InfraCanvas Security Audit Uncovers Critical Vulnerabilities: Open Redirects, CSRF Risks, Unpatched Next.js CVE
A security audit of the InfraCanvas repository has identified multiple vulnerabilities requiring immediate developer review. Running the codebase through Debuggix, a nine-engine scanner that completes its analysis in about 60 seconds, returned findings in two files: `pkg/server/server.go` and `frontend/package-lock.json`. The scan flagged configuration weaknesses, missing cookie security flags, and unpatched dependencies that together expand the application's attack surface.
The server implementation contains the most severe issues. The WebSocket upgrade handlers at lines 350 and 473 accept the handshake from any origin. A browser attaches the site's cookies to a WebSocket handshake regardless of which page opened it (absent a SameSite restriction on the cookie), and the same-origin policy does not restrict WebSocket traffic, so a page on an attacker's domain can open an authenticated socket in a victim's browser and read and write on it. This is cross-site WebSocket hijacking, the WebSocket form of CSRF, and the only server-side defence is checking the `Origin` header against an allowlist. At line 268 a user-supplied value is passed straight to `redirect()` without being checked against an allowlist of permitted destinations, an open redirect that lets a link on the legitimate domain deliver users to a phishing page or leak tokens carried in the URL. The session cookie set at line 256 lacks the Secure flag, so the browser will also send it over plain HTTP, where it can be read on the wire. Plain-HTTP traffic without TLS persists at line 306 and in the metrics collection routines, exposing whatever those channels carry.
The frontend dependency stack adds further risk. The lockfile pins a Next.js version affected by CVE-2025-29927, a middleware authorization bypass: a request carrying a crafted `x-middleware-subrequest` header causes affected versions to skip middleware entirely, so any authentication or authorization check implemented there never runs. The fix shipped in Next.js 15.2.3 and 14.2.25, with backports to 13.5.9 and 12.3.5. Alongside it the lockfile records eight high-severity and eight medium-severity CVEs. Unpatched frontend dependencies and insecure server-side controls compound each other, particularly if the Go server relies on the Next.js middleware layer for access control in front of the redirect or WebSocket endpoints, since the bypass would then expose them unauthenticated. Developers have been notified to add origin validation, allowlist-based redirects, Secure-flagged cookies, and dependency updates.
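As an added illustration of the three server-side remediations above (this is example code, not InfraCanvas code, and it was written without sight of the flagged lines), the hardened forms in Go using only the standard library. The origin, host and cookie names are assumed placeholders; `OriginAllowed` has the `func(*http.Request) bool` shape that gorilla/websocket's `Upgrader.CheckOrigin` takes, which is an assumption about the library the server uses.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
	"time"
)

// Hardened forms of the three server-side findings. Added example, not
// InfraCanvas code: origin, host and cookie names are assumed placeholders.

// allowedOrigins lists the browser origins permitted to open a WebSocket.
// Entries are scheme://host[:port] in lowercase, because that is exactly
// what a browser places in the Origin header (assumed deployment origin).
var allowedOrigins = map[string]bool{
	"https://canvas.example.com": true,
}

// OriginAllowed replaces a CheckOrigin that returns true unconditionally.
// A browser always sends Origin on an upgrade request and an attacker's page
// cannot alter it, so an allowlist comparison stops cross-site WebSocket
// hijacking. A request with no Origin comes from a non-browser client, which
// cannot ride on a victim's cookies, so it is let through; flip that to
// false if only browser clients are expected.
func OriginAllowed(r *http.Request) bool {
	origin := r.Header.Get("Origin")
	if origin == "" {
		return true
	}
	u, err := url.Parse(origin)
	if err != nil || u.Scheme == "" || u.Host == "" {
		return false
	}
	return allowedOrigins[strings.ToLower(u.Scheme)+"://"+strings.ToLower(u.Host)]
}

// SafeRedirect resolves a user-supplied target against the site's base URL
// and returns it only if it stays on an allowlisted host over https.
// Relative paths ("/dashboard") pass; "//evil.example", absolute off-site
// URLs, userinfo tricks ("https://good@evil.example"), scheme downgrades and
// non-web schemes are refused. Backslashes are refused outright because
// browsers parse "/\evil.example" as "//evil.example". When it returns false
// the caller should redirect to a fixed safe location such as "/".
func SafeRedirect(raw string, base *url.URL, allowedHosts map[string]bool) (string, bool) {
	if raw == "" || strings.Contains(raw, "\\") {
		return "", false
	}
	ref, err := url.Parse(raw)
	if err != nil {
		return "", false
	}
	if ref.Scheme != "" && ref.Scheme != "http" && ref.Scheme != "https" {
		return "", false
	}
	target := base.ResolveReference(ref)
	if target.Scheme != "https" || !allowedHosts[strings.ToLower(target.Host)] {
		return "", false
	}
	return target.String(), true
}

// SessionCookie sets the flags the scan found missing. Secure stops the
// browser sending the cookie over plain HTTP, HttpOnly hides it from script,
// and SameSite=Lax withholds it from cross-site requests, WebSocket
// handshakes included. The __Host- prefix makes the browser reject the
// cookie unless it is Secure, has no Domain and has Path=/, so a later
// misconfiguration fails loudly instead of silently weakening it.
func SessionCookie(token string, ttl time.Duration) *http.Cookie {
	return &http.Cookie{
		Name:     "__Host-session", // assumed cookie name
		Value:    token,
		Path:     "/",
		Secure:   true,
		HttpOnly: true,
		SameSite: http.SameSiteLaxMode,
		Expires:  time.Now().Add(ttl),
	}
}

func main() {
	base, _ := url.Parse("https://canvas.example.com/")
	hosts := map[string]bool{"canvas.example.com": true}
	for _, in := range []string{"/dashboard?tab=1", "//evil.example/login", "http://canvas.example.com/", "javascript:alert(1)"} {
		target, ok := SafeRedirect(in, base, hosts)
		fmt.Printf("%-28q allowed=%-5v -> %s\n", in, ok, target)
	}
	req, _ := http.NewRequest("GET", "https://canvas.example.com/ws", nil)
	req.Header.Set("Origin", "https://evil.example")
	fmt.Println("cross-site upgrade allowed:", OriginAllowed(req))
	fmt.Println("Set-Cookie:", SessionCookie("opaque-token", time.Hour).String())
}
```

The allowlist in `SafeRedirect` is keyed on host, so a deployment that serves on a non-default port must list `host:port`; comparing whole hosts rather than prefixes is what defeats `canvas.example.com.evil.example`. The `https` requirement also closes the downgrade case, where an attacker supplies an `http://` URL on the legitimate host to strip the session cookie's transport protection.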