registry  /  @claude-sessions/web  /  0.5.4

@claude-sessions/web@0.5.4

Web UI for Claude Code session management

AI Security Review

scanned 3h ago · by lpm-firewall-ai

The running web UI exposes an unauthenticated command-injection sink at `/api/open-file`. Its default server host is `0.0.0.0`, making network reachability possible when the port is exposed.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Send a POST request to `/api/open-file` after the user starts `claude-sessions-web`.
Impact
Remote command execution as the user running the web server; additional unauthenticated APIs can delete session data or stop the server.
Mechanism
Untrusted `filePath` is interpolated into a shell command passed to `child_process.exec`.
Rationale
This is a concrete critical runtime command-injection vulnerability, not evidence of malicious install-time behavior. Source inspection found no lifecycle hook, exfiltration, or foreign AI-agent control-surface mutation.
Evidence
package.jsondist/cli.jsbuild/index.jsbuild/server/chunks/entries/endpoints/api/open-file/_server.ts.js-DlHnselq.jsbuild/server/chunks/manifest.js-CpYsCwXz.jsbuild/server/chunks/entries/endpoints/api/shutdown/_server.ts.js-B3QgQkvz.js
Network endpoints4
0.0.0.0/api/open-file/api/shutdown/api/cleanup

Decision evidence

public snapshot
AI called this Suspicious at 99.0% confidence as Critical Vulnerability with low false-positive risk.
Evidence for warning
  • `/api/open-file` accepts arbitrary JSON `filePath`.
  • Endpoint interpolates `filePath` into `child_process.exec`.
  • A quote in `filePath` can terminate the shell-quoted argument.
  • Server defaults to host `0.0.0.0`; no auth hook was found.
  • Runtime also exposes unauthenticated destructive session/shutdown APIs.
Evidence against
  • `package.json` has no preinstall/install/postinstall hooks.
  • CLI only starts the bundled local web server.
  • No package code exfiltration or external network endpoint was found.
  • No AI-agent configuration mutation was found.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNativeBindingsNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 680 file(s), 20.1 MB of source, external domains: datatracker.ietf.org, github.com, html.spec.whatwg.org, jh3y.medium.com, my.site, svelte.dev, www.w3.org

Source & flagged code

5 flagged · loading source
build/client/_app/immutable/chunks/DZ92xsNj.jsView file
27${r.join(` L28: `)}`),super(o),this._tag=t,this.traces=r,this[jm]=fM,this.name=s,this.stack=a}pipe(){return Ue(this,arguments)}toString(){return this.stack}[jt](){return this.stack}}class hM exten... L29: `,e.forest),_k=(e,t)=>{let n="";const r=t.length;let i;for(let s=0;s<r;s++){i=t[s];const o=s===r-1;n+=e+(o?"└":"├")+"─ "+i.value,n+=_k(e+(r>1&&!o?"│ ":" "),i.forest)}return n},R...
Low
Eval

Package source references a known benign dynamic code generation pattern.

build/client/_app/immutable/chunks/DZ92xsNj.jsView on unpkg · L27
build/server/chunks/chunks/tsx.js-ChmZV8v1.jsView file
1const lang = Object.freeze(JSON.parse(`{"displayName":"TSX","name":"tsx","patterns":[{"include":"#directives"},{"include":"#statements"},{"include":"#shebang"}],"repository":{"acce... L2: const tsx = [
Medium
Dynamic Require

Package source references dynamic require/import behavior.

build/server/chunks/chunks/tsx.js-ChmZV8v1.jsView on unpkg · L1
build/client/_app/immutable/nodes/0.qqC0VZrZ.js.brView file
path = build/client/_app/immutable/nodes/0.qqC0VZrZ.js.br kind = high_entropy_blob sizeBytes = 5097 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

build/client/_app/immutable/nodes/0.qqC0VZrZ.js.brView on unpkg
path = build/client/_app/immutable/nodes/0.qqC0VZrZ.js.br kind = compressed_blob sizeBytes = 5097 magicHex = [redacted]
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.

build/client/_app/immutable/nodes/0.qqC0VZrZ.js.brView on unpkg
build/server/chunks/index.js-DMVmBfDO.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @claude-sessions/web@0.5.2 matchedIdentity = npm:QGNsYXVkZS1zZXNzaW9ucy93ZWI:0.5.2 similarity = 0.983 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

build/server/chunks/index.js-DMVmBfDO.jsView on unpkg

Findings

2 High6 Medium7 Low
HighShips High Entropy Blobbuild/client/_app/immutable/nodes/0.qqC0VZrZ.js.br
HighPrevious Version Dangerous Deltabuild/server/chunks/index.js-DMVmBfDO.js
MediumDynamic Requirebuild/server/chunks/chunks/tsx.js-ChmZV8v1.js
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumShips Compressed Blobbuild/client/_app/immutable/nodes/0.qqC0VZrZ.js.br
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvalbuild/client/_app/immutable/chunks/DZ92xsNj.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings