Skip to content

Security Scan: Vulnerabilities detected by ansede-static #415

Description

@mattybellx

Security Findings — nodegoat

Hi maintainers!

An automated scan of this repository using ansede-static (a free, open-source, zero-dependency SAST engine scanning 8 languages) identified the following potential security vulnerabilities:


Summary

Severity Count
Critical 1
High 2

Findings

1. CWE-95: Code injection via eval() at line 33 [+9 related]

Detail Value
Rule JS-004
CWE CWE-95
Severity CRITICAL
Confidence 1.00
File C:\Users\matth\OneDrive\Desktop\ansede-static-focus\tmp\clones\nodegoat\app\routes\contributions.js:33
Analysis incident-cluster

Description: CWE-95: Code injection via eval() at line 33 [+9 related]

Recommendation: N/A


2. CWE-601: Open redirect via tainted variable at line 72 [+1 related]

Detail Value
Rule JS-039
CWE CWE-601
Severity HIGH
Confidence 1.00
File C:\Users\matth\OneDrive\Desktop\ansede-static-focus\tmp\clones\nodegoat\app\routes\index.js:72
Analysis incident-cluster

Description: CWE-601: Open redirect via tainted variable at line 72 [+1 related]

Recommendation: N/A


3. CWE-918: SSRF via tainted variable at line 16

Detail Value
Rule JS-040
CWE CWE-918
Severity HIGH
Confidence 0.96
File C:\Users\matth\OneDrive\Desktop\ansede-static-focus\tmp\clones\nodegoat\app\routes\research.js:16
Analysis syntax-ast

Description: CWE-918: SSRF via tainted variable at line 16

Recommendation: N/A


About ansede-static

ansede-static is a free, open-source, zero-dependency SAST engine that scans code for security vulnerabilities across 7 languages (Python, JavaScript, TypeScript, Java, C#, Go, Ruby, PHP).

To reproduce: pip install ansede-static && ansede-static /path/to/repo


This is an automated responsible disclosure notification generated by ansede-static v2.3.0-dev. Please review the findings above at your earliest convenience.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions