
Security audit — 2026-06-19 #68

Open

versila22 wants to merge 1 commit into main from security-audit-2026-06-19

Conversation

@versila22 (Owner)

Summary

  • C=0 H=4 M=4 L=1 Info=1 new findings
  • Critical issue: hardcoded plaintext admin password (Admin1234!) in seed data committed to repo
  • Unauthenticated /health/db endpoint leaks DB URL prefix (host/user/partial password)
  • User enumeration via distinct login error messages
  • 4 High-severity npm dependencies with known CVEs (serialize-javascript RCE, undici TLS bypass, fast-uri path traversal)

Top 3 fixes

  1. Hardcoded seed passwords — replace with env vars or generated one-time tokens; never commit plaintext creds, especially for admin@lima-impro.fr
  2. Unauthenticated health endpoints — add require_admin dependency to /health/db and /health/migrations in main.py
  3. User enumeration — unify login error to a single "Identifiants invalides." message regardless of whether email is absent or password is wrong

Test plan

  • Verify admin seed password is not in use on production DB, or rotated immediately
  • Confirm /health/db returns 401/403 for unauthenticated requests after fix
  • Verify login returns identical error for unknown email vs wrong password
  • Run npm audit fix and review breaking changes for serialize-javascript, undici, fast-uri
  • Manually verify security headers on live URL (DAST was blocked by CDN in this run)

🤖 Generated with Claude Code


Generated by Claude Code

…-05-29)

No prior reports to clean up (first run).
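The three top fixes listed in the PR body, worked through as an added stand-alone Python example; this is not code from the audit PR or from the project itself. It assumes an in-memory user store, PBKDF2-HMAC-SHA256 password hashing, a bearer-token session table and an environment variable named SEED_ADMIN_PASSWORD, none of which the audit describes, and the framework route and dependency plumbing is left out so the check logic runs by itself. The sample DB URL is constructed.

```python
import hashlib
import hmac
import os
import secrets
from urllib.parse import urlsplit

PBKDF2_ROUNDS = 100_000          # assumed work factor; tune to the deployment

# Constructed in-memory stores standing in for the project's DB; not its schema.
USERS = {}                        # email -> {"salt": bytes, "hash": bytes, "is_admin": bool}
SESSIONS = {}                     # bearer token -> email


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt; returns (salt, digest)."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


# Hash of a throwaway value, verified for unknown emails so a missing account
# costs the same time as a wrong password (closes the timing side of enumeration).
_DUMMY_SALT, _DUMMY_HASH = hash_password(secrets.token_urlsafe(16))


def create_user(email, password, is_admin=False):
    salt, digest = hash_password(password)
    USERS[email] = {"salt": salt, "hash": digest, "is_admin": is_admin}


def seed_admin(email, env=None):
    """Fix 1: the seed never carries a literal password. It is read from the
    SEED_ADMIN_PASSWORD variable (assumed name) or generated once at seed time;
    the caller shows it to the operator and it must be rotated after first login."""
    env = os.environ if env is None else env
    password = env.get("SEED_ADMIN_PASSWORD") or secrets.token_urlsafe(24)
    create_user(email, password, is_admin=True)
    return password


LOGIN_ERROR = "Identifiants invalides."


def login(email, password):
    """Fix 3: one message and one code path whether the email is unknown or the password is wrong."""
    user = USERS.get(email)
    salt, expected = (user["salt"], user["hash"]) if user else (_DUMMY_SALT, _DUMMY_HASH)
    _, actual = hash_password(password, salt)
    valid = hmac.compare_digest(actual, expected)
    if user is None or not valid:
        return {"status": 401, "error": LOGIN_ERROR}
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = email
    return {"status": 200, "token": token}


def require_admin(token):
    """Returns None when the token belongs to an admin, otherwise the HTTP status to send."""
    email = SESSIONS.get(token)
    if email is None:
        return 401
    if not USERS[email]["is_admin"]:
        return 403
    return None


def health_db(token=None, db_url="postgresql://app:s3cret@db.internal:5432/app"):
    """Fix 2: /health/db sits behind require_admin, and even then only scheme and host
    are reported, never the userinfo part of the URL. The db_url default is a constructed sample."""
    status = require_admin(token)
    if status is not None:
        return {"status": status, "error": "forbidden"}
    parts = urlsplit(db_url)
    return {"status": 200, "db": {"scheme": parts.scheme, "host": parts.hostname}}
```

Two points the PR text does not spell out: a unified error message alone still leaks accounts if the unknown-email branch returns faster than the wrong-password branch, which is why `login` always runs a PBKDF2 verification; and the health endpoint should not echo the connection string even to admins, since the test plan's 401/403 check says nothing about what the 200 body contains.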