registry  /  kafecms  /  0.29.3

kafecms@0.29.3

Astro-native CMS with WordPress migration support

Static Scan Results

scanned 2d ago · by rust-scanner

Static analysis flagged 10 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 923 file(s), 6.30 MB of source, external domains: challenges.cloudflare.com, cloudflare-dns.com, cron.kafecms.internal, kafecms.com, marketplace.kafecms.com, schema.org, www.google.com, www.sitemaps.org, www.w3.org

Source & flagged code

3 flagged · loading source
dist/cli/index.mjsView file
986const types = await client.schemaTypes(); L987: const { writeFile, mkdir } = await import("node:fs/promises"); L988: const { resolve: resolvePath, dirname } = await import("node:path");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/cli/index.mjsView on unpkg · L986
dist/ssrf-TrKYJAy0.mjsView file
4* L5: * Validates that URLs don't target internal/private network addresses. L6: * Applied before any fetch() call in the import pipeline. L7: */ ... L196: if (hasProperty(raw, "Answer") && Array.isArray(raw.Answer)) { L197: for (const entry of raw.Answer) if (hasProperty(entry, "data") && typeof entry.data === "string") answers.push({ data: entry.data }); L198: } ... L205: * Resolve a hostname via DNS over HTTPS (Cloudflare). Returns all A and AAAA L206: * records. Works in both Workers and Node without requiring node:dns. L207: * ... L224: if (!response.ok) throw new Error(`DoH lookup failed: ${response.status}`); L225: const body = parseDohResponse(await response.json());
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

dist/ssrf-TrKYJAy0.mjsView on unpkg · L4
dist/astro/index.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = kafecms@0.29.4 matchedIdentity = npm:a2FmZWNtcw:0.29.4 similarity = 0.975 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/astro/index.mjsView on unpkg

Findings

2 High4 Medium4 Low
HighCloud Metadata Accessdist/ssrf-TrKYJAy0.mjs
HighPrevious Version Dangerous Deltadist/astro/index.mjs
MediumDynamic Requiredist/cli/index.mjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings