• Joined on 2026-04-12
Hartmut closed issue Hartmut/Nexus#58 2026-04-17 09:30:58 +02:00
Security [MEDIUM]: Dependency CVEs — upgrade dompurify, vite/esbuild, brace-expansion
Hartmut commented on issue Hartmut/Nexus#58 2026-04-17 09:30:57 +02:00
Security [MEDIUM]: Dependency CVEs — upgrade dompurify, vite/esbuild, brace-expansion

Acceptance criteria met. pnpm audit --audit-level=moderate on main:

1 vulnerabilities found
Severity: 1 moderate

Resolved upgrades (main commit 534945f):

  • dompurify → 3.3.4+…
Hartmut commented on issue Hartmut/Nexus#46 2026-04-17 09:29:43 +02:00
Security [HIGH]: Pino logger has no redact paths — passwords/tokens logged cleartext

Resolved across two commits, covering both the stdout logger and the DB audit path.

Layer A — pino stdout redact (main commit 534945f, verified at packages/api/src/lib/logger.ts:8-40): Reda…

Hartmut closed issue Hartmut/Nexus#46 2026-04-17 09:29:43 +02:00
Security [HIGH]: Pino logger has no redact paths — passwords/tokens logged cleartext
Hartmut commented on issue Hartmut/Nexus#43 2026-04-17 09:29:25 +02:00
Security [HIGH]: MFA TOTP replay-race + missing backup codes

Part 1 — TOTP replay race — resolved in commit 3222bec (security: atomic compare-and-swap for TOTP replay window).

  • New helper packages/api/src/lib/totp-consume.ts::consumeTotpWindow()
Hartmut closed issue Hartmut/Nexus#43 2026-04-17 09:29:25 +02:00
Security [HIGH]: MFA TOTP replay-race + missing backup codes
Hartmut closed issue Hartmut/Nexus#49 2026-04-17 09:29:06 +02:00
Security [HIGH]: SSRF guard misses IPv6 private ranges + webhook dispatcher lacks DNS-rebind protection
Hartmut closed issue Hartmut/Nexus#45 2026-04-17 09:29:05 +02:00
Security [HIGH]: CSP wildcards (*.openai.com, *.azure.com), unsafe-inline styles, SVG routes skip CSP
Hartmut commented on issue Hartmut/Nexus#48 2026-04-17 09:29:05 +02:00
Security [HIGH]: Resource.dynamicFields JSONB merge accepts attacker-controlled keys + unbounded metadata

Resolved in commit c0c5f76 (security: bound JSONB inputs + whitelist batchUpdateCustomFields keys). Resource.dynamicFields merge now goes through a whitelist of known keys; attacker-controlled…

Hartmut closed issue Hartmut/Nexus#48 2026-04-17 09:29:05 +02:00
Security [HIGH]: Resource.dynamicFields JSONB merge accepts attacker-controlled keys + unbounded metadata
Hartmut commented on issue Hartmut/Nexus#49 2026-04-17 09:29:05 +02:00
Security [HIGH]: SSRF guard misses IPv6 private ranges + webhook dispatcher lacks DNS-rebind protection

Resolved in commit 4ff7bc9 (security: SSRF guard covers IPv6 + DNS-rebind defence via pinned IP).

SSRF-guard (packages/api/src/lib/ssrf-guard.ts) — blocks full IPv4 private space…

Hartmut closed issue Hartmut/Nexus#42 2026-04-17 09:29:04 +02:00
Security [HIGH]: E2E_TEST_MODE bypass must fail-fast in production
Hartmut commented on issue Hartmut/Nexus#44 2026-04-17 09:29:04 +02:00
Security [HIGH]: API middleware default-allows /api/* — new routes inherit public access

Resolved in commit b32160d (security: default-deny /api middleware allowlist). The web app middleware now allowlists known public /api/* routes; new routes default to auth-required.

Hartmut closed issue Hartmut/Nexus#44 2026-04-17 09:29:04 +02:00
Security [HIGH]: API middleware default-allows /api/* — new routes inherit public access
Hartmut commented on issue Hartmut/Nexus#45 2026-04-17 09:29:04 +02:00
Security [HIGH]: CSP wildcards (*.openai.com, *.azure.com), unsafe-inline styles, SVG routes skip CSP

Resolved in commit d1075af (security: tighten CSP — drop provider wildcards, add object/frame/worker-src).

apps/web/src/middleware.ts::buildCsp() now returns:

  • connect-src 'self' (was…
Hartmut commented on issue Hartmut/Nexus#40 2026-04-17 09:29:03 +02:00
Security [HIGH]: Login timing attack enables user-email enumeration

Resolved in commit 0303063 (security: constant-time authorize + uniform audit summaries). Authorize path now runs Argon2 verify against a dummy hash when the user is missing, and audit summaries…

Hartmut closed issue Hartmut/Nexus#40 2026-04-17 09:29:03 +02:00
Security [HIGH]: Login timing attack enables user-email enumeration
Hartmut commented on issue Hartmut/Nexus#41 2026-04-17 09:29:03 +02:00
Security [HIGH]: Session/Cookie hardening — Secure flag, concurrent-session enforcement, JTI exposure

Resolved in commit d45cc00 (security: cookie + session hardening). Secure flag enforced in prod, concurrent-session cap implemented, JTI no longer surfaced in responses.

Hartmut closed issue Hartmut/Nexus#41 2026-04-17 09:29:03 +02:00
Security [HIGH]: Session/Cookie hardening — Secure flag, concurrent-session enforcement, JTI exposure
Hartmut commented on issue Hartmut/Nexus#42 2026-04-17 09:29:03 +02:00
Security [HIGH]: E2E_TEST_MODE bypass must fail-fast in production

Resolved in commit 93a7fba (security: fail-fast dev-bypass flag in production). The auth bootstrap throws at startup if E2E_TEST_MODE=1 is set while NODE_ENV=production.