nextjs-developer
Pass
Audited by Gen Agent Trust Hub on Mar 22, 2026
Risk Level: SAFECOMMAND_EXECUTIONCREDENTIALS_UNSAFE
Full Analysis
- [COMMAND_EXECUTION]: The file upload implementation in
references/server-actions.mdis vulnerable to path traversal. TheuploadAvatarfunction uses thefile.nameproperty directly within apath.join()call without validation, allowing an attacker to specify a path like../../.envto overwrite critical system or configuration files.- [CREDENTIALS_UNSAFE]: Thedocker-compose.ymlconfiguration template inreferences/deployment.mdincludes hardcoded default credentials (POSTGRES_PASSWORD=postgres). Providing these defaults in a deployment context without explicit warnings to change them creates a risk of insecure deployments.- [DATA_EXFILTRATION]: Inreferences/server-actions.md, a vulnerability surface exists where untrusted data influences file system operations. 1. Ingestion points:file.namefromformData.get('avatar'). 2. Boundary markers: Absent for filename processing. 3. Capability inventory:writeFileinreferences/server-actions.md. 4. Sanitization: Absent, directly interpolating user-controlled strings into file paths.
Audit Metadata