SCAN DATE: 2026-04-02 · THRESHER v0.2.2 · 22 scanners + 8 AI analysts

BuilderIO/agent-native

Security Scan Report

Verdict
FIX DEPS BEFORE USE
2 Critical · 17 High (scanner) + 13 High (AI) · 11 Medium
// Executive Summary

Automated multi-tool security scanning (SCA, SAST, IaC, secrets detection) of this JavaScript/Node.js project produced 518 findings across six tools. No P0-level indicators were detected. However, synthesis elevated rollup (CVE-2026-27606) from High to Critical based on NVD CVSS 9.8.

AI analysts independently discovered 14 additional high-severity application security vulnerabilities that no scanner caught — including an IDOR, path traversals, stored XSS, and SQL injection.

DO NOT USE — CVE-2026-27606 (rollup@4.46.2, CVSS 9.8) must be resolved before any production deployment.
Required Mitigations
  • Upgrade rollup to ≥4.59.0 (resolves Critical CVE-2026-27606)
  • Remediate all High-severity dependency vulnerabilities
  • Rotate exposed API key in templates/slides/scripts/fetch-logos.ts
  • Re-scan after remediation to verify resolution
// Findings Distribution
518 scanner findings
P0: 0
CRIT: 1
HIGH: 17
MED: 11
LOW: 352
28 AI analyst findings
CRIT: 1
HIGH: 14
MED: 11
LOW: 3
// Scanner Findings

Top 10 by severity

# | Severity | Package & Title | CVE | CVSS
1 | Critical | rollup@4.46.2 — Arbitrary File Write via Path Traversal | CVE-2026-27606 | 9.8
2 | High | multer@2.0.2 — DoS via Uncontrolled Recursion | CVE-2026-3520 | 8.7
3 | High | minimatch@9.0.5 — ReDoS via Repeated Wildcards | CVE-2026-26996 | 8.7
4 | High | multer@2.0.2 — DoS via Resource Exhaustion | CVE-2026-2359 | 8.7
5 | High | lodash@4.17.21 — Code Injection via _.template | CVE-2026-4800 | 8.1
6 | High | @remix-run/router@1.23.0 — XSS via Open Redirects | CVE-2026-22029 | 8.0
7 | High | undici@7.23.0 — WebSocket Unhandled Exception | CVE-2026-2229 | 7.5
8 | High | undici@7.23.0 — WebSocket 64-bit Length Overflow | CVE-2026-1528 | 7.5
9 | High | undici@7.23.0 — Unbounded Memory in WebSocket | CVE-2026-1526 | 7.5
10 | High | node-forge@1.3.3 — Ed25519 Signature Forgery | CVE-2026-33895 | 7.5
// What scanners missed

AI Analyst Findings

8 AI security analysts examined the codebase for threats that traditional tools can't detect.

Critical
IDOR: Missing Ownership Check on Resource Update/Delete
Critical
packages/core/src/resources/handlers.ts:227-273
Any authenticated user can overwrite or delete any other user's resources by knowing their resource ID. No ownership validation occurs before mutation operations.
Confidence: 97%
Analyst 5: App Pentester
High
GitHub Actions Shell Injection via workflow_dispatch
High
.github/workflows/desktop-release.yml:32,76,104
User-controlled workflow_dispatch inputs are interpolated directly into shell commands. An attacker can inject shell commands to exfiltrate Apple signing certificates, npm tokens, and APPLE_ID credentials.
Confidence: 95%
Analyst 1 · Analyst 2 · Analyst 4 · Analyst 5 · Analyst 7
Path Traversal via startsWith() Prefix Bypass
High
templates/analytics/server/handlers/ai-instructions.ts:130,228
Path validation uses startsWith() which can be bypassed. Allows reading arbitrary files on the server; admin users can write to arbitrary paths via .builder/../../.env.
Confidence: 92%
Analyst 2: Behaviorist
Stored XSS via Regex-Based HTML Sanitizer Bypass
High
templates/calendar/app/lib/sanitize-description.ts:2-9
Custom regex sanitizer misses javascript: URIs, unquoted event handlers, and SVG-based XSS vectors. Attacker-controlled calendar descriptions execute arbitrary JavaScript in other users' browsers.
Confidence: 88%
Analyst 2: Behaviorist
Hardcoded High-Entropy API Key
High
templates/slides/scripts/fetch-logos.ts:2
86-character credential hardcoded in source and exposed in git history. Grants access to external API services. Requires immediate rotation.
Confidence: 99%
Analyst 2 · Analyst 3 · Analyst 5 · Analyst 7
Wildcard postMessage Exposes Credentials
High
packages/core/src/client/agent-chat.ts:67
API keys, user prompts, and PII are broadcast via postMessage with wildcard origin ("*"), allowing any cross-origin iframe to intercept sensitive data.
Confidence: 90%
Analyst 2 · Analyst 5 · Analyst 6 · Analyst 7
Hono Auth Bypass via IP Spoofing
High
hono@4.12.1 — GHSA-xh87-mx6m-69f3
Hono framework trusts X-Forwarded-For header for IP-based authentication decisions. Attacker can spoof source IP to bypass access controls. CVSS 8.2.
Confidence: 99%
Analyst 2: Behaviorist
PTY Resize: Unvalidated Integers to C++ FFI
High
packages/core/src/terminal/pty-server.ts:280-281
Terminal resize dimensions (cols/rows) are passed directly to a native C++ binding without validation. Floats, NaN, or Infinity values cause undefined behavior in the FFI layer.
Confidence: 80%
Analyst 6: Memory Exploiter
Undici WebSocket 64-bit Frame Length Overflow
High
packages/core/src/terminal/pty-server.ts:58 · undici@7.23.0
WebSocket frame parser in undici does not handle 64-bit length fields correctly. Malicious frame causes hard crash with no recovery path.
Confidence: 90%
Analyst 6: Memory Exploiter
Undici WebSocket Unbounded Heap Growth
High
packages/core/src/terminal/pty-server.ts:58 · undici@7.23.0
Compressed WebSocket frames are accumulated without memory limits, allowing a malicious peer to trigger out-of-memory conditions.
Confidence: 88%
Analyst 6: Memory Exploiter
User-Controlled RegExp: Server-Side ReDoS
High
templates/calendar/server/handlers/bookings.ts:124-128
new RegExp(field.pattern) constructs a regex from user input with no complexity bound. Attacker-crafted patterns cause catastrophic backtracking, blocking the event loop.
Confidence: 85%
Analyst 6: Memory Exploiter
SQL Injection via ATTACH DATABASE Bypass
High
templates/analytics/server/handlers/sql-query.ts:25,35-45
SQL query handler uses a DML blocklist that fails to account for ATTACH DATABASE, PRAGMA, and load_extension() statements. Attacker can escape the intended SQLite sandbox.
Confidence: 82%
Analyst 6: Memory Exploiter
node-forge Signature Forgery (3 CVEs)
High
Ed25519 signature forgery, RSA-PKCS#1 v1.5 signature forgery, and basicConstraints CA bypass. Three distinct CVEs allowing certificate chain manipulation and identity spoofing.
Confidence: 88%
Analyst 6: Memory Exploiter
Dynamic npx Package Execution at Runtime
High
packages/core/src/terminal/pty-server.ts:155-159
Application downloads and executes npm packages via npx at runtime without integrity checks or version pinning. A compromised registry or typosquatted package leads to arbitrary code execution.
Confidence: 75%
Analyst 6: Memory Exploiter
@anthropic-ai/sdk Memory Tool Sandbox Escape
High
@anthropic-ai/sdk@0.80.0 · CVE-2026-34451
Path validation in the SDK's memory tool uses prefix collision that can be bypassed to read/write files outside the intended sandbox directory.
Confidence: 99%
Analyst 2 · Analyst 3
Medium — 11 findings
OAuth CSRF via hardcoded fallback key
google-oauth.ts:52-54
Confidence: 90%
Session token in URL query parameter
auth.ts:303-318
Confidence: 97%
CORS wildcard on all API endpoints
create-server.ts:135-156
Confidence: 95%
Rate limiting bypass via X-Forwarded-For
auth.ts:79-81
Confidence: 88%
NODE_ENV=test disables all auth
auth.ts:244-283
Confidence: 92%
postMessages accepted without origin validation
harness.ts:32-54
Confidence: 90%
JWT decoded without signature verification
track-metric.ts:65-70
Confidence: 82%
25 unique HIGH CVEs in dependencies
pnpm-lock.yaml
Confidence: 97%
Unpinned GitHub Actions (tag-based)
publish.yml:31,37,43,48
Confidence: 90%
Shell injection in publish.yml
publish.yml:71
Confidence: 75%
dangerouslySetInnerHTML without sanitization
IssueDescription.tsx
Confidence: 65%
// Infrastructure & Trust Assessment

