Files

23 KiB

Security Audit Report

  • Framework detected: react-spa
  • Total findings: 70
  • Critical: 0, High: 68, Medium: 2, Low: 0

Executive summary

This report is evidence-oriented. Findings marked probable or manual-review should be validated in source context before remediation planning is finalized.

Critical

No findings.

High

Potential SSRF pattern

  • Severity: high
  • Confidence: low
  • Status: manual-review
  • Evidence: Server-side outbound request
  • Impact: Attacker may force calls to internal or unintended hosts
  • Files: src/App.tsx (Line: 413)
  • Recommended fix: Enforce host allowlists and validate URLs before outbound requests.

Potential SSRF pattern

  • Severity: high
  • Confidence: low
  • Status: manual-review
  • Evidence: Server-side outbound request
  • Impact: Attacker may force calls to internal or unintended hosts
  • Files: src/pages/AdminUsers.tsx (Line: 28)
  • Recommended fix: Enforce host allowlists and validate URLs before outbound requests.

Potential SSRF pattern

  • Severity: high
  • Confidence: low
  • Status: manual-review
  • Evidence: Server-side outbound request
  • Impact: Attacker may force calls to internal or unintended hosts
  • Files: src/pages/AdminUsers.tsx (Line: 40)
  • Recommended fix: Enforce host allowlists and validate URLs before outbound requests.

Potential SSRF pattern

  • Severity: high
  • Confidence: low
  • Status: manual-review
  • Evidence: Server-side outbound request
  • Impact: Attacker may force calls to internal or unintended hosts
  • Files: src/pages/AdminUsers.tsx (Line: 58)
  • Recommended fix: Enforce host allowlists and validate URLs before outbound requests.

Potential SSRF pattern

  • Severity: high
  • Confidence: low
  • Status: manual-review
  • Evidence: Server-side outbound request
  • Impact: Attacker may force calls to internal or unintended hosts
  • Files: src/pages/AdminUsers.tsx (Line: 91)
  • Recommended fix: Enforce host allowlists and validate URLs before outbound requests.

Potential SSRF pattern

  • Severity: high
  • Confidence: low
  • Status: manual-review
  • Evidence: Server-side outbound request
  • Impact: Attacker may force calls to internal or unintended hosts
  • Files: src/pages/AdminUsers.tsx (Line: 103)
  • Recommended fix: Enforce host allowlists and validate URLs before outbound requests.

Potential SSRF pattern

  • Severity: high
  • Confidence: low
  • Status: manual-review
  • Evidence: Server-side outbound request
  • Impact: Attacker may force calls to internal or unintended hosts
  • Files: src/pages/Claims.tsx (Line: 127)
  • Recommended fix: Enforce host allowlists and validate URLs before outbound requests.

Potential SSRF pattern

  • Severity: high
  • Confidence: low
  • Status: manual-review
  • Evidence: Server-side outbound request
  • Impact: Attacker may force calls to internal or unintended hosts
  • Files: src/pages/Claims.tsx (Line: 139)
  • Recommended fix: Enforce host allowlists and validate URLs before outbound requests.

Potential SSRF pattern

  • Severity: high
  • Confidence: low
  • Status: manual-review
  • Evidence: Server-side outbound request
  • Impact: Attacker may force calls to internal or unintended hosts
  • Files: src/pages/Claims.tsx (Line: 183)
  • Recommended fix: Enforce host allowlists and validate URLs before outbound requests.

Potential SSRF pattern

  • Severity: high
  • Confidence: low
  • Status: manual-review
  • Evidence: Server-side outbound request
  • Impact: Attacker may force calls to internal or unintended hosts
  • Files: src/pages/Login.tsx (Line: 19)
  • Recommended fix: Enforce host allowlists and validate URLs before outbound requests.

Potential SSRF pattern

  • Severity: high
  • Confidence: low
  • Status: manual-review
  • Evidence: Server-side outbound request
  • Impact: Attacker may force calls to internal or unintended hosts
  • Files: src/pages/Orders.tsx (Line: 36)
  • Recommended fix: Enforce host allowlists and validate URLs before outbound requests.

Potential SSRF pattern

  • Severity: high
  • Confidence: low
  • Status: manual-review
  • Evidence: Server-side outbound request
  • Impact: Attacker may force calls to internal or unintended hosts
  • Files: src/pages/Orders.tsx (Line: 52)
  • Recommended fix: Enforce host allowlists and validate URLs before outbound requests.

Potential SSRF pattern

  • Severity: high
  • Confidence: low
  • Status: manual-review
  • Evidence: Server-side outbound request
  • Impact: Attacker may force calls to internal or unintended hosts
  • Files: src/pages/Orders.tsx (Line: 68)
  • Recommended fix: Enforce host allowlists and validate URLs before outbound requests.

Potential SSRF pattern

  • Severity: high
  • Confidence: low
  • Status: manual-review
  • Evidence: Server-side outbound request
  • Impact: Attacker may force calls to internal or unintended hosts
  • Files: src/pages/Plugins.tsx (Line: 30)
  • Recommended fix: Enforce host allowlists and validate URLs before outbound requests.

Potential SSRF pattern

  • Severity: high
  • Confidence: low
  • Status: manual-review
  • Evidence: Server-side outbound request
  • Impact: Attacker may force calls to internal or unintended hosts
  • Files: src/pages/Plugins.tsx (Line: 42)
  • Recommended fix: Enforce host allowlists and validate URLs before outbound requests.

Potential SSRF pattern

  • Severity: high
  • Confidence: low
  • Status: manual-review
  • Evidence: Server-side outbound request
  • Impact: Attacker may force calls to internal or unintended hosts
  • Files: src/pages/Plugins.tsx (Line: 49)
  • Recommended fix: Enforce host allowlists and validate URLs before outbound requests.

Potential SSRF pattern

  • Severity: high
  • Confidence: low
  • Status: manual-review
  • Evidence: Server-side outbound request
  • Impact: Attacker may force calls to internal or unintended hosts
  • Files: src/pages/Plugins.tsx (Line: 124)
  • Recommended fix: Enforce host allowlists and validate URLs before outbound requests.

Potential SSRF pattern

  • Severity: high
  • Confidence: low
  • Status: manual-review
  • Evidence: Server-side outbound request
  • Impact: Attacker may force calls to internal or unintended hosts
  • Files: src/pages/Promotions.tsx (Line: 24)
  • Recommended fix: Enforce host allowlists and validate URLs before outbound requests.

Potential SSRF pattern

  • Severity: high
  • Confidence: low
  • Status: manual-review
  • Evidence: Server-side outbound request
  • Impact: Attacker may force calls to internal or unintended hosts
  • Files: src/pages/Promotions.tsx (Line: 32)
  • Recommended fix: Enforce host allowlists and validate URLs before outbound requests.

Potential SSRF pattern

  • Severity: high
  • Confidence: low
  • Status: manual-review
  • Evidence: Server-side outbound request
  • Impact: Attacker may force calls to internal or unintended hosts
  • Files: src/pages/Promotions.tsx (Line: 69)
  • Recommended fix: Enforce host allowlists and validate URLs before outbound requests.

Potential SSRF pattern

  • Severity: high
  • Confidence: low
  • Status: manual-review
  • Evidence: Server-side outbound request
  • Impact: Attacker may force calls to internal or unintended hosts
  • Files: src/pages/Promotions.tsx (Line: 82)
  • Recommended fix: Enforce host allowlists and validate URLs before outbound requests.

Potential SSRF pattern

  • Severity: high
  • Confidence: low
  • Status: manual-review
  • Evidence: Server-side outbound request
  • Impact: Attacker may force calls to internal or unintended hosts
  • Files: src/pages/Promotions.tsx (Line: 97)
  • Recommended fix: Enforce host allowlists and validate URLs before outbound requests.

Potential SSRF pattern

  • Severity: high
  • Confidence: low
  • Status: manual-review
  • Evidence: Server-side outbound request
  • Impact: Attacker may force calls to internal or unintended hosts
  • Files: src/pages/Raffles.tsx (Line: 26)
  • Recommended fix: Enforce host allowlists and validate URLs before outbound requests.

Potential SSRF pattern

  • Severity: high
  • Confidence: low
  • Status: manual-review
  • Evidence: Server-side outbound request
  • Impact: Attacker may force calls to internal or unintended hosts
  • Files: src/pages/Raffles.tsx (Line: 34)
  • Recommended fix: Enforce host allowlists and validate URLs before outbound requests.

Potential SSRF pattern

  • Severity: high
  • Confidence: low
  • Status: manual-review
  • Evidence: Server-side outbound request
  • Impact: Attacker may force calls to internal or unintended hosts
  • Files: src/pages/Raffles.tsx (Line: 84)
  • Recommended fix: Enforce host allowlists and validate URLs before outbound requests.

Potential SSRF pattern

  • Severity: high
  • Confidence: low
  • Status: manual-review
  • Evidence: Server-side outbound request
  • Impact: Attacker may force calls to internal or unintended hosts
  • Files: src/pages/Raffles.tsx (Line: 102)
  • Recommended fix: Enforce host allowlists and validate URLs before outbound requests.

Potential SSRF pattern

  • Severity: high
  • Confidence: low
  • Status: manual-review
  • Evidence: Server-side outbound request
  • Impact: Attacker may force calls to internal or unintended hosts
  • Files: src/pages/Raffles.tsx (Line: 112)
  • Recommended fix: Enforce host allowlists and validate URLs before outbound requests.

Server boundary without obvious input validation

  • Severity: high
  • Confidence: low
  • Status: manual-review
  • Evidence: Request input usage
  • Impact: Malformed or hostile input may reach sensitive logic
  • Files: src/pages/Settings.tsx (Line: 56)
  • Recommended fix: Validate request data at the server boundary with a schema.

Potential SSRF pattern

  • Severity: high
  • Confidence: low
  • Status: manual-review
  • Evidence: Server-side outbound request
  • Impact: Attacker may force calls to internal or unintended hosts
  • Files: src/pages/Users.tsx (Line: 22)
  • Recommended fix: Enforce host allowlists and validate URLs before outbound requests.

Potential SSRF pattern

  • Severity: high
  • Confidence: low
  • Status: manual-review
  • Evidence: Server-side outbound request
  • Impact: Attacker may force calls to internal or unintended hosts
  • Files: src/pages/Users.tsx (Line: 30)
  • Recommended fix: Enforce host allowlists and validate URLs before outbound requests.

Potential SSRF pattern

  • Severity: high
  • Confidence: low
  • Status: manual-review
  • Evidence: Server-side outbound request
  • Impact: Attacker may force calls to internal or unintended hosts
  • Files: src/pages/Users.tsx (Line: 85)
  • Recommended fix: Enforce host allowlists and validate URLs before outbound requests.

Potential SSRF pattern

  • Severity: high
  • Confidence: low
  • Status: manual-review
  • Evidence: Server-side outbound request
  • Impact: Attacker may force calls to internal or unintended hosts
  • Files: src/pages/Users.tsx (Line: 95)
  • Recommended fix: Enforce host allowlists and validate URLs before outbound requests.

Potential SSRF pattern

  • Severity: high
  • Confidence: low
  • Status: manual-review
  • Evidence: Server-side outbound request
  • Impact: Attacker may force calls to internal or unintended hosts
  • Files: src/pages/WhatsAppInbox.tsx (Line: 665)
  • Recommended fix: Enforce host allowlists and validate URLs before outbound requests.

Potential SSRF pattern

  • Severity: high
  • Confidence: low
  • Status: manual-review
  • Evidence: Server-side outbound request
  • Impact: Attacker may force calls to internal or unintended hosts
  • Files: src/pages/WhatsAppInbox.tsx (Line: 675)
  • Recommended fix: Enforce host allowlists and validate URLs before outbound requests.

Potential SSRF pattern

  • Severity: high
  • Confidence: low
  • Status: manual-review
  • Evidence: Server-side outbound request
  • Impact: Attacker may force calls to internal or unintended hosts
  • Files: src/pages/WhatsAppInbox.tsx (Line: 934)
  • Recommended fix: Enforce host allowlists and validate URLs before outbound requests.

Potential SSRF pattern

  • Severity: high
  • Confidence: low
  • Status: manual-review
  • Evidence: Server-side outbound request
  • Impact: Attacker may force calls to internal or unintended hosts
  • Files: src/pages/WhatsAppLogs.tsx (Line: 56)
  • Recommended fix: Enforce host allowlists and validate URLs before outbound requests.

Server boundary without obvious input validation

  • Severity: high
  • Confidence: low
  • Status: manual-review
  • Evidence: Request input usage
  • Impact: Malformed or hostile input may reach sensitive logic
  • Files: src/pages/WhatsAppLogs.tsx (Line: 58)
  • Recommended fix: Validate request data at the server boundary with a schema.

Potential SSRF pattern

  • Severity: high
  • Confidence: low
  • Status: manual-review
  • Evidence: Server-side outbound request
  • Impact: Attacker may force calls to internal or unintended hosts
  • Files: src/pages/WhatsAppLogs.tsx (Line: 62)
  • Recommended fix: Enforce host allowlists and validate URLs before outbound requests.

Potential SSRF pattern

  • Severity: high
  • Confidence: low
  • Status: manual-review
  • Evidence: Server-side outbound request
  • Impact: Attacker may force calls to internal or unintended hosts
  • Files: src/pages/WhatsAppLogs.tsx (Line: 143)
  • Recommended fix: Enforce host allowlists and validate URLs before outbound requests.

Server boundary without obvious input validation

  • Severity: high
  • Confidence: low
  • Status: manual-review
  • Evidence: Request input usage
  • Impact: Malformed or hostile input may reach sensitive logic
  • Files: src/pages/WhatsAppLogs.tsx (Line: 146)
  • Recommended fix: Validate request data at the server boundary with a schema.

Potential SSRF pattern

  • Severity: high
  • Confidence: low
  • Status: manual-review
  • Evidence: Server-side outbound request
  • Impact: Attacker may force calls to internal or unintended hosts
  • Files: src/pages/WhatsAppLogs.tsx (Line: 151)
  • Recommended fix: Enforce host allowlists and validate URLs before outbound requests.

Potential SSRF pattern

  • Severity: high
  • Confidence: low
  • Status: manual-review
  • Evidence: Server-side outbound request
  • Impact: Attacker may force calls to internal or unintended hosts
  • Files: src/pages/WhatsAppLogs.tsx (Line: 161)
  • Recommended fix: Enforce host allowlists and validate URLs before outbound requests.

Potential SSRF pattern

  • Severity: high
  • Confidence: low
  • Status: manual-review
  • Evidence: Server-side outbound request
  • Impact: Attacker may force calls to internal or unintended hosts
  • Files: src/pages/WhatsAppLogs.tsx (Line: 193)
  • Recommended fix: Enforce host allowlists and validate URLs before outbound requests.

Server boundary without obvious input validation

  • Severity: high
  • Confidence: low
  • Status: manual-review
  • Evidence: Request input usage
  • Impact: Malformed or hostile input may reach sensitive logic
  • Files: src/pages/WhatsAppLogs.tsx (Line: 196)
  • Recommended fix: Validate request data at the server boundary with a schema.

Potential SSRF pattern

  • Severity: high
  • Confidence: low
  • Status: manual-review
  • Evidence: Server-side outbound request
  • Impact: Attacker may force calls to internal or unintended hosts
  • Files: src/pages/WhatsAppLogs.tsx (Line: 203)
  • Recommended fix: Enforce host allowlists and validate URLs before outbound requests.

Potential SSRF pattern

  • Severity: high
  • Confidence: low
  • Status: manual-review
  • Evidence: Server-side outbound request
  • Impact: Attacker may force calls to internal or unintended hosts
  • Files: src/pages/WhatsAppLogs.tsx (Line: 242)
  • Recommended fix: Enforce host allowlists and validate URLs before outbound requests.

Server boundary without obvious input validation

  • Severity: high
  • Confidence: low
  • Status: manual-review
  • Evidence: Request input usage
  • Impact: Malformed or hostile input may reach sensitive logic
  • Files: src/pages/WhatsAppWebhooks.tsx (Line: 135)
  • Recommended fix: Validate request data at the server boundary with a schema.

Potential SSRF pattern

  • Severity: high
  • Confidence: low
  • Status: manual-review
  • Evidence: Server-side outbound request
  • Impact: Attacker may force calls to internal or unintended hosts
  • Files: src/services/api.ts (Line: 3)
  • Recommended fix: Enforce host allowlists and validate URLs before outbound requests.

Server boundary without obvious input validation

  • Severity: high
  • Confidence: low
  • Status: manual-review
  • Evidence: Request input usage
  • Impact: Malformed or hostile input may reach sensitive logic
  • Files: src/services/api.ts (Line: 19)
  • Recommended fix: Validate request data at the server boundary with a schema.

Server boundary without obvious input validation

  • Severity: high
  • Confidence: low
  • Status: manual-review
  • Evidence: Request input usage
  • Impact: Malformed or hostile input may reach sensitive logic
  • Files: src/services/api.ts (Line: 23)
  • Recommended fix: Validate request data at the server boundary with a schema.

Server boundary without obvious input validation

  • Severity: high
  • Confidence: low
  • Status: manual-review
  • Evidence: Request input usage
  • Impact: Malformed or hostile input may reach sensitive logic
  • Files: src/services/api.ts (Line: 32)
  • Recommended fix: Validate request data at the server boundary with a schema.

Server boundary without obvious input validation

  • Severity: high
  • Confidence: low
  • Status: manual-review
  • Evidence: Request input usage
  • Impact: Malformed or hostile input may reach sensitive logic
  • Files: src/services/api.ts (Line: 39)
  • Recommended fix: Validate request data at the server boundary with a schema.

Server boundary without obvious input validation

  • Severity: high
  • Confidence: low
  • Status: manual-review
  • Evidence: Request input usage
  • Impact: Malformed or hostile input may reach sensitive logic
  • Files: src/services/api.ts (Line: 45)
  • Recommended fix: Validate request data at the server boundary with a schema.

Server boundary without obvious input validation

  • Severity: high
  • Confidence: low
  • Status: manual-review
  • Evidence: Request input usage
  • Impact: Malformed or hostile input may reach sensitive logic
  • Files: src/services/api.ts (Line: 54)
  • Recommended fix: Validate request data at the server boundary with a schema.

Server boundary without obvious input validation

  • Severity: high
  • Confidence: low
  • Status: manual-review
  • Evidence: Request input usage
  • Impact: Malformed or hostile input may reach sensitive logic
  • Files: src/services/api.ts (Line: 59)
  • Recommended fix: Validate request data at the server boundary with a schema.

Server boundary without obvious input validation

  • Severity: high
  • Confidence: low
  • Status: manual-review
  • Evidence: Request input usage
  • Impact: Malformed or hostile input may reach sensitive logic
  • Files: src/services/api.ts (Line: 68)
  • Recommended fix: Validate request data at the server boundary with a schema.

Server boundary without obvious input validation

  • Severity: high
  • Confidence: low
  • Status: manual-review
  • Evidence: Request input usage
  • Impact: Malformed or hostile input may reach sensitive logic
  • Files: src/services/api.ts (Line: 73)
  • Recommended fix: Validate request data at the server boundary with a schema.

Server boundary without obvious input validation

  • Severity: high
  • Confidence: low
  • Status: manual-review
  • Evidence: Request input usage
  • Impact: Malformed or hostile input may reach sensitive logic
  • Files: src/services/api.ts (Line: 79)
  • Recommended fix: Validate request data at the server boundary with a schema.

Server boundary without obvious input validation

  • Severity: high
  • Confidence: low
  • Status: manual-review
  • Evidence: Request input usage
  • Impact: Malformed or hostile input may reach sensitive logic
  • Files: src/services/api.ts (Line: 81)
  • Recommended fix: Validate request data at the server boundary with a schema.

Server boundary without obvious input validation

  • Severity: high
  • Confidence: low
  • Status: manual-review
  • Evidence: Request input usage
  • Impact: Malformed or hostile input may reach sensitive logic
  • Files: src/services/api.ts (Line: 86)
  • Recommended fix: Validate request data at the server boundary with a schema.

Server boundary without obvious input validation

  • Severity: high
  • Confidence: low
  • Status: manual-review
  • Evidence: Request input usage
  • Impact: Malformed or hostile input may reach sensitive logic
  • Files: src/services/api.ts (Line: 90)
  • Recommended fix: Validate request data at the server boundary with a schema.

Server boundary without obvious input validation

  • Severity: high
  • Confidence: low
  • Status: manual-review
  • Evidence: Request input usage
  • Impact: Malformed or hostile input may reach sensitive logic
  • Files: src/services/api.ts (Line: 100)
  • Recommended fix: Validate request data at the server boundary with a schema.

Server boundary without obvious input validation

  • Severity: high
  • Confidence: low
  • Status: manual-review
  • Evidence: Request input usage
  • Impact: Malformed or hostile input may reach sensitive logic
  • Files: src/services/api.ts (Line: 107)
  • Recommended fix: Validate request data at the server boundary with a schema.

Potential SSRF pattern

  • Severity: high
  • Confidence: low
  • Status: manual-review
  • Evidence: Server-side outbound request
  • Impact: Attacker may force calls to internal or unintended hosts
  • Files: src/services/api.ts (Line: 115)
  • Recommended fix: Enforce host allowlists and validate URLs before outbound requests.

Potential SSRF pattern

  • Severity: high
  • Confidence: low
  • Status: manual-review
  • Evidence: Server-side outbound request
  • Impact: Attacker may force calls to internal or unintended hosts
  • Files: src/services/api.ts (Line: 126)
  • Recommended fix: Enforce host allowlists and validate URLs before outbound requests.

Server boundary without obvious input validation

  • Severity: high
  • Confidence: low
  • Status: manual-review
  • Evidence: Request input usage
  • Impact: Malformed or hostile input may reach sensitive logic
  • Files: src/services/api.ts (Line: 140)
  • Recommended fix: Validate request data at the server boundary with a schema.

Server boundary without obvious input validation

  • Severity: high
  • Confidence: low
  • Status: manual-review
  • Evidence: Request input usage
  • Impact: Malformed or hostile input may reach sensitive logic
  • Files: src/services/api.ts (Line: 143)
  • Recommended fix: Validate request data at the server boundary with a schema.

Server boundary without obvious input validation

  • Severity: high
  • Confidence: low
  • Status: manual-review
  • Evidence: Request input usage
  • Impact: Malformed or hostile input may reach sensitive logic
  • Files: src/services/api.ts (Line: 153)
  • Recommended fix: Validate request data at the server boundary with a schema.

Medium

Vulnerable dependency: esbuild

  • Severity: medium
  • Confidence: high
  • Status: confirmed
  • Evidence: npm audit reported moderate vulnerability in esbuild
  • Impact: May expose application to known CVE exploits
  • Files: package.json (Line: 1)
  • Recommended fix: Run npm audit fix or manually update esbuild.

Vulnerable dependency: vite

  • Severity: medium
  • Confidence: high
  • Status: confirmed
  • Evidence: npm audit reported moderate vulnerability in vite
  • Impact: May expose application to known CVE exploits
  • Files: package.json (Line: 1)
  • Recommended fix: Run npm audit fix or manually update vite.

Low

No findings.

Manual review checklist

  • Verify authz on admin and privileged routes.
  • Verify whether raw queries are parameterized upstream.
  • Verify whether shared sanitization utilities are applied before dangerous HTML or LLM calls.
  • Verify token handling and public env variables in client bundles.