registry  /  iobroker.aura  /  0.18.5

iobroker.aura@0.18.5

Modern visualization dashboard for ioBroker

AI Security Review

scanned 2d ago · by lpm-firewall-ai

Runtime HTTP(S)/WebSocket proxy endpoints accept caller-supplied destinations. This creates an SSRF-style capability and disables TLS validation in the web-extension proxy, but no malicious exfiltration or payload chain is present.

Static reason
No blocking static signals were detected.
Trigger
A user or reachable client requests `/proxy` or `/aura/proxy` with a target URL; adapter messages can request an adapter upgrade.
Impact
May reach network services accessible from the ioBroker host or invoke a validated adapter upgrade through the host controller.
Mechanism
User-directed proxying and ioBroker host command forwarding.
Rationale
Source inspection does not establish malicious behavior, but the exposed arbitrary proxy and host upgrade capability are meaningful unresolved security risks. Downgrade to warn rather than block.
Evidence
package.jsonmain.jslib/webExtension.jswww/assets/echarts-Cv-_nZ52.js

Decision evidence

public snapshot
AI called this Suspicious at 85.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `main.js` exposes `/proxy` for arbitrary `http:`/`https:` URLs.
  • `main.js` rewrites proxied HTML and injects WebSocket/XHR/fetch interceptors.
  • `lib/webExtension.js` registers equivalent arbitrary HTTP(S) and WebSocket proxy routes.
  • `lib/webExtension.js` sets `rejectUnauthorized: false` for proxied HTTPS.
  • `main.js` forwards `upgrade <name>` through ioBroker host `cmdExec` after message input validation.
Evidence against
  • `package.json` has no preinstall/install/postinstall lifecycle hook.
  • No child-process import, shell execution, credential harvesting, or AI-agent control-surface write was found.
  • Network behavior is implemented as dashboard calendar/proxy functionality, with no fixed exfiltration endpoint.
  • Bundled frontend `eval`-like hits are library/UI code; no package payload execution chain was established.
Behavioral surface
Source
ChildProcessEvalFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedObfuscatedTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 40 file(s), 4.06 MB of source, external domains: 192.168.1.x, api.iconify.design, api.simplesvg.com, api.unisvg.com, bit.ly, calendar.google.com, cdn.jsdelivr.net, fb.me, fonts.googleapis.com, github.com, hdering.github.io, leafletjs.com, photon.komoot.io, reactjs.org, redux-toolkit.js.org, redux.js.org, server.arcgisonline.com, smarthjemmet.dk, www.w3.org

Source & flagged code

1 flagged · loading source
www/assets/echarts-Cv-_nZ52.jsView file
39`+g.message)}var n=new it;n.add(a),n.isGeoSVGGraphicRoot=!0;var i=e.width,o=e.height,s=e.viewBoxRect,l=this._boundingRect;if(!l){var u=void 0,f=void 0,v=void 0,h=void 0;if(i!=null?... L40: `+i.message)}return o8(e,n),A(n,function(i){var o=i.name;l8(e,i),f8(e,i);var s=this._specialAreas&&this._specialAreas[o];s&&i.transformTo(s.left,s.top,s.width,s.height)},this),n},r... L41: `))}),t.join(`
Low
Eval

Package source references a known benign dynamic code generation pattern.

www/assets/echarts-Cv-_nZ52.jsView on unpkg · L39

Findings

2 Medium7 Low
MediumNetwork
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvalwww/assets/echarts-Cv-_nZ52.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings