registry  /  @ottocode/server  /  0.1.355

@ottocode/server@0.1.355

HTTP API server for ottocode

AI Security Review

scanned 2h ago · by lpm-firewall-ai

The runtime server exposes unauthenticated local API routes. Its permissive CORS and private-network response header permit an arbitrary web origin to call those routes, including terminal creation.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
A victim visits a malicious website while an Ottocode server using this app is running on localhost.
Impact
Remote website can execute commands with the local server user's privileges.
Mechanism
Cross-origin localhost API access leading to arbitrary terminal command execution.
Rationale
Source inspection confirms a critical runtime access-control flaw that exposes command execution, but no malicious install-time behavior or covert payload was found. Downgrade to warn as a critical vulnerability rather than publish-blocking malware.
Evidence
package.jsonsrc/index.tssrc/tunnel-auth.tssrc/routes/terminals.tssrc/routes/terminals/service.ts

Decision evidence

public snapshot
AI called this Suspicious at 94.0% confidence as Critical Vulnerability with low false-positive risk.
Evidence for warning
  • `src/index.ts` reflects every Origin while enabling credentials and private-network access.
  • `src/tunnel-auth.ts` bypasses authentication for all non-tunneled localhost requests.
  • `src/routes/terminals/service.ts` accepts caller-controlled command, args, and cwd to create a terminal.
  • A browser-originated request can reach the unauthenticated terminal API when the local server is running.
Evidence against
  • `package.json` contains no preinstall, install, or postinstall lifecycle hooks.
  • No source evidence shows covert credential harvesting, exfiltration, or stealth persistence.
  • Terminal and agent-server features appear aligned with the package's stated HTTP-server purpose.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 422 file(s), 1.38 MB of source, external domains: 127.0.0.1, api.anthropic.com, api.github.com, api.githubcopilot.com, api.kimi.com, api.ottorouter.org, api.share.ottocode.io, attacker.test, chatgpt.com, cli-chat-proxy.grok.com, github.com, huggingface.co, ollama.com

Source & flagged code

1 flagged · loading source
src/runtime/context/references.tsView file
matchType = previous_version_dangerous_delta matchedPackage = @ottocode/server@0.1.354 matchedIdentity = npm:QG90dG9jb2RlL3NlcnZlcg:0.1.354 similarity = 0.925 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

src/runtime/context/references.tsView on unpkg

Findings

1 High2 Medium5 Low
HighPrevious Version Dangerous Deltasrc/runtime/context/references.ts
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License