Coverage reference

Code Security

The detailed security risks VibeLint checks in AI-generated and project code, organized by vulnerability instead of internal scanner names.

FreeIncluded in every planPro + MaxFull specialized coverage

How to read this page: Free coverage runs on every plan. Pro and Max add specialized access-control, abuse-resistance, AI-security, and dependency checks. The Free static-analysis rules can overlap some paid risk categories, but the paid checks add purpose-built analysis and broader context.

01 / Credentials and secrets

Secret and credential exposure

VibeLint looks for credentials and sensitive values that should never be committed, bundled, logged, or copied with source code.

Free

Generic secret exposure

Hardcoded API keys, API secrets, private keys, access tokens, authentication tokens, JWT secrets, and high-entropy secret strings.
Hardcoded passwords, administrator credentials, bypass credentials, and Basic Auth credentials.
Credentials embedded in PostgreSQL, MySQL, MongoDB, and Redis connection URLs.
Base64 and hexadecimal high-entropy strings that resemble secret material.
Public IP exposure candidates found in sensitive configuration contexts.

Provider and platform credentials

OpenAI and Anthropic API keys.
AWS Access Key IDs, AWS Secret Access Keys, Azure Storage keys, IBM Cloud IAM keys, IBM COS HMAC keys, Cloudant credentials, and SoftLayer credentials.
GitHub, GitLab, npm, PyPI, Artifactory, Mailchimp, SendGrid, Slack, Discord, Telegram, and Twilio tokens.
Stripe keys, Square OAuth credentials, JWT tokens, and private-key material.

Configuration mistakes

Hardcoded fallback values that defeat process.env secret loading.
Hardcoded NEXTAUTH_SECRET and NEXTAUTH_URL configuration.
NEXT_PUBLIC variables hardcoded in source instead of loaded from environment configuration.

02 / Identity and sessions

Authentication and session weaknesses

These checks focus on authentication code that looks functional but weakens password, token, session, or credential security.

Free

Password and identity risks

MD5 or SHA-1 used for password hashing.
Plaintext password comparisons instead of secure password verification.
Hardcoded administrator or authentication bypass credentials.
SQL injection inside authentication queries.

JWT and session risks

JWT signature verification disabled with verify=False.
JWT tokens accepted with the none algorithm.
Authentication tokens stored in localStorage, where an XSS vulnerability can read them.
NextAuth debug mode enabled with potential production information leakage.

Credential transport

Passwords, access tokens, API keys, secrets, or authentication values placed in URL query parameters.

03 / Untrusted input

Injection, browser, and execution risks

VibeLint checks whether untrusted input is composed into database operations, browser rendering, operating-system commands, or dynamic code execution.

Free

SQL injection

SQL queries built with Python f-strings.
SQL queries built with .format() or percent string formatting.
SQL statements assembled through string concatenation.
SQL queries built with JavaScript or TypeScript template-literal interpolation.

NoSQL injection

Raw request bodies, query strings, form data, or route parameters passed directly into MongoDB operations.
Parsed JSON used directly as a MongoDB query or filter.
MongoDB $where server-side JavaScript injection.
User-controlled $ne, $gt, $gte, $lt, $lte, $in, $nin, $regex, $exists, $not, $or, $and, $nor, $elemMatch, $text, and $search operators.
NoSQL injection into find, findOne, aggregate, insert, update, delete, replace, count, and distinct operations.

Browser and object injection

DOM XSS through dynamic innerHTML or outerHTML assignments.
XSS through dynamic document.write() calls.
React dangerouslySetInnerHTML used without sanitization.
Arbitrary JavaScript execution through dynamic eval().
Prototype pollution through user-controlled object property keys.

System and file access

Operating-system command injection through os.system().
Shell injection through subprocess calls with shell=True.
Path traversal through dynamic or user-controlled file paths passed to open().

04 / Application boundaries

CORS and framework misconfiguration

Configuration written for a quick local demo can create serious exposure when it reaches a shared, staging, or production environment.

Free

Cross-origin access

Wildcard or allow-all CORS policies in Express, FastAPI, Django, Spring Boot, Go, and ASP.NET.
Wildcard Access-Control-Allow-Origin headers created manually in application code.
Cross-origin data exposure caused by allowing untrusted websites to access API responses.

Django configuration

Django DEBUG=True exposing stack traces and application internals.
Wildcard ALLOWED_HOSTS settings that enable host-header abuse.
CSRF cookies allowed over non-HTTPS transport.
Session cookies allowed over non-HTTPS transport.

Flask configuration

Flask debugger and interactive traceback enabled.
Flask application debug mode enabled in production-like configuration.

05 / Protected operations

Missing authentication and authorization

VibeLint checks API routes for evidence that callers are authenticated and that sensitive actions have an explicit role, permission, or scope decision.

Pro + Max

Missing authentication

API endpoints that expose data or actions without an authentication guard.
Unprotected Flask, FastAPI, Django REST, Express, Koa, Hono, Next.js App Router, Spring Boot, and Go HTTP routes.

Missing authorization

Authenticated sensitive routes with no authorization, role, permission, scope, RBAC, or ABAC check.
Missing authorization on admin, role, permission, grant, revoke, billing, payment, invoice, refund, secret, API-key, and internal routes.

06 / Abuse resistance

Missing or ineffective rate limiting

Sensitive and write-heavy endpoints need meaningful request limits to resist brute force, automation abuse, and resource exhaustion.

Pro + Max

Routes without protection

Missing rate limiting on login, sign-in, sign-up, registration, authentication, token, refresh, reset-password, forgot-password, OTP, MFA, verification, and session endpoints.
Missing rate limiting on API write operations such as POST, PUT, PATCH, and DELETE.
Brute-force, credential-stuffing, API-abuse, resource-exhaustion, and denial-of-service exposure.

Weak or disabled limits

No-op limits such as max: 0, limit: 0, null, None, or Infinity.
Rate-limit windows configured as windowMs: 0.
Zero Django, Flask, or FastAPI throttle rates.
Spring limit or replenishment values set to zero.
Go rate limiters configured with rate.Inf.

07 / AI-native threats

Prompt injection and unsafe model execution

AI inputs and outputs are untrusted data. VibeLint follows risky input into model calls and looks for model output that reaches execution-capable functions.

Pro + Max

Direct prompt injection

Unsanitized HTTP requests, forms, query parameters, route parameters, command-line input, or stdin passed into an AI call.
Unsanitized function parameters that reach an AI API.
Prompt injection flowing through helper functions and multiple variable assignments.

Indirect and obfuscated prompt injection

Untrusted content from websites, API responses, databases, files, browser storage, or DOM content passed into an AI call.
Instruction overrides, persona replacement, developer-mode or DAN-mode language, hidden-directive requests, memory-clearing requests, and restriction-removal language embedded in prompt content.
Base64, ROT13, Unicode escape, and browser atob() prompt obfuscation near an AI call.

MCP and agent escalation

MCP tool arguments controlled by an AI model reaching eval, exec, shell commands, subprocesses, or file access without strict validation.
AI-controlled tool values used without an allowlist or schema validation.

Unsafe LLM output execution

LLM output passed into Python eval(), exec(), subprocess, or os.system().
LLM output passed into JavaScript eval(), new Function, child_process.exec, or child_process.spawn.
Model-generated commands or code executed without an allowlist, strict schema, validation, or sandbox.

08 / Expanded language coverage

Additional static-analysis risks

The Free tier also runs a broad security-audit ruleset. These findings extend coverage across supported languages and may overlap with some specialized checks.

Free

C, containers, HTML, and Nginx

C and C++ buffer overflows, unsafe string functions, format-string attacks, double-free, use-after-free, and file-descriptor exhaustion.
Docker containers left running as the root user.
HTML attribute injection, unsafe dynamic links, script-tag injection, and template XSS.
Nginx dynamic-proxy SSRF, header injection, header redefinition, open redirects, weak or missing TLS policy, missing internal-route protection, and alias path traversal.

Go

Insecure gRPC, TLS, and SSH configuration; hardcoded JWT keys; weak randomness; and DES, MD5, RC4, or SHA-1 use.
SQL injection, unsafe binding to all interfaces, debug endpoint exposure, HTTP template injection, and context-specific XSS.
Unsafe memory operations, insecure temporary files, decompression bombs, Zip Slip, and dangerous embedded JavaScript execution.

Java and JVM frameworks

Command, SQL, LDAP, EL, SpEL, XPath, script-engine, CRLF, log, and HTTP response-splitting injection.
Unsafe object, XMLDecoder, XXE, and RMI deserialization.
Path traversal, open redirects, URL rewriting, permissive CORS, disabled CSRF, unrestricted request mappings, and excessive file permissions.
Weak randomness, weak hashes, DES or 3DES, null ciphers, static initialization vectors, RSA without padding, insecure trust managers, insecure hostname verification, and unencrypted sockets.
Missing Secure or HttpOnly cookie flags and direct response-writer XSS.

JavaScript, TypeScript, and React

Hardcoded JWT secrets, JWT none-algorithm acceptance, dynamic eval, child-process execution, and unsafe buffer operations.
Disabled template escaping, CSRF ordering problems, weak pseudo-random values, unsafe git clone execution, and open redirects.
XXE through expat, SAX, or XML conversion libraries and unknown values inserted into script tags.
React requests over insecure transport, raw HTML rendered through Markdown, and dangerouslySetInnerHTML.

Python, Django, and Flask

Command injection, dynamic URL and request risk, SQLAlchemy injection, unsafe subprocess execution, and binding services to all interfaces.
Unsafe YAML, pickle, cPickle, dill, shelve, marshal, multiprocessing, XML, and XML-RPC deserialization or parsing.
Weak ciphers, ECB mode, weak hashes, undersized elliptic-curve keys, unverified TLS, insecure SSH host trust, Telnet, and authentication over HTTP.
Django CSRF exemptions, mass assignment, raw or custom SQL, unsafe templates, XSS, command injection, path traversal, and unsafe password defaults.
Flask debug exposure, hardcoded configuration or secrets, server-side template injection, disabled CSRF, insecure cookies, XSS, open redirects, unsafe deserialization, and unsafe file serving.

Ruby and infrastructure

Ruby unsafe deserialization, mass assignment, missing CSRF protection, disabled SSL verification, file disclosure, unsafe send or eval, weak hashes, hardcoded HTTP authentication, and skipped security filters.
Terraform public EKS endpoints, public read-write S3 buckets, and wildcard S3 CORS.
Public AWS S3 policy statements.

09 / Software supply chain

Known vulnerable dependencies

VibeLint checks pinned dependencies against current vulnerability advisories and retains offline fallback coverage for important known issues.

Pro + Max

Supported package ecosystems

Python packages declared in requirements files, Pipfile, and pyproject.toml.
npm packages declared in package.json and package-lock.json.
Go modules, Ruby gems, Rust crates, PHP Composer packages, Maven and Gradle packages, and NuGet packages.

Dependency risk classes

Remote code execution, command injection, unsafe deserialization, and sandbox escape vulnerabilities.
Server-side request forgery, open redirects, cache poisoning, and improper URI handling.
Prototype pollution, regular-expression denial of service, decompression or parser denial of service, and memory-safety defects.
Path traversal, authentication bypass, XSS, XML parser vulnerabilities, and credential, token, cookie, or header leakage.

Representative built-in fallback coverage

Log4Shell remote code execution and Apache Struts upload path traversal.
PyYAML and SnakeYAML arbitrary code execution.
lodash command injection and minimist prototype pollution.
Axios SSRF and Next.js cache-poisoning or SSRF vulnerabilities.
Vulnerable Django, Flask, Rails, Laravel, Tokio, OpenSSL, cryptography, and .NET package versions.
Npgsql authentication bypass and vulnerable JWT verification libraries.

Findings still require review

A finding identifies a risky pattern or a missing security control. It does not automatically prove that the code is exploitable. Review the surrounding code, confirm the data flow and runtime configuration, then apply or adapt the suggested fix.

VibeLint Docs

Dashboard

All documentation

Coverage reference

Code Security

The detailed security risks VibeLint checks in AI-generated and project code, organized by vulnerability instead of internal scanner names.

FreeIncluded in every planPro + MaxFull specialized coverage

01 / Credentials and secrets

Secret and credential exposure

VibeLint looks for credentials and sensitive values that should never be committed, bundled, logged, or copied with source code.

Free

Generic secret exposure

Hardcoded API keys, API secrets, private keys, access tokens, authentication tokens, JWT secrets, and high-entropy secret strings.
Hardcoded passwords, administrator credentials, bypass credentials, and Basic Auth credentials.
Credentials embedded in PostgreSQL, MySQL, MongoDB, and Redis connection URLs.
Base64 and hexadecimal high-entropy strings that resemble secret material.
Public IP exposure candidates found in sensitive configuration contexts.

Provider and platform credentials

OpenAI and Anthropic API keys.
AWS Access Key IDs, AWS Secret Access Keys, Azure Storage keys, IBM Cloud IAM keys, IBM COS HMAC keys, Cloudant credentials, and SoftLayer credentials.
GitHub, GitLab, npm, PyPI, Artifactory, Mailchimp, SendGrid, Slack, Discord, Telegram, and Twilio tokens.
Stripe keys, Square OAuth credentials, JWT tokens, and private-key material.

Configuration mistakes

Hardcoded fallback values that defeat process.env secret loading.
Hardcoded NEXTAUTH_SECRET and NEXTAUTH_URL configuration.
NEXT_PUBLIC variables hardcoded in source instead of loaded from environment configuration.

02 / Identity and sessions

Authentication and session weaknesses

These checks focus on authentication code that looks functional but weakens password, token, session, or credential security.

Free

Password and identity risks

MD5 or SHA-1 used for password hashing.
Plaintext password comparisons instead of secure password verification.
Hardcoded administrator or authentication bypass credentials.
SQL injection inside authentication queries.

JWT and session risks

JWT signature verification disabled with verify=False.
JWT tokens accepted with the none algorithm.
Authentication tokens stored in localStorage, where an XSS vulnerability can read them.
NextAuth debug mode enabled with potential production information leakage.

Credential transport

Passwords, access tokens, API keys, secrets, or authentication values placed in URL query parameters.

03 / Untrusted input

Injection, browser, and execution risks

VibeLint checks whether untrusted input is composed into database operations, browser rendering, operating-system commands, or dynamic code execution.

Free

SQL injection

SQL queries built with Python f-strings.
SQL queries built with .format() or percent string formatting.
SQL statements assembled through string concatenation.
SQL queries built with JavaScript or TypeScript template-literal interpolation.

NoSQL injection

Raw request bodies, query strings, form data, or route parameters passed directly into MongoDB operations.
Parsed JSON used directly as a MongoDB query or filter.
MongoDB $where server-side JavaScript injection.
User-controlled $ne, $gt, $gte, $lt, $lte, $in, $nin, $regex, $exists, $not, $or, $and, $nor, $elemMatch, $text, and $search operators.
NoSQL injection into find, findOne, aggregate, insert, update, delete, replace, count, and distinct operations.

Browser and object injection

DOM XSS through dynamic innerHTML or outerHTML assignments.
XSS through dynamic document.write() calls.
React dangerouslySetInnerHTML used without sanitization.
Arbitrary JavaScript execution through dynamic eval().
Prototype pollution through user-controlled object property keys.

System and file access

Operating-system command injection through os.system().
Shell injection through subprocess calls with shell=True.
Path traversal through dynamic or user-controlled file paths passed to open().

04 / Application boundaries

CORS and framework misconfiguration

Configuration written for a quick local demo can create serious exposure when it reaches a shared, staging, or production environment.

Free

Cross-origin access

Wildcard or allow-all CORS policies in Express, FastAPI, Django, Spring Boot, Go, and ASP.NET.
Wildcard Access-Control-Allow-Origin headers created manually in application code.
Cross-origin data exposure caused by allowing untrusted websites to access API responses.

Django configuration

Django DEBUG=True exposing stack traces and application internals.
Wildcard ALLOWED_HOSTS settings that enable host-header abuse.
CSRF cookies allowed over non-HTTPS transport.
Session cookies allowed over non-HTTPS transport.

Flask configuration

Flask debugger and interactive traceback enabled.
Flask application debug mode enabled in production-like configuration.

05 / Protected operations

Missing authentication and authorization

VibeLint checks API routes for evidence that callers are authenticated and that sensitive actions have an explicit role, permission, or scope decision.

Pro + Max

Missing authentication

API endpoints that expose data or actions without an authentication guard.
Unprotected Flask, FastAPI, Django REST, Express, Koa, Hono, Next.js App Router, Spring Boot, and Go HTTP routes.

Missing authorization

Authenticated sensitive routes with no authorization, role, permission, scope, RBAC, or ABAC check.
Missing authorization on admin, role, permission, grant, revoke, billing, payment, invoice, refund, secret, API-key, and internal routes.

06 / Abuse resistance

Missing or ineffective rate limiting

Sensitive and write-heavy endpoints need meaningful request limits to resist brute force, automation abuse, and resource exhaustion.

Pro + Max

Routes without protection

Missing rate limiting on login, sign-in, sign-up, registration, authentication, token, refresh, reset-password, forgot-password, OTP, MFA, verification, and session endpoints.
Missing rate limiting on API write operations such as POST, PUT, PATCH, and DELETE.
Brute-force, credential-stuffing, API-abuse, resource-exhaustion, and denial-of-service exposure.

Weak or disabled limits

No-op limits such as max: 0, limit: 0, null, None, or Infinity.
Rate-limit windows configured as windowMs: 0.
Zero Django, Flask, or FastAPI throttle rates.
Spring limit or replenishment values set to zero.
Go rate limiters configured with rate.Inf.

07 / AI-native threats

Prompt injection and unsafe model execution

AI inputs and outputs are untrusted data. VibeLint follows risky input into model calls and looks for model output that reaches execution-capable functions.

Pro + Max

Direct prompt injection

Unsanitized HTTP requests, forms, query parameters, route parameters, command-line input, or stdin passed into an AI call.
Unsanitized function parameters that reach an AI API.
Prompt injection flowing through helper functions and multiple variable assignments.

Indirect and obfuscated prompt injection

Untrusted content from websites, API responses, databases, files, browser storage, or DOM content passed into an AI call.
Instruction overrides, persona replacement, developer-mode or DAN-mode language, hidden-directive requests, memory-clearing requests, and restriction-removal language embedded in prompt content.
Base64, ROT13, Unicode escape, and browser atob() prompt obfuscation near an AI call.

MCP and agent escalation

MCP tool arguments controlled by an AI model reaching eval, exec, shell commands, subprocesses, or file access without strict validation.
AI-controlled tool values used without an allowlist or schema validation.

Unsafe LLM output execution

LLM output passed into Python eval(), exec(), subprocess, or os.system().
LLM output passed into JavaScript eval(), new Function, child_process.exec, or child_process.spawn.
Model-generated commands or code executed without an allowlist, strict schema, validation, or sandbox.

08 / Expanded language coverage

Additional static-analysis risks

The Free tier also runs a broad security-audit ruleset. These findings extend coverage across supported languages and may overlap with some specialized checks.

Free

C, containers, HTML, and Nginx

C and C++ buffer overflows, unsafe string functions, format-string attacks, double-free, use-after-free, and file-descriptor exhaustion.
Docker containers left running as the root user.
HTML attribute injection, unsafe dynamic links, script-tag injection, and template XSS.
Nginx dynamic-proxy SSRF, header injection, header redefinition, open redirects, weak or missing TLS policy, missing internal-route protection, and alias path traversal.

