Mike/Kordant
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
master
Kordant/piolium/attack-surface/advisory-summary.md
Michael Freno 3b29de3234 security sweep
2026-05-29 09:03:47 -04:00

20 KiB
Raw Permalink Blame History

Advisory Intelligence — Kordant

Generated: 2026-05-28
Phase: L1 (Intel) — Advisory collection & dependency intelligence
Target: Kordant monorepo — SolidStart + tRPC + Drizzle ORM + native mobile apps

Repository Identity

Field Value
Project Kordant
Type Full-stack monorepo (SolidStart web, iOS, Android, browser extension)
Git remote git@git.freno.me:Mike/Kordant.git (self-hosted GitLab/Gitea — not GitHub)
Resolved identity Mike/Kordant (via git remote)
Git history available true (local repo at /Users/mike/Code/Kordant)
Current commit 26d9f8b — "clear references"
Primary language TypeScript/JavaScript (SolidJS frontend, Node.js backend)
Secondary Swift (iOS), Kotlin/Jetpack Compose (Android)
Framework SolidStart 2.0.0-alpha.2, tRPC 10.45.4, Drizzle ORM 0.45.2
Database Turso/libSQL (SQLite)
Queue BullMQ + ioredis (Redis 7)

Recent Advisories (last 24 months)

Advisory Inventory (filtered to ≥12 months old, within last 24 months)

Only advisories published between May 2024 and May 2026 are listed below. Older advisories are noted separately.

# ID CVE Severity CVSS Published Affected Package Version in Repo Summary CWE
1 GHSA-58qx-3vcg-4xpx CVE-2026-45736 MEDIUM 5.3 2026-05-18 ws 8.21.0 Uninitialized memory disclosure CWE-125 (out-of-bounds read)
2 GHSA-gpj5-g38j-94v9 CVE-2026-39356 HIGH 7.5 2026-04-08 drizzle-orm 0.45.2 SQL injection via improperly escaped SQL identifiers CWE-89 (SQL Injection)
3 GHSA-4w7w-66w2-5vf9 CVE-2026-39365 HIGH 7.1 2026-04-06 vite 6.4.2 / 7.3.3 Path traversal in optimized deps .map handling CWE-22 (Path Traversal)
4 GHSA-v2wj-q39q-566r CVE-2026-39364 HIGH 2026-04-06 vite 6.4.2 / 7.3.3 server.fs.deny bypassed with queries CWE-22 (Path Traversal)
5 GHSA-p9ff-h696-f583 CVE-2026-39363 HIGH 2026-04-06 vite 6.4.2 / 7.3.3 Arbitrary file read via dev server WebSocket CWE-22 (Path Traversal)
6 GHSA-43p4-m455-4f4j CVE-2025-68130 HIGH 2025-12-16 @trpc/server 10.45.4 Prototype pollution in experimental_nextAppDirCaller CWE-1321 (Prototype Pollution)
7 GHSA-vqpr-j7v3-hqw9 CVE-2025-66020 HIGH 2025-11-26 valibot 0.29.0 ReDoS in EMOJI_REGEX CWE-1333 (ReDoS)
8 GHSA-93m4-6634-74q7 CVE-2025-62522 MEDIUM 2025-10-20 vite 6.4.2 / 7.3.3 server.fs.deny bypass via backslash on Windows CWE-22 (Path Traversal)
9 GHSA-g4jq-h2w9-997c CVE-2025-58751 MEDIUM 5.3 2025-09-09 vite 6.4.2 / 7.3.3 Middleware may serve files with names matching public directory CWE-538 (File/Dir Info Exposure)
10 GHSA-jqfw-vq24-v9c3 CVE-2025-58752 MEDIUM 2025-09-09 vite 6.4.2 / 7.3.3 server.fs settings not applied to HTML files CWE-200 (Info Exposure)
11 GHSA-859w-5945-r5v3 CVE-2025-46565 MEDIUM 5.3 2025-04-30 vite 6.4.2 / 7.3.3 server.fs.deny bypassed with /. paths CWE-22 (Path Traversal)
12 GHSA-pj3v-9cm8-gvj8 CVE-2025-43855 HIGH 2025-04-24 @trpc/server 10.45.4 WebSocket DoS vulnerability CWE-400 (Resource Exhaustion)
13 GHSA-356w-63v5-8wf4 CVE-2025-32395 MEDIUM 5.3 2025-04-11 vite 6.4.2 / 7.3.3 server.fs.deny bypass with invalid request-target CWE-22 (Path Traversal)
14 GHSA-xcj6-pq6g-qj4x CVE-2025-31486 MEDIUM 5.3 2025-04-04 vite 6.4.2 / 7.3.3 server.fs.deny bypass with .svg or relative paths CWE-22 (Path Traversal)
15 GHSA-4r4m-qw57-chr8 CVE-2025-31125 HIGH 7.5 2025-03-31 vite 6.4.2 / 7.3.3 server.fs.deny bypass for inline/raw with ?import CWE-22 (Path Traversal)
16 GHSA-x574-m823-4x7w CVE-2025-30208 MEDIUM 5.3 2025-03-25 vite 6.4.2 / 7.3.3 server.fs.deny bypass using ?raw?? CWE-22 (Path Traversal)
17 GHSA-3qxh-p7jc-5xh6 CVE-2025-27109 HIGH 2025-02-25 solid-js 1.9.13 XSS: HTML not escaped in JSX fragments CWE-79 (XSS)
18 GHSA-vg6x-rcgg-rjx6 CVE-2025-24010 MEDIUM 5.3 2025-01-21 vite 6.4.2 / 7.3.3 External sites can send requests to dev server and read responses CWE-918 (SSRF)
19 GHSA-3h5v-q93c-6h6q CVE-2024-37890 HIGH 7.5 2024-06-17 ws 8.21.0 DoS when handling requests with many HTTP headers CWE-770 (Resource Exhaustion)
20 GHSA-8jhw-289h-jh2g CVE-2024-31207 MEDIUM 2024-04-03 vite 6.4.2 / 7.3.3 server.fs.deny did not deny directory-pattern requests CWE-22 (Path Traversal)
21 GHSA-64vr-g452-qvp3 CVE-2024-45812 MEDIUM 5.3 2024-09-17 vite 6.4.2 / 7.3.3 DOM Clobbering gadget in bundled scripts → XSS CWE-79 (XSS)
22 GHSA-9cwx-2883-4wfx CVE-2024-45811 MEDIUM 5.3 2024-09-17 vite 6.4.2 / 7.3.3 server.fs.deny bypass with ?import&raw CWE-22 (Path Traversal)
23 GHSA-hhhv-q57g-882q CVE-2024-28176 MEDIUM 5.3 2024-03-07 jose 5.10.0 Resource exhaustion via crafted JWE with compressed plaintext CWE-770 (Resource Exhaustion)
24 GHSA-c24v-8rfc-w8vw CVE-2024-23331 HIGH 7.5 2024-01-19 vite 6.4.2 / 7.3.3 server.fs.deny bypass on case-insensitive filesystems CWE-22 (Path Traversal)

Older advisories (≥24 months, retained for pattern analysis)

# ID CVE Severity Published Package Summary
A GHSA-5888-ffcr-r425 CVE-2022-23631 CRITICAL 2022-02-09 superjson Prototype pollution → RCE (v2.x affected; repo uses 2.2.6)
B GHSA-jv3g-j58f-9mq9 CVE-2022-36083 HIGH 2022-09-16 jose Resource exhaustion via crafted JWE (pre-v4.9.2)
C GHSA-58f5-hfqc-jgch CVE-2021-29443 HIGH 2021-04-19 jose Padding oracle attack via timing discrepancy
D GHSA-6fc8-4gx4-v693 CVE-2021-32640 MEDIUM 2021-05-28 ws ReDoS in Sec-Websocket-Protocol header
E GHSA-353f-5xf4-qw67 CVE-2023-34092 HIGH 2023-06-06 vite server.fs.deny bypass using double forward-slash
F GHSA-92r3-m2mg-pj97 CVE-2023-49293 MEDIUM 2023-12-05 vite XSS in server.transformIndexHtml via URL payload
G GHSA-mv48-hcvh-8jj8 CVE-2022-35204 MEDIUM 2022-08-19 vite Directory traversal via crafted URL

Severity Distribution

Severity Count (last 24mo) Count (all-time)
CRITICAL 0 1 (superjson CVE-2022-23631)
HIGH 12 15
MEDIUM 11 13
LOW 0 0
Total 23 29

Historical Coverage Metadata

  • Tier reached: Tier 1 (24 months) + Tier 2 expansion (all-time for pattern coverage)
  • Total advisories collected: 29 (23 within 24 months, 6 older)
  • Severity distribution: CRITICAL: 1, HIGH: 15, MEDIUM: 13, LOW: 0
  • Repository identity: Mike/Kordant (resolved via git remotegit.freno.me:Mike/Kordant.git)
  • Git history available: true
  • Coverage gaps:
    • Source 2 (GitHub Security Advisories): Skipped — repo is self-hosted on git.freno.me, not on GitHub. No gh api queries possible.
    • Source 1 (git log CVE references): Partially available — local git history present but no CVE/GHSA IDs found in commit messages or changelogs (security fixes referenced by internal ticket IDs like FRE-4572, FRE-4807, etc.)
    • Source 5 (web search): Not executed — OSV + NVD provided sufficient coverage

Dependency Intelligence

Key Dependencies & Risk Assessment

Package Version Ecosystem Risk Level Reason
vite 6.4.2 / 7.3.3 npm 🔴 CRITICAL 14+ vulnerabilities in 24 months; persistent server.fs.deny bypass lineage. Dev server is exposed (port 3000).
@trpc/server 10.45.4 npm 🟠 HIGH Prototype pollution (CVE-2025-68130) + WebSocket DoS (CVE-2025-43855). Both CVSSv4 HIGH.
drizzle-orm 0.45.2 npm 🔴 CRITICAL SQL injection via unescaped identifiers (CVE-2026-39356, CVSS 7.5). Direct DB access layer.
solid-js 1.9.13 npm 🟠 HIGH XSS in JSX fragments (CVE-2025-27109, CVSS HIGH). Core rendering framework.
valibot 0.29.0 npm 🟠 HIGH ReDoS in EMOJI_REGEX (CVE-2025-66020, CVSS HIGH). Used for input validation.
ws 8.21.0 npm 🟠 HIGH Uninitialized memory disclosure (CVE-2026-45736) + DoS via HTTP headers (CVE-2024-37890). WebSocket transport.
jose 5.10.0 npm 🟡 MEDIUM Resource exhaustion via JWE (CVE-2024-28176, CVSS 5.3). JWT/crypto library.
superjson 2.2.6 npm 🟠 HIGH Prototype pollution → RCE (CVE-2022-23631, CVSS 10.0). Used in browser extension for tRPC serialization.
puppeteer 25.0.4 npm 🟢 LOW Old UAF (CVE-2019-5786) — patched in modern versions. Used for report generation.

High-Risk Patterns

  1. Vite server.fs.deny — The Recurring Bypass

    • 8+ distinct CVEs (CVE-2023-34092, CVE-2024-23331, CVE-2024-31207, CVE-2024-45811/45812, CVE-2025-30208, CVE-2025-31125, CVE-2025-31486, CVE-2025-32395, CVE-2025-46565, CVE-2025-58751/58752, CVE-2025-62522, CVE-2026-39363/39364/39365)
    • All relate to server.fs.deny being bypassed via different techniques: queries, backslashes, .svg, .map, /., ?import, ?raw??, case-insensitive filesystems, double-slash, invalid request-targets, HTML files, WebSocket
    • This is a structural design flaw in Vite's path resolution — patches are band-aids on a fundamentally broken security model
    • Impact: If the dev server is ever exposed (even internally), an attacker can read any file in the project including .env, docker-compose.yml, source code, database credentials

  2. tRPC + superjson — Prototype Pollution Chain

    • superjson CVE-2022-23631 (CRITICAL) allows prototype pollution → RCE
    • @trpc/server CVE-2025-68130 (HIGH) allows prototype pollution via experimental_nextAppDirCaller
    • The browser extension uses superjson for tRPC serialization — if an attacker can inject malicious serialized data into the tRPC pipeline, prototype pollution could lead to remote code execution
    • Impact: If the tRPC endpoints accept untrusted serialized data, this could be a critical attack path

  3. Drizzle ORM — SQL Injection

    • CVE-2026-39356 (CVSS 7.5) allows SQL injection via improperly escaped identifiers
    • Drizzle is the project's primary ORM — if any tRPC procedure passes user input into column/table names (not just values), injection is possible
    • Impact: Full database compromise — read, modify, or delete all user data

  4. SolidJS — XSS in JSX

    • CVE-2025-27109 (HIGH) — HTML not escaped in JSX fragments
    • As the core rendering framework, any user-controlled data rendered in JSX fragments could be XSS vector
    • Impact: Cross-site scripting in the web application

Security-Related Configuration

From .env.example and docker-compose.prod.yml:

Secret/Config Risk
JWT_SECRET Critical — if leaked, all auth tokens can be forged
CLERK_SECRET_KEY High — Clerk admin key exposure
STRIPE_SECRET_KEY High — payment API access
STRIPE_WEBHOOK_SECRET High — webhook signature verification bypass
DATABASE_AUTH_TOKEN High — Turso database access
RESEND_API_KEY Medium — email sending abuse
FCM_PRIVATE_KEY Medium — push notification abuse
TWILIO_AUTH_TOKEN Medium — SMS API abuse
HIBP_API_KEY / SECURITYTRAILS / CENSYS / SHODAN Medium — OSINT API abuse

Architecture Hints

System Architecture (from README + codebase)

┌──────────────────────────────────────────────────────────────┐
│                        Clients                               │
│  Web (SolidStart) │ iOS (SwiftUI) │ Android (Compose) │ Ext  │
└────────────────────┬─────────────────────────────────────────┘
                     │  tRPC (HTTP/WS)
                     ▼
┌──────────────────────────────────────────────────────────────┐
│                   web/ (SolidStart)                          │
│                                                              │
│  Frontend: SolidStart + Tailwind v4                          │
│  Backend:  tRPC routers (auth, user, billing, darkwatch,     │
│            voiceprint, spamshield, hometitle, removebrokers, │
│            alerts, reports, notifications, correlation)      │
│  Background: BullMQ + Redis (ioredis) for job queues         │
│  WebSocket: ws@8.21.0 on port 3001                           │
│  Report generation: Puppeteer (headless browser)             │
│  Monitoring: Sentry (@sentry/solidstart)                     │
└────────────────────────┬──────────────────────────────────────┘
                         │
                ┌────────▼────────┐
                │   Turso (SQLite)│
                │   + Redis 7     │
                └─────────────────┘

Service Domains (5 core services)

Domain tRPC Router Key Dependencies Trust Boundary
VoicePrint voiceprint WebRTC, audio upload, ML inference Internal — requires auth
DarkWatch darkwatch SecurityTrails, HIBP, Censys, Shodan External API integrations
SpamShield spamshield Twilio, phone number analysis External — SMS/call API
HomeTitle hometitle County deed record APIs External — public data
RemoveBrokers removebrokers Data broker opt-out automation External — broker APIs

Trust Boundaries

Boundary Description Risk
Internet → Web tRPC endpoints over HTTP tRPC auth middleware protects most procedures
Web → Redis BullMQ job queue Internal, but BullMQ has its own attack surface
Web → Turso Database via Drizzle ORM SQL injection risk (CVE-2026-39356)
Web → External APIs SecurityTrails, HIBP, Twilio, Stripe API key exposure, webhook spoofing
Web → WebSocket Real-time alerts on port 3001 DoS (ws CVE-2024-37890), memory disclosure (ws CVE-2026-45736)
Web → Puppeteer Report generation SSRF, path traversal via file input
Browser Extension → tRPC tRPC + superjson serialization Prototype pollution chain (superjson + tRPC)

Highest-Risk Flows (for Phase 3 DFD prioritization)

  1. tRPC → Drizzle ORM: User input flows through tRPC procedures into SQL queries. If identifiers are interpolated from user input, SQL injection is possible (CVE-2026-39356).

  2. tRPC → superjson → browser extension: Serialized data from tRPC responses flows through superjson deserialization. Prototype pollution (CVE-2022-23631) could affect the extension.

