Parent tracker for the confirmed findings of a multi-agent security audit of the Node + Vue stacks (auth / authz / identity, config env-gating, input handling, supply chain). Each finding was adversarially verified (two independent skeptics plus a tiebreak per finding); 19 confirmed out of 36 raw candidates. Refuted candidates (uploads IDOR, multer MIME/size guards, JWT-cookie `Secure` flag, path-to-regexp ReDoS, stale `.snyk` files) are intentionally not filed.

## Sub-issues

- S1 (Node): OAuth callback trusts client-asserted identity → pre-auth account takeover · critical
- S2 (Node): Mass assignment on signup (`emailVerified` / `providerData` client-settable) · high
- S3 (Node): Org self-join via shadowed `Organization` policy subject · high
- S4 (Node): Production env-gate defect class: error leak + swagger / mongoose-debug / rate-limiter defaults · medium + low
- S5 (Node): Hardening bundle: login timing oracle, `sharp` resize DoS, dependabot auto-merge, prod deps · low
- S6 (Vue): Hardening bundle: reverse tabnabbing, href scheme, console credential logging, security headers, `npm ci`, stale deploy key · low

Sibling epic: #3804 (Auth & session hardening). Related: #3825 (email-change `emailVerified` reset), #3833 (invitations scoping).

Each sub-issue ships through the normal stack flow (`/feature` → `/verify` → PR). Order: S1 → S2 → S3 first (server-side trust boundaries), then S4, then S5 / S6.

Created via `/dev:issue`