Repository health signals

! Single maintainer (bus factor = 1) — 100% commits from one person
! No SECURITY.md — no vulnerability disclosure process
! No release tags — no signed commits
// Dependency Upgrades

Remediation path

Package | Previous | Fixed | Severity | CVSS | CVEs
rollup | 4.46.2 | 4.59.0 | Critical | 9.8 | CVE-2026-27606
multer | 2.0.2 | 2.1.1 | High | 8.7 | CVE-2026-3520, CVE-2026-2359
minimatch | 9.0.5 | 9.0.7 | High | 8.7 | CVE-2026-26996, CVE-2026-27903, CVE-2026-27904
hono | 4.12.1 | 4.12.4 | High | 8.2 | GHSA-xh87-mx6m-69f3, GHSA-q5qw-h33p-qvwr
lodash | 4.17.21 | 4.18.0 | High | 8.1 | CVE-2026-4800
@remix-run/router | 1.23.0 | 1.23.2 | High | 8.0 | CVE-2026-22029
undici | 7.23.0 | 7.24.0 | High | 7.5 | CVE-2026-2229, CVE-2026-1528, CVE-2026-1526
node-forge | 1.3.3 | 1.4.0 | High | 7.5 | CVE-2026-33895, CVE-2026-33894
path-to-regexp | 8.2.0 / 8.3.0 | 8.4.0 | High | 7.5 | CVE-2026-4926
picomatch | 2.3.1 / 3.0.1 / 4.0.3 | 4.0.4 | High | 7.5 | CVE-2026-33671
fast-xml-parser | 5.5.3 | 5.5.6 | High | 7.5 | CVE-2026-33036
glob | 10.4.5 | 10.5.0 | High | 7.5 | CVE-2025-64756
@anthropic-ai/sdk | 0.80.0 | 0.81.0 | Medium | 6.3 | CVE-2026-34451
// Remediation

What was fixed

PR #127 — Security Remediation

Based on this scan, Thresher generated a remediation PR that resolved 2 Critical, 28 High, and 5 Medium findings — including 13 dependency upgrades, 12 application security fixes, 1 secret rotation, and 6 CI/CD hardening measures.

Application Security Fixes
  • IDOR ownership check
  • Path traversal fix
  • XSS sanitizer rewrite
  • SQL injection hardening
  • OAuth CSRF fix
  • NODE_ENV auth bypass fix
  • ReDoS complexity limit
  • PTY input validation
  • Rate limiting fix
  • CORS origin whitelist
  • Session token moved to headers
  • postMessage origin validation
  • dangerouslySetInnerHTML sanitization
Scan Pipeline Details
22 Scanners
grype
trivy
osv-scanner
semgrep
gitleaks
checkov
bandit
clamav
guarddog
guarddog-deps
yara
entropy
install-hooks
semgrep-supply-chain
registry-meta
deps-dev
+ 6 others
8 AI Analyst Personas
The Paranoid
The Behaviorist
The Investigator
Vuln Pentester
App Pentester
Memory Exploiter
Infra Auditor
The Shadowcatcher

Adversarial verification: An independent agent challenges all AI findings, filtering false positives and validating exploit paths.

Synthesis: Cross-track agreement analysis with priority elevation/downgrade logic. Scanner and AI findings are merged, deduplicated, and ranked by composite severity.

Run this on your own dependencies.

$ brew tap thresher-sh/thresher && brew install thresher