AI Security Review
scanned 3h ago · by lpm-firewall-aiNo install-time or package-persistence attack surface is present. At application runtime, an HTTP error interceptor renders server-provided error fields as HTML in a toast.
Static reason
No blocking static signals were detected.
Trigger
A consuming Angular application receives an HTTP error response with attacker-controlled error content.
Impact
Potential client-side script injection in the consuming application.
Mechanism
Server-controlled error data passed to an HTML-enabled toast.
Rationale
The package is not malicious by source inspection, but it contains a concrete HTML-injection risk in its error-display path. Its remaining code is conventional Angular guards, interceptors, CSP setup, and configured API calls.
Evidence
package.jsonesm2022/lib/error/http-error.interceptor.mjsesm2022/lib/user-provider.service.mjsesm2022/lib/initializers/initialize-csp.mjsesm2022/lib/interceptors/zone-offset.interceptor.mjsfesm2022/valtimo-security.mjs
Decision evidence
public snapshotAI called this Suspicious at 88.0% confidence as Critical Vulnerability with low false-positive risk.
Evidence for warning
- `HttpErrorInterceptor` builds messages from HTTP error fields and enables HTML rendering.
- A crafted server error title/detail/message can reach the toast HTML sink.
Evidence against
- `package.json` has no lifecycle scripts, bin, or install-time entrypoint.
- No child-process, filesystem, dynamic-code, credential-harvesting, or exfiltration primitives found in `.mjs` files.
- The only HTTP calls target a consumer-configured `valtimoApi.endpointUri` for notification settings.
Behavioral surface
UrlStrings
CopyleftLicense
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
2 Medium2 Low
MediumAi Review Evidence
MediumAi Review Evidence
LowUrl Strings
LowCopyleft License