AI Security Review
scanned 3h ago · by lpm-firewall-aiAuthenticated SSO setup obtains a Label Studio JWT and stores it in a JavaScript-readable cookie. This is a concrete token-exposure risk, not evidence of malicious behavior.
Static reason
No blocking static signals were detected.
Trigger
An authenticated user requests `/label-studio/sso/setup` while SSO is configured.
Impact
A same-site script injection could read and reuse the SSO token until expiry.
Mechanism
Config-driven Label Studio API/SSO integration with a non-HttpOnly shared cookie.
Rationale
The package is not malicious by source inspection, but its explicit JavaScript-readable SSO token cookie is a real security weakness. Treat as a warning until the cookie is made HttpOnly or the exposure is otherwise justified and mitigated.
Evidence
package.jsondist-server/index.jsdist-server/route/label-studio-sso.jsdist-server/service/label-studio-sso-service.jsdist-server/utils/label-studio-api-client.jsdist-server/route.jsconfig/config.development.jsconfig/config.production.js
Network endpoints2
localhost:8080/api/sso/tokenlabel.hatiolab.localhost:8080
Decision evidence
public snapshotAI called this Suspicious at 90.0% confidence as Critical Vulnerability with low false-positive risk.
Evidence for warning
- `dist-server/route/label-studio-sso.js` sets the Label Studio JWT cookie with `httpOnly: false`.
- The same route shares that bearer-style SSO token across a configured cookie domain.
Evidence against
- `package.json` has no preinstall/install/postinstall hooks or bin entrypoint.
- Runtime imports register Koa routes and bootstrap logging only.
- Network calls target the operator-configured Label Studio URL using its configured API token.
- No child-process, shell, eval/vm, filesystem-write, payload-loading, or AI-agent-control writes found.
Behavioral surface
EnvironmentVarsNetwork
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcedist-server/route/label-studio-sso.jsView file
•Published source reference
Medium
Ai Review Evidence
`dist-server/route/label-studio-sso.js` sets the Label Studio JWT cookie with `httpOnly: false`.
dist-server/route/label-studio-sso.jsView on unpkgFindings
4 Medium3 Low
MediumNetwork
MediumEnvironment Vars
MediumAi Review Evidencedist-server/route/label-studio-sso.js
MediumAi Review Evidence
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings