Look up vulnerable packages by Package URL (purl).

GET /api/packages/993155?format=api
HTTP 200 OK
Allow: GET, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "url": "http://public2.vulnerablecode.io/api/packages/993155?format=api",
    "purl": "pkg:npm/%40grackle-ai/server@0.66.0",
    "type": "npm",
    "namespace": "@grackle-ai",
    "name": "server",
    "version": "0.66.0",
    "qualifiers": {},
    "subpath": "",
    "is_vulnerable": true,
    "next_non_vulnerable_version": "0.70.6",
    "latest_non_vulnerable_version": "0.70.6",
    "affected_by_vulnerabilities": [
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/91555?format=api",
            "vulnerability_id": "VCID-9yjv-1t49-cydh",
            "summary": "@grackle-ai/server has a Missing Secure Flag on Session Cookie\n### Impact\n\nThe session cookie is set with `HttpOnly; SameSite=Lax; Path=/` but does not include the `Secure` flag. This means the cookie will be sent over plain HTTP connections.\n\nSince the server binds to `127.0.0.1` by default and uses HTTP (not HTTPS), this is acceptable for localhost use. However, when `--allow-network` is used to bind to `0.0.0.0`, cookies could be transmitted over insecure network connections and intercepted by an attacker.\n\n**Affected code:**\n- `packages/server/src/session.ts:76` — cookie string lacks `; Secure` attribute\n\n### Patches\n\n0.70.5\n\n**Fix:** Conditionally add `; Secure` when served over HTTPS or when `--allow-network` is enabled:\n```typescript\nconst securePart = isHttps ? \"; Secure\" : \"\";\nreturn `${SESSION_COOKIE_NAME}=${cookieValue}; HttpOnly; SameSite=Lax; Path=/${securePart}; Max-Age=${maxAge}`;\n```\n\n### Workarounds\n\nDo not use `--allow-network` over untrusted networks without a TLS-terminating reverse proxy.\n\n### Resources\n\n- OWASP: Secure Cookie Attribute\n- File: `packages/server/src/session.ts`",
            "references": [
                {
                    "reference_url": "https://github.com/nick-pape/grackle",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "2.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "LOW",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/nick-pape/grackle"
                },
                {
                    "reference_url": "https://github.com/nick-pape/grackle/security/advisories/GHSA-5j35-xr4g-vwf4",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "LOW",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "2.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "LOW",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/nick-pape/grackle/security/advisories/GHSA-5j35-xr4g-vwf4"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-5j35-xr4g-vwf4",
                    "reference_id": "GHSA-5j35-xr4g-vwf4",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "LOW",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-5j35-xr4g-vwf4"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/113819?format=api",
                    "purl": "pkg:npm/%40grackle-ai/server@0.70.5",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-s9ae-48e7-bygv"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540grackle-ai/server@0.70.5"
                }
            ],
            "aliases": [
                "GHSA-5j35-xr4g-vwf4"
            ],
            "risk_score": 1.4,
            "exploitability": "0.5",
            "weighted_severity": "2.7",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9yjv-1t49-cydh"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/90954?format=api",
            "vulnerability_id": "VCID-adgp-y22y-jbc4",
            "summary": "@grackle-ai/server: Unescaped Error String in renderPairingPage() HTML Template\n### Impact\n\nThe `renderPairingPage()` function embeds the `error` parameter directly into HTML without escaping:\n```typescript\nconst errorHtml = error ? `<p style=\"color:#e74c3c\">${error}</p>` : \"\";\n```\n\nAll current call sites pass hardcoded strings, so this is **not exploitable today**. However, the function is architecturally fragile — if a future code change passes user-controlled or dynamic content into the error parameter, it would create an XSS vulnerability.\n\nThe `renderAuthorizePage()` function in the same file correctly uses `escapeHtml()` for dynamic content, making this an inconsistency.\n\n**Affected code:**\n- `packages/server/src/index.ts:64-89` — `renderPairingPage()` with unescaped error interpolation\n- Compare: `packages/server/src/index.ts:130` — `renderAuthorizePage()` correctly uses `escapeHtml()`\n\n### Patches\n\nv0.70.1\n\n**Fix:** Apply `escapeHtml()` to the error parameter:\n```typescript\nconst errorHtml = error ? `<p style=\"color:#e74c3c\">${escapeHtml(error)}</p>` : \"\";\n```\n\n### Workarounds\n\nNo workaround needed — all current callers pass hardcoded strings.\n\n### Resources\n\n- CWE-79: Improper Neutralization of Input During Web Page Generation\n- File: `packages/server/src/index.ts`",
            "references": [
                {
                    "reference_url": "https://github.com/nick-pape/grackle",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "2.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"
                        },
                        {
                            "value": "LOW",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/nick-pape/grackle"
                },
                {
                    "reference_url": "https://github.com/nick-pape/grackle/security/advisories/GHSA-7q9x-8g6p-3x75",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "LOW",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "2.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"
                        },
                        {
                            "value": "LOW",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/nick-pape/grackle/security/advisories/GHSA-7q9x-8g6p-3x75"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-7q9x-8g6p-3x75",
                    "reference_id": "GHSA-7q9x-8g6p-3x75",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "LOW",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-7q9x-8g6p-3x75"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/112921?format=api",
                    "purl": "pkg:npm/%40grackle-ai/server@0.70.1",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-9yjv-1t49-cydh"
                        },
                        {
                            "vulnerability": "VCID-s7cs-pk2v-jugv"
                        },
                        {
                            "vulnerability": "VCID-s9ae-48e7-bygv"
                        },
                        {
                            "vulnerability": "VCID-zkrd-1bp4-pffc"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540grackle-ai/server@0.70.1"
                }
            ],
            "aliases": [
                "GHSA-7q9x-8g6p-3x75"
            ],
            "risk_score": 1.4,
            "exploitability": "0.5",
            "weighted_severity": "2.7",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-adgp-y22y-jbc4"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/90914?format=api",
            "vulnerability_id": "VCID-s7cs-pk2v-jugv",
            "summary": "@grackle-ai/server has Missing Content-Security-Policy and X-Frame-Options Headers\n### Impact\n\nThe HTTP server does not set `Content-Security-Policy`, `X-Frame-Options`, or `X-Content-Type-Options` headers on any response. This reduces defense-in-depth against XSS, clickjacking, and MIME-sniffing attacks.\n\nWhile the current XSS attack surface is small (React-markdown is configured safely, no `dangerouslySetInnerHTML`, Vite does not generate source maps), the absence of these headers means any future XSS vulnerability would have no secondary defense layer.\n\n**Affected code:**\n- `packages/server/src/index.ts` — all `res.writeHead()` calls only set `Content-Type`, with no security headers\n\n### Patches\n\n0.70.4\n\n**Fix:** Add security headers to all HTML/API responses:\n```typescript\nres.writeHead(200, {\n  \"Content-Type\": contentType,\n  \"Content-Security-Policy\": \"default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:\",\n  \"X-Frame-Options\": \"DENY\",\n  \"X-Content-Type-Options\": \"nosniff\"\n});\n```\n\n### Workarounds\n\nUse a reverse proxy (nginx, Caddy) in front of the Grackle server to inject security headers.\n\n### References\n\n- CWE-693: Protection Mechanism Failure\n- OWASP: HTTP Security Response Headers\n- File: `packages/server/src/index.ts`",
            "references": [
                {
                    "reference_url": "https://github.com/nick-pape/grackle",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/nick-pape/grackle"
                },
                {
                    "reference_url": "https://github.com/nick-pape/grackle/security/advisories/GHSA-3mjm-x6gw-2x42",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/nick-pape/grackle/security/advisories/GHSA-3mjm-x6gw-2x42"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-3mjm-x6gw-2x42",
                    "reference_id": "GHSA-3mjm-x6gw-2x42",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-3mjm-x6gw-2x42"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/112856?format=api",
                    "purl": "pkg:npm/%40grackle-ai/server@0.70.4",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-9yjv-1t49-cydh"
                        },
                        {
                            "vulnerability": "VCID-s9ae-48e7-bygv"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540grackle-ai/server@0.70.4"
                }
            ],
            "aliases": [
                "GHSA-3mjm-x6gw-2x42"
            ],
            "risk_score": 3.1,
            "exploitability": "0.5",
            "weighted_severity": "6.2",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-s7cs-pk2v-jugv"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/91699?format=api",
            "vulnerability_id": "VCID-s9ae-48e7-bygv",
            "summary": "@grackle-ai/server JSON.parse lacks try-catch logic in its gRPC Service AdapterConfig Handling\n### Impact\n\n`JSON.parse(env.adapterConfig)` is called without error handling in three locations within the gRPC service. While the data originates from the server's own SQLite database and should always be valid JSON, database corruption, migration errors, or unexpected state could cause an unhandled exception that crashes the gRPC handler.\n\nAdditionally, the parsed result is cast as `Record<string, unknown>` and passed to adapter methods without property validation, creating a theoretical prototype pollution surface if the database is compromised.\n\n**Affected code:**\n- `packages/server/src/grpc-service.ts:415` — `reconnectOrProvision` handler\n- `packages/server/src/grpc-service.ts:482` — `stopEnvironment` handler\n- `packages/server/src/grpc-service.ts:498` — `destroyEnvironment` handler\n\n### Patches\n\n**Fix:** Wrap in try-catch and return a meaningful gRPC error:\n```typescript\nlet config: Record<string, unknown>;\ntry {\n  config = JSON.parse(env.adapterConfig) as Record<string, unknown>;\n} catch {\n  throw new ConnectError(\"Invalid adapter configuration\", Code.Internal);\n}\n```\n\n### Workarounds\n\nEnsure database integrity. Back up the SQLite database regularly.\n\n### Resources\n\n- CWE-754: Improper Check for Unusual or Exceptional Conditions\n- File: `packages/server/src/grpc-service.ts`",
            "references": [
                {
                    "reference_url": "https://github.com/nick-pape/grackle",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "2.1",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "LOW",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/nick-pape/grackle"
                },
                {
                    "reference_url": "https://github.com/nick-pape/grackle/security/advisories/GHSA-8g29-8xwr-qmhr",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "LOW",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "2.1",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "LOW",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/nick-pape/grackle/security/advisories/GHSA-8g29-8xwr-qmhr"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-8g29-8xwr-qmhr",
                    "reference_id": "GHSA-8g29-8xwr-qmhr",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "LOW",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-8g29-8xwr-qmhr"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/113991?format=api",
                    "purl": "pkg:npm/%40grackle-ai/server@0.70.6",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540grackle-ai/server@0.70.6"
                }
            ],
            "aliases": [
                "GHSA-8g29-8xwr-qmhr"
            ],
            "risk_score": 1.4,
            "exploitability": "0.5",
            "weighted_severity": "2.7",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-s9ae-48e7-bygv"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/91100?format=api",
            "vulnerability_id": "VCID-zkrd-1bp4-pffc",
            "summary": "@grackle-ai/server has Missing WebSocket Origin Header Validation\n### Impact\n\nThe WebSocket upgrade handler in the server validates authentication (API key token or session cookie) but does not check the `Origin` header. A malicious webpage on a different origin could initiate a WebSocket connection to `ws://localhost:3000/ws` if it can leverage the user's session cookie (which is `SameSite=Lax`, allowing top-level navigations).\n\nThis enables **cross-origin WebSocket hijacking** — if a user visits a malicious site while a Grackle session is active, the attacker's page could open a WebSocket and subscribe to real-time events (session output, task updates, environment state).\n\n**Affected code:**\n- `packages/server/src/ws-bridge.ts:80-91` — connection handler accepts WebSocket upgrades without checking `req.headers.origin`\n\n### Patches\n\n**Fix:** Validate `req.headers.origin` against an allowlist before accepting connections:\n```typescript\nconst origin = req.headers.origin || \"\";\nif (origin && !origin.includes(\"localhost\") && !origin.includes(\"127.0.0.1\")) {\n  ws.close(4003, \"Invalid origin\");\n  return;\n}\n```\n\n### Workarounds\n\nEnsure the Grackle server is only accessible on `127.0.0.1` (the default). Do not use `--allow-network` in untrusted network environments.\n\n### Resources\n\n- CWE-346: Origin Validation Error\n- File: `packages/server/src/ws-bridge.ts`",
            "references": [
                {
                    "reference_url": "https://github.com/nick-pape/grackle",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.1",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/nick-pape/grackle"
                },
                {
                    "reference_url": "https://github.com/nick-pape/grackle/security/advisories/GHSA-w3hv-x4fp-6h6j",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "7.1",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/nick-pape/grackle/security/advisories/GHSA-w3hv-x4fp-6h6j"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-w3hv-x4fp-6h6j",
                    "reference_id": "GHSA-w3hv-x4fp-6h6j",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-w3hv-x4fp-6h6j"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/113121?format=api",
                    "purl": "pkg:npm/%40grackle-ai/server@0.70.3",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-9yjv-1t49-cydh"
                        },
                        {
                            "vulnerability": "VCID-s7cs-pk2v-jugv"
                        },
                        {
                            "vulnerability": "VCID-s9ae-48e7-bygv"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540grackle-ai/server@0.70.3"
                }
            ],
            "aliases": [
                "GHSA-w3hv-x4fp-6h6j"
            ],
            "risk_score": 4.0,
            "exploitability": "0.5",
            "weighted_severity": "8.0",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-zkrd-1bp4-pffc"
        }
    ],
    "fixing_vulnerabilities": [],
    "risk_score": "4.0",
    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540grackle-ai/server@0.66.0"
}
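The response above is worth reading carefully rather than just taking `is_vulnerable` at face value: the `fixed_packages` entry for an advisory can itself still be vulnerable (0.70.5 fixes VCID-9yjv-1t49-cydh but is still affected by VCID-s9ae-48e7-bygv), so the upgrade target is the lowest fixed version the API marks clean, cross-checked against `next_non_vulnerable_version`. The script below does that triage offline. It is an added example, not code from VulnerableCode or from the Grackle project; `SAMPLE_RESPONSE` is a hand-trimmed copy of the response shown above, keeping only the fields the script reads, and the function names are this example's own.

```typescript
// Added example, not part of VulnerableCode or Grackle: triage one
// /api/packages/<id> response offline. SAMPLE_RESPONSE is a hand-trimmed copy
// of the response shown on this page (only the fields read here are kept).

interface FixedPackage {
  purl: string;
  is_vulnerable: boolean;
  affected_by_vulnerabilities: { vulnerability: string }[];
}

interface Vulnerability {
  vulnerability_id: string;
  risk_score: number;
  fixed_packages: FixedPackage[];
}

interface PackageReport {
  purl: string;
  is_vulnerable: boolean;
  next_non_vulnerable_version: string | null;
  affected_by_vulnerabilities: Vulnerability[];
}

const SAMPLE_RESPONSE = `{
  "purl": "pkg:npm/%40grackle-ai/server@0.66.0",
  "is_vulnerable": true,
  "next_non_vulnerable_version": "0.70.6",
  "affected_by_vulnerabilities": [
    {"vulnerability_id": "VCID-9yjv-1t49-cydh", "risk_score": 1.4,
     "fixed_packages": [{"purl": "pkg:npm/%40grackle-ai/server@0.70.5", "is_vulnerable": true,
       "affected_by_vulnerabilities": [{"vulnerability": "VCID-s9ae-48e7-bygv"}]}]},
    {"vulnerability_id": "VCID-adgp-y22y-jbc4", "risk_score": 1.4,
     "fixed_packages": [{"purl": "pkg:npm/%40grackle-ai/server@0.70.1", "is_vulnerable": true,
       "affected_by_vulnerabilities": [{"vulnerability": "VCID-9yjv-1t49-cydh"}, {"vulnerability": "VCID-s7cs-pk2v-jugv"},
         {"vulnerability": "VCID-s9ae-48e7-bygv"}, {"vulnerability": "VCID-zkrd-1bp4-pffc"}]}]},
    {"vulnerability_id": "VCID-s7cs-pk2v-jugv", "risk_score": 3.1,
     "fixed_packages": [{"purl": "pkg:npm/%40grackle-ai/server@0.70.4", "is_vulnerable": true,
       "affected_by_vulnerabilities": [{"vulnerability": "VCID-9yjv-1t49-cydh"}, {"vulnerability": "VCID-s9ae-48e7-bygv"}]}]},
    {"vulnerability_id": "VCID-s9ae-48e7-bygv", "risk_score": 1.4,
     "fixed_packages": [{"purl": "pkg:npm/%40grackle-ai/server@0.70.6", "is_vulnerable": false,
       "affected_by_vulnerabilities": []}]},
    {"vulnerability_id": "VCID-zkrd-1bp4-pffc", "risk_score": 4.0,
     "fixed_packages": [{"purl": "pkg:npm/%40grackle-ai/server@0.70.3", "is_vulnerable": true,
       "affected_by_vulnerabilities": [{"vulnerability": "VCID-9yjv-1t49-cydh"}, {"vulnerability": "VCID-s7cs-pk2v-jugv"},
         {"vulnerability": "VCID-s9ae-48e7-bygv"}]}]}
  ]
}`;

// Numeric dotted-version comparison: enough for the npm versions in this
// response, but not a full semver parser (no pre-release or build tags).
function compareVersions(a: string, b: string): number {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] ?? 0) - (pb[i] ?? 0);
    if (d !== 0) return d;
  }
  return 0;
}

// The version is the part after the last "@"; the "%40" in the npm scope is not "@".
function versionFromPurl(purl: string): string {
  const at = purl.lastIndexOf("@");
  return at === -1 ? "" : purl.slice(at + 1);
}

interface TriageResult {
  byRisk: string[];                        // vulnerability ids, highest risk_score first
  partialFixes: Record<string, string[]>;  // "fixed" version -> ids it is still affected by
  cleanUpgrade: string | null;             // lowest fixed version the API marks clean
  consistent: boolean;                     // cleanUpgrade agrees with next_non_vulnerable_version
}

function triage(json: string): TriageResult {
  const report = JSON.parse(json) as PackageReport;
  const byRisk = report.affected_by_vulnerabilities
    .slice()
    .sort((x, y) => y.risk_score - x.risk_score)
    .map((v) => v.vulnerability_id);
  const partialFixes: Record<string, string[]> = {};
  let cleanUpgrade: string | null = null;
  for (const v of report.affected_by_vulnerabilities) {
    for (const fp of v.fixed_packages) {
      const ver = versionFromPurl(fp.purl);
      if (fp.is_vulnerable) {
        // The version that fixes this advisory still carries others: not an upgrade target.
        partialFixes[ver] = fp.affected_by_vulnerabilities.map((a) => a.vulnerability);
      } else if (cleanUpgrade === null || compareVersions(ver, cleanUpgrade) < 0) {
        cleanUpgrade = ver;
      }
    }
  }
  return { byRisk, partialFixes, cleanUpgrade, consistent: cleanUpgrade === report.next_non_vulnerable_version };
}

console.log(JSON.stringify(triage(SAMPLE_RESPONSE), null, 2));
```

Run against the sample, `cleanUpgrade` is 0.70.6 and every other "fixed" version (0.70.1, 0.70.3, 0.70.4, 0.70.5) lands in `partialFixes`; `byRisk` puts the WebSocket origin issue (risk_score 4.0) first. A real pipeline would fetch the JSON from the `/api/packages/` endpoint and feed it to `triage` unchanged, since the field names are the ones in the response above.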
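The highest-risk entry above, VCID-zkrd-1bp4-pffc, is cross-site WebSocket hijacking: the browser attaches the `SameSite=Lax` session cookie to the upgrade request on its own, so the server must check the `Origin` header before accepting. The following is an added example of that check, not Grackle's code and not the fix the advisory text shows. It compares the full canonical origin against an allowlist rather than testing for a substring, because `"http://localhost.example.com".includes("localhost")` is true. The function names, the `AuthKind` type and the policy that an explicitly presented API key does not need an `Origin` header are this example's own design choices.

```typescript
// Added example, not Grackle's code: Origin allowlisting for a WebSocket
// upgrade, run before the socket is accepted. Names and the AuthKind policy
// are this example's own assumptions.

type AuthKind = "api-key" | "session-cookie";

interface UpgradeDecision {
  accept: boolean;
  reason: string;
}

// Canonical scheme://host[:port] form, or null if the header is not a usable
// origin. URL.origin lowercases the host and drops default ports, so
// "HTTP://LOCALHOST:80" and "http://localhost" compare equal. A browser sends
// the literal string "null" for opaque origins; new URL("null") throws, so
// that case is rejected as well.
function normalizeOrigin(origin: string): string | null {
  try {
    const u = new URL(origin);
    return u.protocol === "http:" || u.protocol === "https:" ? u.origin : null;
  } catch {
    return null;
  }
}

// Allowlist for a server bound to the loopback address on `port`.
function loopbackAllowlist(port: number): string[] {
  const raw = [`http://localhost:${port}`, `http://127.0.0.1:${port}`, `http://[::1]:${port}`];
  return raw.map(normalizeOrigin).filter((o): o is string => o !== null);
}

// The Origin check defends against ambient credentials (cookies the browser
// attaches by itself). A client that presented an API key explicitly is not a
// cross-site victim, so the header is not required for it. The comparison is
// exact, never substring: "http://localhost.example.com".includes("localhost")
// is true, and would let a non-loopback site through.
function checkUpgradeOrigin(
  originHeader: string | undefined,
  auth: AuthKind,
  allowed: readonly string[],
): UpgradeDecision {
  if (auth === "api-key") return { accept: true, reason: "explicit credential" };
  if (originHeader === undefined) {
    return { accept: false, reason: "cookie auth without Origin header" };
  }
  const origin = normalizeOrigin(originHeader);
  if (origin === null) return { accept: false, reason: "unparseable Origin" };
  if (allowed.indexOf(origin) === -1) return { accept: false, reason: `origin ${origin} not allowed` };
  return { accept: true, reason: "origin allowed" };
}

// Usage: call during the upgrade handler. On rejection, answer the upgrade
// request with HTTP 403; if the socket was already accepted, close it with an
// application close code such as 4003.
const ALLOWED = loopbackAllowlist(3000);
console.log(checkUpgradeOrigin("http://localhost:3000", "session-cookie", ALLOWED));
console.log(checkUpgradeOrigin("http://localhost.example.com:3000", "session-cookie", ALLOWED));
```

When `--allow-network` binds the server to a non-loopback address, the allowlist has to be extended with the origin the UI is actually served from (scheme, host and port all matter), and the check stays a complement to, not a replacement for, serving the UI over TLS.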