Kordant/piolium/attack-surface/advisory-summary.md
2026-05-29 09:03:47 -04:00

# Advisory Intelligence — Kordant
> **Generated**: 2026-05-28
> **Phase**: L1 (Intel) — Advisory collection & dependency intelligence
> **Target**: Kordant monorepo — SolidStart + tRPC + Drizzle ORM + native mobile apps
---
## Repository Identity
| Field | Value |
|-------|-------|
| **Project** | Kordant |
| **Type** | Full-stack monorepo (SolidStart web, iOS, Android, browser extension) |
| **Git remote** | `git@git.freno.me:Mike/Kordant.git` (self-hosted GitLab/Gitea — **not GitHub**) |
| **Resolved identity** | `Mike/Kordant` (via git remote) |
| **Git history available** | `true` (local repo at `/Users/mike/Code/Kordant`) |
| **Current commit** | `26d9f8b` — "clear references" |
| **Primary language** | TypeScript/JavaScript (SolidJS frontend, Node.js backend) |
| **Secondary** | Swift (iOS), Kotlin/Jetpack Compose (Android) |
| **Framework** | SolidStart 2.0.0-alpha.2, tRPC 10.45.4, Drizzle ORM 0.45.2 |
| **Database** | Turso/libSQL (SQLite) |
| **Queue** | BullMQ + ioredis (Redis 7) |
---
## Recent Advisories (last 24 months)
### Advisory Inventory (filtered to ≥12 months old, within last 24 months)
Only advisories published between **May 2024 and May 2026** are listed below. Older advisories are noted separately.
| # | ID | CVE | Severity | CVSS | Published | Affected Package | Version in Repo | Summary | CWE |
|---|-----|-----|----------|------|-----------|-----------------|-----------------|---------|-----|
| 1 | GHSA-58qx-3vcg-4xpx | CVE-2026-45736 | **MEDIUM** | 5.3 | 2026-05-18 | ws | 8.21.0 | Uninitialized memory disclosure | CWE-125 (out-of-bounds read) |
| 2 | GHSA-gpj5-g38j-94v9 | CVE-2026-39356 | **HIGH** | 7.5 | 2026-04-08 | drizzle-orm | 0.45.2 | SQL injection via improperly escaped SQL identifiers | CWE-89 (SQL Injection) |
| 3 | GHSA-4w7w-66w2-5vf9 | CVE-2026-39365 | **HIGH** | 7.1 | 2026-04-06 | vite | 6.4.2 / 7.3.3 | Path traversal in optimized deps `.map` handling | CWE-22 (Path Traversal) |
| 4 | GHSA-v2wj-q39q-566r | CVE-2026-39364 | **HIGH** | — | 2026-04-06 | vite | 6.4.2 / 7.3.3 | `server.fs.deny` bypassed with queries | CWE-22 (Path Traversal) |
| 5 | GHSA-p9ff-h696-f583 | CVE-2026-39363 | **HIGH** | — | 2026-04-06 | vite | 6.4.2 / 7.3.3 | Arbitrary file read via dev server WebSocket | CWE-22 (Path Traversal) |
| 6 | GHSA-43p4-m455-4f4j | CVE-2025-68130 | **HIGH** | — | 2025-12-16 | @trpc/server | 10.45.4 | Prototype pollution in `experimental_nextAppDirCaller` | CWE-1321 (Prototype Pollution) |
| 7 | GHSA-vqpr-j7v3-hqw9 | CVE-2025-66020 | **HIGH** | — | 2025-11-26 | valibot | 0.29.0 | ReDoS in `EMOJI_REGEX` | CWE-1333 (ReDoS) |
| 8 | GHSA-93m4-6634-74q7 | CVE-2025-62522 | **MEDIUM** | — | 2025-10-20 | vite | 6.4.2 / 7.3.3 | `server.fs.deny` bypass via backslash on Windows | CWE-22 (Path Traversal) |
| 9 | GHSA-g4jq-h2w9-997c | CVE-2025-58751 | **MEDIUM** | 5.3 | 2025-09-09 | vite | 6.4.2 / 7.3.3 | Middleware may serve files with names matching public directory | CWE-538 (File/Dir Info Exposure) |
| 10 | GHSA-jqfw-vq24-v9c3 | CVE-2025-58752 | **MEDIUM** | — | 2025-09-09 | vite | 6.4.2 / 7.3.3 | `server.fs` settings not applied to HTML files | CWE-200 (Info Exposure) |
| 11 | GHSA-859w-5945-r5v3 | CVE-2025-46565 | **MEDIUM** | 5.3 | 2025-04-30 | vite | 6.4.2 / 7.3.3 | `server.fs.deny` bypassed with `/.` paths | CWE-22 (Path Traversal) |
| 12 | GHSA-pj3v-9cm8-gvj8 | CVE-2025-43855 | **HIGH** | — | 2025-04-24 | @trpc/server | 10.45.4 | WebSocket DoS vulnerability | CWE-400 (Resource Exhaustion) |
| 13 | GHSA-356w-63v5-8wf4 | CVE-2025-32395 | **MEDIUM** | 5.3 | 2025-04-11 | vite | 6.4.2 / 7.3.3 | `server.fs.deny` bypass with invalid `request-target` | CWE-22 (Path Traversal) |
| 14 | GHSA-xcj6-pq6g-qj4x | CVE-2025-31486 | **MEDIUM** | 5.3 | 2025-04-04 | vite | 6.4.2 / 7.3.3 | `server.fs.deny` bypass with `.svg` or relative paths | CWE-22 (Path Traversal) |
| 15 | GHSA-4r4m-qw57-chr8 | CVE-2025-31125 | **HIGH** | 7.5 | 2025-03-31 | vite | 6.4.2 / 7.3.3 | `server.fs.deny` bypass for `inline`/`raw` with `?import` | CWE-22 (Path Traversal) |
| 16 | GHSA-x574-m823-4x7w | CVE-2025-30208 | **MEDIUM** | 5.3 | 2025-03-25 | vite | 6.4.2 / 7.3.3 | `server.fs.deny` bypass using `?raw??` | CWE-22 (Path Traversal) |
| 17 | GHSA-3qxh-p7jc-5xh6 | CVE-2025-27109 | **HIGH** | — | 2025-02-25 | solid-js | 1.9.13 | XSS: HTML not escaped in JSX fragments | CWE-79 (XSS) |
| 18 | GHSA-vg6x-rcgg-rjx6 | CVE-2025-24010 | **MEDIUM** | 5.3 | 2025-01-21 | vite | 6.4.2 / 7.3.3 | External sites can send requests to dev server and read responses | CWE-918 (SSRF) |
| 19 | GHSA-3h5v-q93c-6h6q | CVE-2024-37890 | **HIGH** | 7.5 | 2024-06-17 | ws | 8.21.0 | DoS when handling requests with many HTTP headers | CWE-770 (Resource Exhaustion) |
| 20 | GHSA-8jhw-289h-jh2g | CVE-2024-31207 | **MEDIUM** | — | 2024-04-03 | vite | 6.4.2 / 7.3.3 | `server.fs.deny` did not deny directory-pattern requests | CWE-22 (Path Traversal) |
| 21 | GHSA-64vr-g452-qvp3 | CVE-2024-45812 | **MEDIUM** | 5.3 | 2024-09-17 | vite | 6.4.2 / 7.3.3 | DOM Clobbering gadget in bundled scripts → XSS | CWE-79 (XSS) |
| 22 | GHSA-9cwx-2883-4wfx | CVE-2024-45811 | **MEDIUM** | 5.3 | 2024-09-17 | vite | 6.4.2 / 7.3.3 | `server.fs.deny` bypass with `?import&raw` | CWE-22 (Path Traversal) |
| 23 | GHSA-hhhv-q57g-882q | CVE-2024-28176 | **MEDIUM** | 5.3 | 2024-03-07 | jose | 5.10.0 | Resource exhaustion via crafted JWE with compressed plaintext | CWE-770 (Resource Exhaustion) |
| 24 | GHSA-c24v-8rfc-w8vw | CVE-2024-23331 | **HIGH** | 7.5 | 2024-01-19 | vite | 6.4.2 / 7.3.3 | `server.fs.deny` bypass on case-insensitive filesystems | CWE-22 (Path Traversal) |
### Older advisories (≥24 months, retained for pattern analysis)
| # | ID | CVE | Severity | Published | Package | Summary |
|---|-----|-----|----------|-----------|---------|---------|
| A | GHSA-5888-ffcr-r425 | CVE-2022-23631 | **CRITICAL** | 2022-02-09 | superjson | Prototype pollution → RCE (v2.x affected; repo uses 2.2.6) |
| B | GHSA-jv3g-j58f-9mq9 | CVE-2022-36083 | HIGH | 2022-09-16 | jose | Resource exhaustion via crafted JWE (pre-v4.9.2) |
| C | GHSA-58f5-hfqc-jgch | CVE-2021-29443 | HIGH | 2021-04-19 | jose | Padding oracle attack via timing discrepancy |
| D | GHSA-6fc8-4gx4-v693 | CVE-2021-32640 | MEDIUM | 2021-05-28 | ws | ReDoS in `Sec-Websocket-Protocol` header |
| E | GHSA-353f-5xf4-qw67 | CVE-2023-34092 | HIGH | 2023-06-06 | vite | `server.fs.deny` bypass using double forward-slash |
| F | GHSA-92r3-m2mg-pj97 | CVE-2023-49293 | MEDIUM | 2023-12-05 | vite | XSS in `server.transformIndexHtml` via URL payload |
| G | GHSA-mv48-hcvh-8jj8 | CVE-2022-35204 | MEDIUM | 2022-08-19 | vite | Directory traversal via crafted URL |
---
### Severity Distribution
| Severity | Count (last 24mo) | Count (all-time) |
|----------|-------------------|------------------|
| CRITICAL | 0 | 1 (superjson CVE-2022-23631) |
| HIGH | 12 | 15 |
| MEDIUM | 11 | 13 |
| LOW | 0 | 0 |
| **Total** | **23** | **29** |
### Historical Coverage Metadata
- **Tier reached**: Tier 1 (24 months) + Tier 2 expansion (all-time for pattern coverage)
- **Total advisories collected**: 29 (23 within 24 months, 6 older)
- **Severity distribution**: CRITICAL: 1, HIGH: 15, MEDIUM: 13, LOW: 0
- **Repository identity**: `Mike/Kordant` (resolved via **git remote** `git.freno.me:Mike/Kordant.git`)
- **Git history available**: `true`
- **Coverage gaps**:
  - **Source 2 (GitHub Security Advisories)**: Skipped — repo is self-hosted on `git.freno.me`, not on GitHub. No `gh api` queries possible.
  - **Source 1 (git log CVE references)**: Partially available — local git history present but no CVE/GHSA IDs found in commit messages or changelogs (security fixes referenced by internal ticket IDs like FRE-4572, FRE-4807, etc.).
  - **Source 5 (web search)**: Not executed — OSV + NVD provided sufficient coverage.