  3. WebSocket → ws: Real-time alerts use the ws library. Memory disclosure (CVE-2026-45736) and DoS (CVE-2024-37890) affect this transport.

  4. Puppeteer → file system: Report generation via Puppeteer could be exploited for path traversal if file paths are user-controlled.

  5. Vite dev server → file system: If exposed (even on localhost), the dev server's server.fs.deny has been bypassed 14+ times. Any file in the project tree is readable.

Coverage Gaps

Sources Skipped

Source Status Reason
Source 1: Project-hosted (git log CVE grep) Partial Local git available. No CVE/GHSA IDs in commit messages or project files. Security fixes referenced by internal ticket IDs (FRE-XXXX) only.
Source 2: GitHub Security Advisories (gh api) Skipped Repository is self-hosted on git.freno.me, not on GitHub. No GitHub API access.
Source 3: OSV API Complete Queried all 26 primary npm packages. 10 packages with advisories found.
Source 4: NVD REST API Partial CVSS scores obtained for most advisories. Recent 2025-2026 CVEs have NVD scores assigned.
Source 5: WebSearch Skipped OSV + NVD provided full coverage. No additional advisories expected.

Notable Gaps

  1. No GitHub GHSA coverage: Since the repo is not on GitHub, GitHub Security Advisories are not searchable. Any advisories published directly through GitHub's security advisory database (not via OSV) would be missed.

  2. Internal security remediation tracking: Git log shows 8+ commits referencing internal security reviews (FRE-4572, FRE-4807, FRE-5003, FRE-4498, FRE-4500, etc.) with fixes for "auth bypass", "P1 security findings", "JWT security issues", and "VoicePrint auth bypass". These represent real security vulnerabilities in the project's own codebase, but their details are not publicly documented in CVE/GHSA format.

  3. Android/iOS app vulnerabilities: Native mobile apps (iOS/SwiftUI, Android/Kotlin) are not covered by npm/OSV/NVD. Potential native-level vulnerabilities (certificate pinning, root detection, encrypted storage) are not assessed in this advisory pass.

  4. Infrastructure-as-code: Dockerfile and docker-compose.prod.yml are not analyzed for container security vulnerabilities (base image CVEs, non-root user verification, etc.).

  5. Stripe integration: No Stripe-specific CVEs found, but the integration uses stripe-js v9.6.0 and stripe v22.1.1. Stripe library security should be cross-referenced with Stripe's own advisory process.

Audit Targeting Recommendations

Based on the advisory pattern analysis:

Phase 3 DFD Prioritization

  • Drizzle ORM + tRPC procedures — SQL injection vector (CVE-2026-39356). Map all 12+ tRPC routers for identifier injection.
  • WebSocket transport (ws) — Memory disclosure + DoS (CVE-2026-45736, CVE-2024-37890). Map the real-time alert flow.
  • Vite dev server — Path traversal lineage. Assess if dev server is exposed in any deployment.

Phase 5 Deep Probe Entry Points

  • tRPC input validation — User data flows through valibot (ReDoS risk) into tRPC into Drizzle (SQLi risk).
  • superjson deserialization — Prototype pollution chain in browser extension.
  • Puppeteer report generation — File path handling, SSRF potential.
  • WebSocket message handling — Message size limits, frame parsing.

Phase 10 Attack Mode Chambers

  • SQL Injection (CWE-89) — Mandatory for all tRPC procedures touching Drizzle
  • Path Traversal (CWE-22) — Mandatory for any file-path handling (Vite, Puppeteer)
  • Prototype Pollution (CWE-1321) — Mandatory for superjson/tRPC serialization
  • ReDoS (CWE-1333) — Mandatory for valibot input validation
  • XSS (CWE-79) — Mandatory for SolidJS JSX rendering of user data
  • Resource Exhaustion (CWE-770) — Mandatory for jose (JWE) and ws (HTTP headers)

Patch-Bypass-Checker Structural Recurrence

  • Vite server.fs.deny — 14+ distinct bypass techniques across versions. This is a structural-recurrence component. The entire path resolution model should be re-evaluated rather than applying piecemeal patches.
Reference in New Issue View Git Blame Copy Permalink