registry  /  @valtimo/security  /  12.40.0

@valtimo/security@12.40.0

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No install-time or package-persistence attack surface is present. At application runtime, an HTTP error interceptor renders server-provided error fields as HTML in a toast.

Static reason
No blocking static signals were detected.
Trigger
A consuming Angular application receives an HTTP error response with attacker-controlled error content.
Impact
Potential client-side script injection in the consuming application.
Mechanism
Server-controlled error data passed to an HTML-enabled toast.
Rationale
The package is not malicious by source inspection, but it contains a concrete HTML-injection risk in its error-display path. Its remaining code is conventional Angular guards, interceptors, CSP setup, and configured API calls.
Evidence
package.jsonesm2022/lib/error/http-error.interceptor.mjsesm2022/lib/user-provider.service.mjsesm2022/lib/initializers/initialize-csp.mjsesm2022/lib/interceptors/zone-offset.interceptor.mjsfesm2022/valtimo-security.mjs

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Critical Vulnerability with low false-positive risk.
Evidence for warning
  • `HttpErrorInterceptor` builds messages from HTTP error fields and enables HTML rendering.
  • A crafted server error title/detail/message can reach the toast HTML sink.
Evidence against
  • `package.json` has no lifecycle scripts, bin, or install-time entrypoint.
  • No child-process, filesystem, dynamic-code, credential-harvesting, or exfiltration primitives found in `.mjs` files.
  • The only HTTP calls target a consumer-configured `valtimoApi.endpointUri` for notification settings.
Behavioral surface
SourceNo risky source behavior triggered.
Supply chain
UrlStrings
Manifest
CopyleftLicense
scanned 16 file(s), 93.2 KB of source, external domains: joinup.ec.europa.eu

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

2 Medium2 Low
MediumAi Review Evidence
MediumAi Review Evidence
LowUrl Strings
LowCopyleft License