registry  /  homebridge-smartthings-km81  /  1.8.25

homebridge-smartthings-km81@1.8.25

Unified Homebridge plugin for Samsung devices via SmartThings (legacy AC over TLSv1, modern AC, washer/dryer with notification sensors).

AI Security Review

scanned 3h ago · by lpm-firewall-ai

At runtime, the plugin starts an unauthenticated HTTP server on port 8999 for OAuth/webhook handling. Any POST carrying a SmartThings-shaped confirmation object can make it issue an outbound HTTPS request to an attacker-selected URL.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
A network client sends a POST request to the running OAuth server.
Impact
An attacker able to reach port 8999 may use the Homebridge host for HTTPS requests to reachable destinations.
Mechanism
Unauthenticated webhook confirmation URL fetch (SSRF).
Rationale
The package is not malicious by source inspection, but its unauthenticated webhook confirmation fetch creates a concrete runtime SSRF risk. The bundled TLS key and disabled verification are security concerns aligned with its legacy-device protocol, not evidence of an attack chain.
Evidence
package.jsonindex.jslib/auth/OAuthServer.jslib/api/SmartThingsClient.jslib/api/LegacyACClient.jslib/accessories/LegacyAC.jscert/cert.pem
Network endpoints3
api.smartthings.com/v1api.smartthings.com/oauth/tokenapi.smartthings.com/oauth/authorize

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Critical Vulnerability with low false-positive risk.
Evidence for warning
  • lib/auth/OAuthServer.js accepts any POST confirmationUrl and calls https.get on it.
  • OAuth server listens on port 8999 without authentication or source validation.
  • cert/cert.pem bundles a private key and client certificate material.
  • lib/api/LegacyACClient.js disables TLS certificate verification for legacy AC traffic.
Evidence against
  • package.json has no preinstall, install, postinstall, or bin hooks.
  • Network calls otherwise target SmartThings OAuth/API or configured local legacy-AC IPs.
  • Token reads/writes stay in Homebridge's persistPath with mode 0600.
  • No child_process, eval/vm, dynamic loading, environment harvesting, or AI-agent control-surface writes found.
  • LegacyAC.js implements device-control and state logic; the flagged new file is package-aligned.
Behavioral surface
Source
CryptoFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 7 file(s), 139 KB of source, external domains: api.smartthings.com

Source & flagged code

3 flagged · loading source
cert/cert.pemView file
5patternName = private_key_rsa severity = critical line = 5 matchedText = -----BEG...----
Critical
Critical Secret

Package contains a critical-looking secret pattern.

cert/cert.pemView on unpkg · L5
5patternName = private_key_rsa severity = critical line = 5 matchedText = -----BEG...----
Critical
Secret Pattern

RSA private key in cert/cert.pem

cert/cert.pemView on unpkg · L5
lib/accessories/LegacyAC.jsView file
matchType = previous_version_dangerous_delta matchedPackage = homebridge-smartthings-km81@1.8.23 matchedIdentity = npm:[redacted]:1.8.23 similarity = 0.571 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

lib/accessories/LegacyAC.jsView on unpkg

Findings

2 Critical1 High1 Medium3 Low
CriticalCritical Secretcert/cert.pem
CriticalSecret Patterncert/cert.pem
HighPrevious Version Dangerous Deltalib/accessories/LegacyAC.js
MediumNetwork
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings