VibeScanner

VibeScanner Demo

Demo Mode

This is a demo page showing sample scan results from an intentionally vulnerable educational application. The data shown here is for demonstration purposes only.

drbarq/todo-app-vibe

Branch: main
Scan status: Completed

Understanding Your Security Scan Results

Overview Tab

Quick summary of security issues found in your code using static code analysis tools. Start here to see the most important problems to fix first, understand what types of vulnerabilities exist, and get actionable recommendations.

Security Report Tab

Comprehensive technical report with detailed analysis, remediation steps, and security best practices. Perfect for sharing with your team or for deeper understanding of each vulnerability.

Security Tip

Severity levels explained:

  • Critical/High: fix these first; they pose immediate security risk
  • Medium: important but less urgent security issues
  • Low: minor issues and best-practice improvements

CWE and OWASP are industry-standard classifications that help you understand the type of vulnerability and find additional resources for learning.

Total Issues

10

Critical

0

High

2

Medium

7

Low

1

Security Analysis Summary

Scan Overview

Next.js 14.0.0 productivity application with intentionally severe security vulnerabilities for educational purposes. Contains multiple critical flaws including RCE, path traversal, IDOR, authentication bypass, and unrestricted file operations.

Key Findings

  • CRITICAL: Remote Code Execution via /api/admin/execute allows arbitrary system commands.
  • Path traversal in the file operations enables reading and writing any file the server process can reach.
  • Complete authentication bypass with hardcoded credentials.
  • Unrestricted file upload allows web shell deployment.
  • Admin panel accessible without authorization.

The itemized Security Issues Found section below lists only the 10 tool findings (8 from semgrep, 2 from gitleaks), and the severity counts above are computed from those, which is why Critical shows 0. The RCE, authentication bypass and upload findings summarized here come from the AI agent's review and are not itemized.

Recommendations

  • DO NOT DEPLOY - This is intentionally vulnerable educational code
  • Remove command execution functionality entirely from /api/admin/execute
  • Implement strict path validation for all file operations
  • Replace hardcoded authentication with proper auth library (NextAuth.js)
  • Add comprehensive input validation and sanitization
  • Implement role-based access control for admin functionality

Security Tools Used

bandit

completed

Python security issues detection

0 findings

semgrep

completed

Static analysis for security patterns and vulnerabilities

8 findings

gitleaks

completed

Secret detection in code and git history

2 findings

AI Security Agent

completed

Autonomous security analysis orchestration

VibeScanner AI Analysis Details

Framework Detected

nextjs

Confidence Score

high

AI-Generated Code Patterns

  • hardcoded-credentials
  • no-input-validation
  • console-log-secrets
  • direct-command-execution
  • path-join-user-input
  • missing-auth-middleware
  • plaintext-passwords
  • no-rate-limiting
  • excessive-error-details
  • get-request-mutations

Analysis Notes

This is an intentionally vulnerable educational application designed to demonstrate critical security flaws. All vulnerabilities are real and exploitable. The codebase serves as a negative example for security training.

0 false positives filtered out by AI analysis

Security Issues Found

generic-api-key

HIGH (gitleaks)

Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

app/layout.tsx:21 (col 20-97)
Vulnerable Code
ow.STRIPE_KEY = "pk_test_51HdSGILEOO4IAOcsPMwxBNgY6L4FNQhlo4kZCXm1a38Kv27qNLp"

Impact

Exposed secrets can lead to unauthorized access and data breaches

Secret Type: generic-api-key
Entropy: 5.36

generic-api-key

HIGH (gitleaks)

Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

app/layout.tsx:22 (col 20-56)
Vulnerable Code
ow.OPENAI_KEY = "sk-1234567890abcdef"

Impact

Exposed secrets can lead to unauthorized access and data breaches

Secret Type: generic-api-key
Entropy: 4.25

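As an added example (not code from the page, from gitleaks or from drbarq/todo-app-vibe), here is how a generic-api-key style check works: an assignment pattern finds quoted literals assigned to credential-looking names, Shannon entropy scores them, and a small prefix table identifies known key formats. The two key values are the ones in the findings above; the surrounding source lines, the regex, the prefix table and the 3.5-bit threshold are assumptions for this example, not gitleaks' configuration.

```javascript
// Added example, not code from gitleaks or from drbarq/todo-app-vibe: the two
// signals behind a generic-api-key finding, a credential-looking assignment plus
// Shannon entropy, with a small prefix table for the key formats seen above.

// Shannon entropy in bits per character over the candidate string.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Assumed pattern (not gitleaks' rule): an identifier containing KEY, SECRET,
// TOKEN or PASSWORD assigned a quoted literal of at least 8 characters.
const ASSIGNMENT =
  /([A-Za-z_][A-Za-z0-9_.]*(?:KEY|SECRET|TOKEN|PASSWORD|PASSWD)[A-Za-z0-9_]*)\s*[=:]\s*["'`]([^"'`]{8,})["'`]/gi;

// Prefix table constructed for this example. Stripe publishable keys (pk_) are
// meant to ship in browser code; Stripe secret keys (sk_) and OpenAI keys (sk-)
// are bearer credentials. Anything else falls back to generic-api-key.
const KNOWN_PREFIXES = [
  { prefix: 'pk_test_', type: 'stripe-publishable-key', bearer: false },
  { prefix: 'pk_live_', type: 'stripe-publishable-key', bearer: false },
  { prefix: 'sk_test_', type: 'stripe-secret-key', bearer: true },
  { prefix: 'sk_live_', type: 'stripe-secret-key', bearer: true },
  { prefix: 'sk-', type: 'openai-api-key', bearer: true },
];

function classify(value) {
  const hit = KNOWN_PREFIXES.find((k) => value.startsWith(k.prefix));
  return hit ? { type: hit.type, bearer: hit.bearer } : { type: 'generic-api-key', bearer: true };
}

// Report a literal when it carries a known prefix or its entropy is at or above
// the threshold. 3.5 bits is an assumed cut-off; the page does not state gitleaks'.
function scanSource(source, entropyThreshold = 3.5) {
  const findings = [];
  source.split('\n').forEach((line, i) => {
    for (const m of line.matchAll(ASSIGNMENT)) {
      const [, name, value] = m;
      const entropy = shannonEntropy(value);
      const { type, bearer } = classify(value);
      if (type !== 'generic-api-key' || entropy >= entropyThreshold) {
        findings.push({ line: i + 1, name, type, bearer, entropy: Number(entropy.toFixed(2)) });
      }
    }
  });
  return findings;
}

// Constructed source. The two key values are the ones in the findings above; the
// surrounding lines are invented for the example.
const SAMPLE_SOURCE = [
  'export default function RootLayout() {',
  '  const apiKeyLabel = "Enter key";',                  // low-entropy literal: skipped
  '  const STRIPE_KEY = "pk_test_51HdSGILEOO4IAOcsPMwxBNgY6L4FNQhlo4kZCXm1a38Kv27qNLp";',
  '  const OPENAI_KEY = "sk-1234567890abcdef";',
  '  const TOKEN = process.env.API_TOKEN;',              // no literal: no match
  '}',
].join('\n');

console.log(JSON.stringify(scanSource(SAMPLE_SOURCE), null, 2));
```

The scores reproduce the report's 5.36 and 4.25 bits, but entropy alone does not say whether a string is a bearer secret: the Stripe publishable key scores higher than the OpenAI key, yet pk_ keys are designed to be embedded client-side, while an sk- key, if real, grants API access and must be rotated and moved to a server-side environment variable. Treat the entropy score as a prioritisation hint and the key type as the triage decision.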
javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal

MEDIUM (semgrep, low confidence)

Detected possible user input going into a `path.join` or `path.resolve` function. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first.

app/api/files/delete/route.ts:27 (col 43-51)
Vulnerable Code
      fullPath = path.join(process.cwd(), filePath)

CWE Classification

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

OWASP Category

A05:2017 - Broken Access Control; A01:2021 - Broken Access Control

Impact

MEDIUM

Likelihood

HIGH

javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal

MEDIUM (semgrep, low confidence)

Detected possible user input going into a `path.join` or `path.resolve` function. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first.

app/api/files/download/route.ts:29 (col 43-51)
Vulnerable Code
      fullPath = path.join(process.cwd(), filePath)

CWE Classification

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

OWASP Category

A05:2017 - Broken Access Control; A01:2021 - Broken Access Control

Impact

MEDIUM

Likelihood

HIGH

javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal

MEDIUM (semgrep, low confidence)

Detected possible user input going into a `path.join` or `path.resolve` function. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first.

app/api/files/route.ts:12 (col 48-57)
Vulnerable Code
    const targetDir = path.join(process.cwd(), directory)

CWE Classification

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

OWASP Category

A05:2017 - Broken Access Control; A01:2021 - Broken Access Control

Impact

MEDIUM

Likelihood

HIGH

javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal

MEDIUM (semgrep, low confidence)

Detected possible user input going into a `path.join` or `path.resolve` function. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first.

app/api/files/route.ts:24 (col 38-47)
Vulnerable Code
          const fullPath = path.join(targetDir, entry.name)

CWE Classification

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

OWASP Category

A05:2017 - Broken Access Control; A01:2021 - Broken Access Control

Impact

MEDIUM

Likelihood

HIGH

javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal

MEDIUM (semgrep, low confidence)

Detected possible user input going into a `path.join` or `path.resolve` function. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first.

app/api/files/route.ts:24 (col 49-59)
Vulnerable Code
          const fullPath = path.join(targetDir, entry.name)

CWE Classification

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

OWASP Category

A05:2017 - Broken Access Control; A01:2021 - Broken Access Control

Impact

MEDIUM

Likelihood

HIGH

javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal

MEDIUM (semgrep, low confidence)

Detected possible user input going into a `path.join` or `path.resolve` function. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first.

app/api/upload/route.ts:26 (col 47-57)
Vulnerable Code
    const fullPath = path.join(process.cwd(), uploadPath, fileName)

CWE Classification

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

OWASP Category

A05:2017 - Broken Access Control; A01:2021 - Broken Access Control

Impact

MEDIUM

Likelihood

HIGH

javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal

MEDIUM (semgrep, low confidence)

Detected possible user input going into a `path.join` or `path.resolve` function. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first.

app/api/upload/route.ts:26 (col 59-67)
Vulnerable Code
    const fullPath = path.join(process.cwd(), uploadPath, fileName)

CWE Classification

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

OWASP Category

A05:2017 - Broken Access Control; A01:2021 - Broken Access Control

Impact

MEDIUM

Likelihood

HIGH


javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring

LOW (semgrep, low confidence)

Detected string concatenation with a non-literal variable in a util.format / console.log function. If an attacker injects a format specifier in the string, it will forge the log message. Try to use constant values for the format string.

app/api/auth/user/[id]/route.ts:68 (col 15-45)
Vulnerable Code
  console.log(`Updating user ${userId} with:`, updates)

CWE Classification

CWE-134: Use of Externally-Controlled Format String

OWASP Category

A01:2021 - Broken Access Control

Impact

LOW

Likelihood

MEDIUM