---
## Dependency Intelligence
### Key Dependencies & Risk Assessment
| Package | Version | Ecosystem | Risk Level | Reason |
|---------|---------|-----------|------------|--------|
| **vite** | 6.4.2 / 7.3.3 | npm | 🔴 CRITICAL | 14+ vulnerabilities in 24 months; persistent `server.fs.deny` bypass lineage. Dev server is exposed (port 3000). |
| **@trpc/server** | 10.45.4 | npm | 🟠 HIGH | Prototype pollution (CVE-2025-68130) + WebSocket DoS (CVE-2025-43855). Both CVSSv4 HIGH. |
| **drizzle-orm** | 0.45.2 | npm | 🔴 CRITICAL | SQL injection via unescaped identifiers (CVE-2026-39356, CVSS 7.5). Direct DB access layer. |
| **solid-js** | 1.9.13 | npm | 🟠 HIGH | XSS in JSX fragments (CVE-2025-27109, CVSS HIGH). Core rendering framework. |
| **valibot** | 0.29.0 | npm | 🟠 HIGH | ReDoS in EMOJI_REGEX (CVE-2025-66020, CVSS HIGH). Used for input validation. |
| **ws** | 8.21.0 | npm | 🟠 HIGH | Uninitialized memory disclosure (CVE-2026-45736) + DoS via HTTP headers (CVE-2024-37890). WebSocket transport. |
| **jose** | 5.10.0 | npm | 🟡 MEDIUM | Resource exhaustion via JWE (CVE-2024-28176, CVSS 5.3). JWT/crypto library. |
| **superjson** | 2.2.6 | npm | 🟠 HIGH | Prototype pollution → RCE (CVE-2022-23631, CVSS 10.0). Used in browser extension for tRPC serialization. |
| **puppeteer** | 25.0.4 | npm | 🟢 LOW | Old UAF (CVE-2019-5786) — patched in modern versions. Used for report generation. |
### High-Risk Patterns
1. **Vite `server.fs.deny` — The Recurring Bypass**
   - 8+ distinct CVEs (CVE-2023-34092, CVE-2024-23331, CVE-2024-31207, CVE-2024-45811/45812, CVE-2025-30208, CVE-2025-31125, CVE-2025-31486, CVE-2025-32395, CVE-2025-46565, CVE-2025-58751/58752, CVE-2025-62522, CVE-2026-39363/39364/39365)
   - **All** relate to `server.fs.deny` being bypassed via different techniques: queries, backslashes, `.svg`, `.map`, `/.`, `?import`, `?raw??`, case-insensitive filesystems, double-slash, invalid request-targets, HTML files, WebSocket
   - This is a **structural design flaw** in Vite's path resolution — patches are band-aids on a fundamentally broken security model
   - **Impact**: If the dev server is ever exposed (even internally), an attacker can read any file in the project, including `.env`, `docker-compose.yml`, source code, and database credentials
2. **tRPC + superjson — Prototype Pollution Chain**
   - superjson CVE-2022-23631 (CRITICAL) allows prototype pollution → RCE
   - @trpc/server CVE-2025-68130 (HIGH) allows prototype pollution via `experimental_nextAppDirCaller`
   - The browser extension uses superjson for tRPC serialization — if an attacker can inject malicious serialized data into the tRPC pipeline, prototype pollution could lead to remote code execution
   - **Impact**: If the tRPC endpoints accept untrusted serialized data, this could be a critical attack path
3. **Drizzle ORM — SQL Injection**
   - CVE-2026-39356 (CVSS 7.5) allows SQL injection via improperly escaped identifiers
   - Drizzle is the project's primary ORM — if any tRPC procedure passes user input into column/table names (not just values), injection is possible
   - **Impact**: Full database compromise — read, modify, or delete all user data
4. **SolidJS — XSS in JSX**
   - CVE-2025-27109 (HIGH) — HTML not escaped in JSX fragments
   - As the core rendering framework, any user-controlled data rendered in JSX fragments could be an XSS vector
   - **Impact**: Cross-site scripting in the web application
### Security-Related Configuration
From `.env.example` and `docker-compose.prod.yml`:
| Secret/Config | Risk |
|---------------|------|
| `JWT_SECRET` | Critical — if leaked, all auth tokens can be forged |
| `CLERK_SECRET_KEY` | High — Clerk admin key exposure |
| `STRIPE_SECRET_KEY` | High — payment API access |
| `STRIPE_WEBHOOK_SECRET` | High — webhook signature verification bypass |
| `DATABASE_AUTH_TOKEN` | High — Turso database access |
| `RESEND_API_KEY` | Medium — email sending abuse |
| `FCM_PRIVATE_KEY` | Medium — push notification abuse |
| `TWILIO_AUTH_TOKEN` | Medium — SMS API abuse |
| `HIBP_API_KEY` / `SECURITYTRAILS` / `CENSYS` / `SHODAN` | Medium — OSINT API abuse |
---
## Architecture Hints
### System Architecture (from README + codebase)
```
┌──────────────────────────────────────────────────────────────┐
│                           Clients                            │
│ Web (SolidStart) │ iOS (SwiftUI) │ Android (Compose) │ Ext   │
└────────────────────┬─────────────────────────────────────────┘
                     │ tRPC (HTTP/WS)
┌──────────────────────────────────────────────────────────────┐
│                      web/ (SolidStart)                       │
│                                                              │
│ Frontend: SolidStart + Tailwind v4                           │
│ Backend: tRPC routers (auth, user, billing, darkwatch,       │
│          voiceprint, spamshield, hometitle, removebrokers,   │
│          alerts, reports, notifications, correlation)        │
│ Background: BullMQ + Redis (ioredis) for job queues          │
│ WebSocket: ws@8.21.0 on port 3001                            │
│ Report generation: Puppeteer (headless browser)              │
│ Monitoring: Sentry (@sentry/solidstart)                      │
└────────────────────────┬─────────────────────────────────────┘
                ┌────────▼────────┐
                │ Turso (SQLite)  │
                │ + Redis 7       │
                └─────────────────┘
```
### Service Domains (5 core services)
| Domain | tRPC Router | Key Dependencies | Trust Boundary |
|--------|-------------|-----------------|----------------|
| **VoicePrint** | voiceprint | WebRTC, audio upload, ML inference | Internal — requires auth |
| **DarkWatch** | darkwatch | SecurityTrails, HIBP, Censys, Shodan | External API integrations |
| **SpamShield** | spamshield | Twilio, phone number analysis | External — SMS/call API |
| **HomeTitle** | hometitle | County deed record APIs | External — public data |
| **RemoveBrokers** | removebrokers | Data broker opt-out automation | External — broker APIs |
### Trust Boundaries
| Boundary | Description | Risk |
|----------|-------------|------|
| **Internet → Web** | tRPC endpoints over HTTP | tRPC auth middleware protects most procedures |
| **Web → Redis** | BullMQ job queue | Internal, but BullMQ has its own attack surface |
| **Web → Turso** | Database via Drizzle ORM | SQL injection risk (CVE-2026-39356) |
| **Web → External APIs** | SecurityTrails, HIBP, Twilio, Stripe | API key exposure, webhook spoofing |
| **Web → WebSocket** | Real-time alerts on port 3001 | DoS (ws CVE-2024-37890), memory disclosure (ws CVE-2026-45736) |
| **Web → Puppeteer** | Report generation | SSRF, path traversal via file input |
| **Browser Extension → tRPC** | tRPC + superjson serialization | Prototype pollution chain (superjson + tRPC) |
### Highest-Risk Flows (for Phase 3 DFD prioritization)
1. **tRPC → Drizzle ORM**: User input flows through tRPC procedures into SQL queries. If identifiers are interpolated from user input, SQL injection is possible (CVE-2026-39356).
2. **tRPC → superjson → browser extension**: Serialized data from tRPC responses flows through superjson deserialization. Prototype pollution (CVE-2022-23631) could affect the extension.
3. **WebSocket → ws**: Real-time alerts use the `ws` library. Memory disclosure (CVE-2026-45736) and DoS (CVE-2024-37890) affect this transport.
4. **Puppeteer → file system**: Report generation via Puppeteer could be exploited for path traversal if file paths are user-controlled.
5. **Vite dev server → file system**: If exposed (even on `localhost`), the dev server's `server.fs.deny` has been bypassed 14+ times. Any file in the project tree is readable.
