hosts - Files: src/pages/Raffles.tsx (Line: 102) - Recommended fix: Enforce host allowlists and validate URLs before outbound requests. #### Potential SSRF pattern - Severity: high - Confidence: low - Status: manual-review - Evidence: Server-side outbound request - Impact: Attacker may force calls to internal or unintended hosts - Files: src/pages/Raffles.tsx (Line: 112) - Recommended fix: Enforce host allowlists and validate URLs before outbound requests. #### Server boundary without obvious input validation - Severity: high - Confidence: low - Status: manual-review - Evidence: Request input usage - Impact: Malformed or hostile input may reach sensitive logic - Files: src/pages/Settings.tsx (Line: 56) - Recommended fix: Validate request data at the server boundary with a schema. #### Potential SSRF pattern - Severity: high - Confidence: low - Status: manual-review - Evidence: Server-side outbound request - Impact: Attacker may force calls to internal or unintended hosts - Files: src/pages/Users.tsx (Line: 22) - Recommended fix: Enforce host allowlists and validate URLs before outbound requests. #### Potential SSRF pattern - Severity: high - Confidence: low - Status: manual-review - Evidence: Server-side outbound request - Impact: Attacker may force calls to internal or unintended hosts - Files: src/pages/Users.tsx (Line: 30) - Recommended fix: Enforce host allowlists and validate URLs before outbound requests. #### Potential SSRF pattern - Severity: high - Confidence: low - Status: manual-review - Evidence: Server-side outbound request - Impact: Attacker may force calls to internal or unintended hosts - Files: src/pages/Users.tsx (Line: 85) - Recommended fix: Enforce host allowlists and validate URLs before outbound requests. #### Potential SSRF pattern - Severity: high - Confidence: low - Status: manual-review - Evidence: Server-side outbound request - Impact: Attacker may force calls to internal or unintended hosts - Files: src/pages/Users.tsx (Line: 95) - Recommended fix: Enforce host allowlists and validate URLs before outbound requests. #### Potential SSRF pattern - Severity: high - Confidence: low - Status: manual-review - Evidence: Server-side outbound request - Impact: Attacker may force calls to internal or unintended hosts - Files: src/pages/WhatsAppInbox.tsx (Line: 665) - Recommended fix: Enforce host allowlists and validate URLs before outbound requests. #### Potential SSRF pattern - Severity: high - Confidence: low - Status: manual-review - Evidence: Server-side outbound request - Impact: Attacker may force calls to internal or unintended hosts - Files: src/pages/WhatsAppInbox.tsx (Line: 675) - Recommended fix: Enforce host allowlists and validate URLs before outbound requests. #### Potential SSRF pattern - Severity: high - Confidence: low - Status: manual-review - Evidence: Server-side outbound request - Impact: Attacker may force calls to internal or unintended hosts - Files: src/pages/WhatsAppInbox.tsx (Line: 934) - Recommended fix: Enforce host allowlists and validate URLs before outbound requests. #### Potential SSRF pattern - Severity: high - Confidence: low - Status: manual-review - Evidence: Server-side outbound request - Impact: Attacker may force calls to internal or unintended hosts - Files: src/pages/WhatsAppLogs.tsx (Line: 56) - Recommended fix: Enforce host allowlists and validate URLs before outbound requests. #### Server boundary without obvious input validation - Severity: high - Confidence: low - Status: manual-review - Evidence: Request input usage - Impact: Malformed or hostile input may reach sensitive logic - Files: src/pages/WhatsAppLogs.tsx (Line: 58) - Recommended fix: Validate request data at the server boundary with a schema. #### Potential SSRF pattern - Severity: high - Confidence: low - Status: manual-review - Evidence: Server-side outbound request - Impact: Attacker may force calls to internal or unintended hosts - Files: src/pages/WhatsAppLogs.tsx (Line: 62) - Recommended fix: Enforce host allowlists and validate URLs before outbound requests. #### Potential SSRF pattern - Severity: high - Confidence: low - Status: manual-review - Evidence: Server-side outbound request - Impact: Attacker may force calls to internal or unintended hosts - Files: src/pages/WhatsAppLogs.tsx (Line: 143) - Recommended fix: Enforce host allowlists and validate URLs before outbound requests. #### Server boundary without obvious input validation - Severity: high - Confidence: low - Status: manual-review - Evidence: Request input usage - Impact: Malformed or hostile input may reach sensitive logic - Files: src/pages/WhatsAppLogs.tsx (Line: 146) - Recommended fix: Validate request data at the server boundary with a schema. #### Potential SSRF pattern - Severity: high - Confidence: low - Status: manual-review - Evidence: Server-side outbound request - Impact: Attacker may force calls to internal or unintended hosts - Files: src/pages/WhatsAppLogs.tsx (Line: 151) - Recommended fix: Enforce host allowlists and validate URLs before outbound requests. #### Potential SSRF pattern - Severity: high - Confidence: low - Status: manual-review - Evidence: Server-side outbound request - Impact: Attacker may force calls to internal or unintended hosts - Files: src/pages/WhatsAppLogs.tsx (Line: 161) - Recommended fix: Enforce host allowlists and validate URLs before outbound requests. #### Potential SSRF pattern - Severity: high - Confidence: low - Status: manual-review - Evidence: Server-side outbound request - Impact: Attacker may force calls to internal or unintended hosts - Files: src/pages/WhatsAppLogs.tsx (Line: 193) - Recommended fix: Enforce host allowlists and validate URLs before outbound requests. #### Server boundary without obvious input validation - Severity: high - Confidence: low - Status: manual-review - Evidence: Request input usage - Impact: Malformed or hostile input may reach sensitive logic - Files: src/pages/WhatsAppLogs.tsx (Line: 196) - Recommended fix: Validate request data at the server boundary with a schema. #### Potential SSRF pattern - Severity: high - Confidence: low - Status: manual-review - Evidence: Server-side outbound request - Impact: Attacker may force calls to internal or unintended hosts - Files: src/pages/WhatsAppLogs.tsx (Line: 203) - Recommended fix: Enforce host allowlists and validate URLs before outbound requests. #### Potential SSRF pattern - Severity: high - Confidence: low - Status: manual-review - Evidence: Server-side outbound request - Impact: Attacker may force calls to internal or unintended hosts - Files: src/pages/WhatsAppLogs.tsx (Line: 242) - Recommended fix: Enforce host allowlists and validate URLs before outbound requests. #### Server boundary without obvious input validation - Severity: high - Confidence: low - Status: manual-review - Evidence: Request input usage - Impact: Malformed or hostile input may reach sensitive logic - Files: src/pages/WhatsAppWebhooks.tsx (Line: 135) - Recommended fix: Validate request data at the server boundary with a schema. #### Potential SSRF pattern - Severity: high - Confidence: low - Status: manual-review - Evidence: Server-side outbound request - Impact: Attacker may force calls to internal or unintended hosts - Files: src/services/api.ts (Line: 3) - Recommended fix: Enforce host allowlists and validate URLs before outbound requests. #### Server boundary without obvious input validation - Severity: high - Confidence: low - Status: manual-review - Evidence: Request input usage - Impact: Malformed or hostile input may reach sensitive logic - Files: src/services/api.ts (Line: 19) - Recommended fix: Validate request data at the server boundary with a schema. #### Server boundary without obvious input validation - Severity: high - Confidence: low - Status: manual-review - Evidence: Request input usage - Impact: Malformed or hostile input may reach sensitive logic - Files: src/services/api.ts (Line: 23) - Recommended fix: Validate request data at the server boundary with a schema. #### Server boundary without obvious input validation - Severity: high - Confidence: low - Status: manual-review - Evidence: Request input usage - Impact: Malformed or hostile input may reach sensitive logic - Files: src/services/api.ts (Line: 32) - Recommended fix: Validate request data at the server boundary with a schema. #### Server boundary without obvious input validation - Severity: high - Confidence: low - Status: manual-review - Evidence: Request input usage - Impact: Malformed or hostile input may reach sensitive logic - Files: src/services/api.ts (Line: 39) - Recommended fix: Validate request data at the server boundary with a schema. #### Server boundary without obvious input validation - Severity: high - Confidence: low - Status: manual-review - Evidence: Request input usage - Impact: Malformed or hostile input may reach sensitive logic - Files: src/services/api.ts (Line: 45) - Recommended fix: Validate request data at the server boundary with a schema. #### Server boundary without obvious input validation - Severity: high - Confidence: low - Status: manual-review - Evidence: Request input usage - Impact: Malformed or hostile input may reach sensitive logic - Files: src/services/api.ts (Line: 54) - Recommended fix: Validate request data at the server boundary with a schema. #### Server boundary without obvious input validation - Severity: high - Confidence: low - Status: manual-review - Evidence: Request input usage - Impact: Malformed or hostile input may reach sensitive logic - Files: src/services/api.ts (Line: 59) - Recommended fix: Validate request data at the server boundary with a schema. #### Server boundary without obvious input validation - Severity: high - Confidence: low - Status: manual-review - Evidence: Request input usage - Impact: Malformed or hostile input may reach sensitive logic - Files: src/services/api.ts (Line: 68) - Recommended fix: Validate request data at the server boundary with a schema. #### Server boundary without obvious input validation - Severity: high - Confidence: low - Status: manual-review - Evidence: Request input usage - Impact: Malformed or hostile input may reach sensitive logic - Files: src/services/api.ts (Line: 73) - Recommended fix: Validate request data at the server boundary with a schema. #### Server boundary without obvious input validation - Severity: high - Confidence: low - Status: manual-review - Evidence: Request input usage - Impact: Malformed or hostile input may reach sensitive logic - Files: src/services/api.ts (Line: 79) - Recommended fix: Validate request data at the server boundary with a schema. #### Server boundary without obvious input validation - Severity: high - Confidence: low - Status: manual-review - Evidence: Request input usage - Impact: Malformed or hostile input may reach sensitive logic - Files: src/services/api.ts (Line: 81) - Recommended fix: Validate request data at the server boundary with a schema. #### Server boundary without obvious input validation - Severity: high - Confidence: low - Status: manual-review - Evidence: Request input usage - Impact: Malformed or hostile input may reach sensitive logic - Files: src/services/api.ts (Line: 86) - Recommended fix: Validate request data at the server boundary with a schema. #### Server boundary without obvious input validation - Severity: high - Confidence: low - Status: manual-review - Evidence: Request input usage - Impact: Malformed or hostile input may reach sensitive logic - Files: src/services/api.ts (Line: 90) - Recommended fix: Validate request data at the server boundary with a schema. #### Server boundary without obvious input validation - Severity: high - Confidence: low - Status: manual-review - Evidence: Request input usage - Impact: Malformed or hostile input may reach sensitive logic - Files: src/services/api.ts (Line: 100) - Recommended fix: Validate request data at the server boundary with a schema. #### Server boundary without obvious input validation - Severity: high - Confidence: low - Status: manual-review - Evidence: Request input usage - Impact: Malformed or hostile input may reach sensitive logic - Files: src/services/api.ts (Line: 107) - Recommended fix: Validate request data at the server boundary with a schema. #### Potential SSRF pattern - Severity: high - Confidence: low - Status: manual-review - Evidence: Server-side outbound request - Impact: Attacker may force calls to internal or unintended hosts - Files: src/services/api.ts (Line: 115) - Recommended fix: Enforce host allowlists and validate URLs before outbound requests. #### Potential SSRF pattern - Severity: high - Confidence: low - Status: manual-review - Evidence: Server-side outbound request - Impact: Attacker may force calls to internal or unintended hosts - Files: src/services/api.ts (Line: 126) - Recommended fix: Enforce host allowlists and validate URLs before outbound requests. #### Server boundary without obvious input validation - Severity: high - Confidence: low - Status: manual-review - Evidence: Request input usage - Impact: Malformed or hostile input may reach sensitive logic - Files: src/services/api.ts (Line: 140) - Recommended fix: Validate request data at the server boundary with a schema. #### Server boundary without obvious input validation - Severity: high - Confidence: low - Status: manual-review - Evidence: Request input usage - Impact: Malformed or hostile input may reach sensitive logic - Files: src/services/api.ts (Line: 143) - Recommended fix: Validate request data at the server boundary with a schema. #### Server boundary without obvious input validation - Severity: high - Confidence: low - Status: manual-review - Evidence: Request input usage - Impact: Malformed or hostile input may reach sensitive logic - Files: src/services/api.ts (Line: 153) - Recommended fix: Validate request data at the server boundary with a schema. ## Medium #### Vulnerable dependency: esbuild - Severity: medium - Confidence: high - Status: confirmed - Evidence: npm audit reported moderate vulnerability in esbuild - Impact: May expose application to known CVE exploits - Files: package.json (Line: 1) - Recommended fix: Run npm audit fix or manually update esbuild. #### Vulnerable dependency: vite - Severity: medium - Confidence: high - Status: confirmed - Evidence: npm audit reported moderate vulnerability in vite - Impact: May expose application to known CVE exploits - Files: package.json (Line: 1) - Recommended fix: Run npm audit fix or manually update vite. ## Low _No findings._ ## Manual review checklist - Verify authz on admin and privileged routes. - Verify whether raw queries are parameterized upstream. - Verify whether shared sanitization utilities are applied before dangerous HTML or LLM calls. - Verify token handling and public env variables in client bundles.