AI Security Review
scanned 4h ago · by lpm-firewall-aiA public webhook route processes SNS subscription confirmations before validating its webhook token. An attacker who knows a webhook URL can cause a blind GET request to an attacker-chosen `SubscribeURL`.
Static reason
No blocking static signals were detected.
Trigger
POST a request with `x-amz-sns-message-type: SubscriptionConfirmation` and a `SubscribeURL` to a valid public webhook path.
Impact
May reach internal or otherwise server-accessible HTTP GET endpoints; response content is not returned.
Mechanism
pre-auth arbitrary URL fetch (blind SSRF)
Rationale
The package is a runtime Express backend and shows no install-time mutation, persistence, payload execution, or credential exfiltration. Its pre-auth arbitrary URL fetch is a real security vulnerability, so warn rather than mark clean.
Evidence
package.jsondist/routes/index.jsdist/controllers/webhook.controller.jsdist/models/source.model.jsdist/index.js
Decision evidence
public snapshotAI called this Suspicious at 88.0% confidence as Critical Vulnerability with low false-positive risk.
Evidence for warning
- `dist/routes/index.js` exposes public `POST /webhook/:token`.
- `dist/controllers/webhook.controller.js` fetches `body.SubscribeURL` on an SNS header before token/auth validation.
- The fetch accepts an arbitrary URL and returns only success/failure, creating blind SSRF to server-reachable GET targets.
Evidence against
- `package.json` has only `prepublishOnly`; no install-time lifecycle hook.
- `dist/index.js` only exports server/service/router/database APIs; importing it does not start the server.
- No `fs`, `child_process`, `vm`, native-module, or executable artifact imports were found in `dist`.
- Configured outbound integrations target user-supplied observability/notification services; no covert exfiltration path was found.
Behavioral surface
CryptoEnvironmentVarsNetwork
HighEntropyStringsUrlStrings
NoLicense
Source & flagged code
2 flagged · loading sourcedist/routes/index.jsView file
•Published source reference
Medium
Ai Review Evidence
`dist/routes/index.js` exposes public `POST /webhook/:token`.
dist/routes/index.jsView on unpkgdist/controllers/webhook.controller.jsView file
•Published source reference
Medium
Ai Review Evidence
`dist/controllers/webhook.controller.js` fetches `body.SubscribeURL` on an SNS header before token/auth validation.
dist/controllers/webhook.controller.jsView on unpkgFindings
5 Medium5 Low
MediumNetwork
MediumEnvironment Vars
MediumAi Review Evidencedist/routes/index.js
MediumAi Review Evidencedist/controllers/webhook.controller.js
MediumAi Review Evidence
LowNon Install Lifecycle Scripts
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings
LowNo License