Go

Insecure gRPC, TLS, and SSH configuration; hardcoded JWT keys; weak randomness; and DES, MD5, RC4, or SHA-1 use.
SQL injection, unsafe binding to all interfaces, debug endpoint exposure, HTTP template injection, and context-specific XSS.
Unsafe memory operations, insecure temporary files, decompression bombs, Zip Slip, and dangerous embedded JavaScript execution.

Java and JVM frameworks

Command, SQL, LDAP, EL, SpEL, XPath, script-engine, CRLF, log, and HTTP response-splitting injection.
Unsafe object, XMLDecoder, XXE, and RMI deserialization.
Path traversal, open redirects, URL rewriting, permissive CORS, disabled CSRF, unrestricted request mappings, and excessive file permissions.
Weak randomness, weak hashes, DES or 3DES, null ciphers, static initialization vectors, RSA without padding, insecure trust managers, insecure hostname verification, and unencrypted sockets.
Missing Secure or HttpOnly cookie flags and direct response-writer XSS.

JavaScript, TypeScript, and React

Hardcoded JWT secrets, JWT none-algorithm acceptance, dynamic eval, child-process execution, and unsafe buffer operations.
Disabled template escaping, CSRF ordering problems, weak pseudo-random values, unsafe git clone execution, and open redirects.
XXE through expat, SAX, or XML conversion libraries and unknown values inserted into script tags.
React requests over insecure transport, raw HTML rendered through Markdown, and dangerouslySetInnerHTML.

Python, Django, and Flask

Command injection, dynamic URL and request risk, SQLAlchemy injection, unsafe subprocess execution, and binding services to all interfaces.
Unsafe YAML, pickle, cPickle, dill, shelve, marshal, multiprocessing, XML, and XML-RPC deserialization or parsing.
Weak ciphers, ECB mode, weak hashes, undersized elliptic-curve keys, unverified TLS, insecure SSH host trust, Telnet, and authentication over HTTP.
Django CSRF exemptions, mass assignment, raw or custom SQL, unsafe templates, XSS, command injection, path traversal, and unsafe password defaults.
Flask debug exposure, hardcoded configuration or secrets, server-side template injection, disabled CSRF, insecure cookies, XSS, open redirects, unsafe deserialization, and unsafe file serving.

Ruby and infrastructure

Ruby unsafe deserialization, mass assignment, missing CSRF protection, disabled SSL verification, file disclosure, unsafe send or eval, weak hashes, hardcoded HTTP authentication, and skipped security filters.
Terraform public EKS endpoints, public read-write S3 buckets, and wildcard S3 CORS.
Public AWS S3 policy statements.

09 / Software supply chain

Known vulnerable dependencies

VibeLint checks pinned dependencies against current vulnerability advisories and retains offline fallback coverage for important known issues.

Pro + Max

Supported package ecosystems

Python packages declared in requirements files, Pipfile, and pyproject.toml.
npm packages declared in package.json and package-lock.json.
Go modules, Ruby gems, Rust crates, PHP Composer packages, Maven and Gradle packages, and NuGet packages.

Dependency risk classes

Remote code execution, command injection, unsafe deserialization, and sandbox escape vulnerabilities.
Server-side request forgery, open redirects, cache poisoning, and improper URI handling.
Prototype pollution, regular-expression denial of service, decompression or parser denial of service, and memory-safety defects.
Path traversal, authentication bypass, XSS, XML parser vulnerabilities, and credential, token, cookie, or header leakage.

Representative built-in fallback coverage

Log4Shell remote code execution and Apache Struts upload path traversal.
PyYAML and SnakeYAML arbitrary code execution.
lodash command injection and minimist prototype pollution.
Axios SSRF and Next.js cache-poisoning or SSRF vulnerabilities.
Vulnerable Django, Flask, Rails, Laravel, Tokio, OpenSSL, cryptography, and .NET package versions.
Npgsql authentication bypass and vulnerable JWT verification libraries.