---
## Coverage Gaps
### Sources Skipped
| Source | Status | Reason |
|--------|--------|--------|
| **Source 1: Project-hosted (git log CVE grep)** | ✅ Partial | Local git available. No CVE/GHSA IDs in commit messages or project files. Security fixes referenced by internal ticket IDs (FRE-XXXX) only. |
| **Source 2: GitHub Security Advisories (`gh api`)** | ❌ Skipped | Repository is self-hosted on `git.freno.me`, not on GitHub. No GitHub API access. |
| **Source 3: OSV API** | ✅ Complete | Queried all 26 primary npm packages. 10 packages with advisories found. |
| **Source 4: NVD REST API** | ✅ Partial | CVSS scores obtained for most advisories. Recent 2025-2026 CVEs have NVD scores assigned. |
| **Source 5: WebSearch** | ❌ Skipped | OSV + NVD provided full coverage. No additional advisories expected. |
### Notable Gaps
1. **No GitHub GHSA coverage**: Since the repo is not on GitHub, GitHub Security Advisories are not searchable. Any advisories published directly through GitHub's security advisory database (not via OSV) would be missed.
2. **Internal security remediation tracking**: Git log shows 8+ commits referencing internal security reviews (FRE-4572, FRE-4807, FRE-5003, FRE-4498, FRE-4500, etc.) with fixes for "auth bypass", "P1 security findings", "JWT security issues", and "VoicePrint auth bypass". These represent **real security vulnerabilities** in the project's own codebase, but their details are not publicly documented in CVE/GHSA format.
3. **Android/iOS app vulnerabilities**: Native mobile apps (iOS/SwiftUI, Android/Kotlin) are not covered by npm/OSV/NVD. Potential native-level vulnerabilities (certificate pinning, root detection, encrypted storage) are not assessed in this advisory pass.
4. **Infrastructure-as-code**: Dockerfile and docker-compose.prod.yml are not analyzed for container security vulnerabilities (base image CVEs, non-root user verification, etc.).
5. **Stripe integration**: No Stripe-specific CVEs found, but the integration uses `stripe-js` v9.6.0 and `stripe` v22.1.1. Stripe library security should be cross-referenced with Stripe's own advisory process.
---
## Audit Targeting Recommendations
Based on the advisory pattern analysis:
### Phase 3 DFD Prioritization
- **Drizzle ORM + tRPC procedures** — SQL injection vector (CVE-2026-39356). Map all 12+ tRPC routers for identifier injection.
- **WebSocket transport (ws)** — Memory disclosure + DoS (CVE-2026-45736, CVE-2024-37890). Map the real-time alert flow.
- **Vite dev server** — Path traversal lineage. Assess if dev server is exposed in any deployment.
### Phase 5 Deep Probe Entry Points
- **tRPC input validation** — User data flows through valibot (ReDoS risk) into tRPC into Drizzle (SQLi risk).
- **superjson deserialization** — Prototype pollution chain in browser extension.
- **Puppeteer report generation** — File path handling, SSRF potential.
- **WebSocket message handling** — Message size limits, frame parsing.
### Phase 10 Attack Mode Chambers
- **SQL Injection** (CWE-89) — Mandatory for all tRPC procedures touching Drizzle
- **Path Traversal** (CWE-22) — Mandatory for any file-path handling (Vite, Puppeteer)
- **Prototype Pollution** (CWE-1321) — Mandatory for superjson/tRPC serialization
- **ReDoS** (CWE-1333) — Mandatory for valibot input validation
- **XSS** (CWE-79) — Mandatory for SolidJS JSX rendering of user data
- **Resource Exhaustion** (CWE-770) — Mandatory for jose (JWE) and ws (HTTP headers)
### Patch-Bypass-Checker Structural Recurrence
- **Vite `server.fs.deny`** — 14+ distinct bypass techniques across versions. This is a structural-recurrence component. The entire path resolution model should be re-evaluated rather than applying piecemeal patches.