nikwithak (Contributor) commented Sep 10, 2025

🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-25012

Dependent on changes from SDK in this PR:
bitwarden/sdk-internal#433

📔 Objective

Properly consumes the calls to migrate the ciphers, using the SDK changes in
bitwarden/sdk-internal#433

⏰ Reminders before review

  • Contributor guidelines followed
  • All formatters and local linters executed and passed
  • Written new unit and / or integration tests where applicable
  • Protected functional changes with optionality (feature flags)
  • Used internationalization (i18n) for all UI strings
  • CI builds passed
  • Communicated to DevOps any deployment requirements
  • Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team

🦮 Reviewer guidelines

  • 👍 (:+1:) or similar for great changes
  • 📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
  • ❓ (:question:) for questions
  • 🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
  • 🎨 (:art:) for suggestions / improvements
  • ❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
  • 🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
  • ⛏ (:pick:) for minor or nitpick changes

github-actions bot (Contributor) commented Sep 10, 2025

Checkmarx One – Scan Summary & Details (02334678-0314-4512-b62c-735544bee9c5)

New Issues (81)

Checkmarx found the following issues in this Pull Request

Severity | Issue | Source File / Package | Checkmarx Insight
CRITICAL | CVE-2024-40643 | Npm-htmlparser2-3.10.1
  Recommended version: 5.0.0
  Description: Joplin is a free, open-source note-taking and to-do application. Joplin fails to consider that "<" followed by a non-letter character will not be c...
  Attack Vector: NETWORK
  Attack Complexity: LOW
  ID: VibJsavLC2y6KiG9eHbPuRzS9FefenHGt8nGAgAa%2BeY%3D

CRITICAL | CVE-2025-7783 | Npm-form-data-3.0.3
  Recommended version: 3.0.4
  Description: Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution (HPP). This vulnerability is associated with program...
  Attack Vector: NETWORK
  Attack Complexity: HIGH
  ID: hVEKe36bEPoeeSLAn1L57x8OhzqiUS%2F0q6q%2FkEwsyPE%3D

CRITICAL | CVE-2025-7783 | Npm-axios-1.10.0
  Recommended version: 1.11.0
  Description: Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution (HPP). This vulnerability is associated with program...
  Attack Vector: NETWORK
  Attack Complexity: HIGH
  ID: LmkZ%2FQoDjL5gSotSkEnco%2FIuqL1myZuTP%2B25Sceq0qs%3D

HIGH | Absolute_Path_Traversal | /apps/cli/src/oss-serve-configurator.ts: 307
  Method Lambda at line 307 of /apps/cli/src/oss-serve-configurator.ts gets dynamic data from the query element. This element’s value then flows ...
  ID: wkT684sJjHDUrkTqMHTnzNnY8Bo%3D

HIGH | Absolute_Path_Traversal | /apps/cli/src/oss-serve-configurator.ts: 339
  Method Lambda at line 339 of /apps/cli/src/oss-serve-configurator.ts gets dynamic data from the query element. This element’s value then flows ...
  ID: hxYW%2FdbbGWn%2FqFxbebSAl24l7KQ%3D

HIGH | Absolute_Path_Traversal | /apps/cli/src/oss-serve-configurator.ts: 307
  Method Lambda at line 307 of /apps/cli/src/oss-serve-configurator.ts gets dynamic data from the query element. This element’s value then flows ...
  ID: 7Rw8C9MY8FMIv0QDqaZPnYT5RAI%3D

HIGH | Absolute_Path_Traversal | /apps/cli/src/oss-serve-configurator.ts: 339
  Method Lambda at line 339 of /apps/cli/src/oss-serve-configurator.ts gets dynamic data from the query element. This element’s value then flows ...
  ID: W4qGy6LGLflZWfZXPtGwYUbMcG4%3D

HIGH | CVE-2025-47935 | Npm-multer-1.4.5-lts.2
  Recommended version: 2.0.2
  Description: Multer is a Node.js middleware for handling "multipart/form-data". In versions prior to 2.0.0 are vulnerable to a resource exhaustion and memory le...
  Attack Vector: NETWORK
  Attack Complexity: LOW
  ID: 3YmPXx%2Bt%2FS1bi12TxvsosUG%2FsFnpwHOEcxEhkSkYVhs%3D

HIGH | CVE-2025-47944 | Npm-multer-1.4.5-lts.2
  Recommended version: 2.0.2
  Description: Multer is a Node.js middleware for handling "multipart/form-data". A vulnerability that is present in versions 1.0.0 through 1.4.5-lts.2, and 2.0.0...
  Attack Vector: NETWORK
  Attack Complexity: LOW
  ID: 8TcDMYyGXZq56bHMUlbkTgKIfJFQ9RsD0xIwsKZ1z%2FM%3D

HIGH | CVE-2025-48997 | Npm-multer-1.4.5-lts.2
  Recommended version: 2.0.2
  Description: Multer is a Node.js middleware for handling "multipart/form-data". A vulnerability allows an attacker to trigger a Denial of Service (DoS) by sendi...
  Attack Vector: NETWORK
  Attack Complexity: LOW
  ID: 9qaFc%2Bmdv0bm9%2B%2F1dq95LaTmah%2F4EGs0ykfLVQBMOPk%3D

HIGH | CVE-2025-5068 | Npm-electron-36.4.0
  Recommended version: 36.9.0
  Description: Use After Free in Blink in Google Chrome versions prior to 137.0.7151.68 allowed a remote attacker to potentially exploit heap corruption via a cra...
  Attack Vector: NETWORK
  Attack Complexity: LOW
  ID: 3%2BWODmopVRRyeCHG7AC6AYX7y7rBd%2BMgU%2FNt66vdgEg%3D

HIGH | CVE-2025-5280 | Npm-electron-36.4.0
  Recommended version: 36.9.0
  Description: Out-of-bounds Write in V8 in Google Chrome prior to 137.0.7151.55 allowed a remote attacker to potentially exploit heap corruption via a crafted HT...
  Attack Vector: NETWORK
  Attack Complexity: LOW
  ID: HTwtNluZMR4S3MS66B%2BQhZoi0CBeaTSZFPUeuxC0pmU%3D

HIGH | CVE-2025-5419 | Npm-electron-36.4.0
  Recommended version: 36.9.0
  Description: Out-of-bounds Read and Write in V8 in Google Chrome prior to 137.0.7151.68 allowed a remote attacker to potentially exploit heap corruption via a c...
  Attack Vector: NETWORK
  Attack Complexity: LOW
  ID: uUa6fTwPke1ZvGKUz3xgoCANuF1J4N6kpCHquKMkOJ4%3D

HIGH | CVE-2025-5958 | Npm-electron-36.4.0
  Recommended version: 36.9.0
  Description: Use After Free in Media in Google Chrome prior to 137.0.7151.103 allowed a remote attacker to potentially exploit heap corruption via a crafted HTM...
  Attack Vector: NETWORK
  Attack Complexity: LOW
  ID: teMdGuyj838%2BOoj2%2BQ2DvBNhqPWtLPgf2WLF2DCYApk%3D

HIGH | CVE-2025-5959 | Npm-electron-36.4.0
  Recommended version: 36.9.0
  Description: Type Confusion in V8 in Google Chrome prior to 137.0.7151.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HT...
  Attack Vector: NETWORK
  Attack Complexity: LOW
  ID: pgmr2vZ01WA1lPxd2JrfRFfz3YA2L2cwPwc54Rensyw%3D

HIGH | CVE-2025-6191 | Npm-electron-36.4.0
  Recommended version: 36.9.0
  Description: Integer Overflow in V8 in Google Chrome prior to 137.0.7151.119 allowed a remote attacker to potentially perform out-of-bounds memory access via a ...
  Attack Vector: NETWORK
  Attack Complexity: LOW
  ID: 6R27eJw6wgBkuv693PO4UHS61BOchkadC2cb%2Fw84vIo%3D

HIGH | CVE-2025-6192 | Npm-electron-36.4.0
  Recommended version: 36.9.0
  Description: Use After Free in Metrics in Google Chrome prior to 137.0.7151.119 allowed a remote attacker to potentially exploit heap corruption via a crafted H...
  Attack Vector: NETWORK
  Attack Complexity: LOW
  ID: Th3gP298LI3%2FVbGG7AyGzDML%2FyMrAlKSLc5nmFucSqY%3D

HIGH | CVE-2025-6558 | Npm-electron-36.4.0
  Recommended version: 36.9.0
  Description: Insufficient validation of untrusted input in ANGLE and GPU in Google Chrome prior to 138.0.7204.157 allowed a remote attacker to potentially perfo...
  Attack Vector: NETWORK
  Attack Complexity: LOW
  ID: 7b3jYqsw2EmKNbOPh7473qsqA7ZXmJ0szqHLQpgHOXI%3D

HIGH | CVE-2025-7338 | Npm-multer-1.4.5-lts.2
  Recommended version: 2.0.2
  Description: Multer is a Node.js middleware for handling `multipart/form-data`. A vulnerability that is present in versions 1.4.4-lts.1, 1.4.5-lts.1 through 1.4...
  Attack Vector: NETWORK
  Attack Complexity: LOW
  ID: pPzhvyHvLrXW51674FmVIuIoTnXnd%2B5PjYfulIjL8Ak%3D

HIGH | CVE-2025-7656 | Npm-electron-36.4.0
  Recommended version: 36.9.0
  Description: An Integer Overflow vulnerability in V8 in Google Chrome prior to 138.0.7204.157 allowed a remote attacker to potentially exploit heap corruption v...
  Attack Vector: NETWORK
  Attack Complexity: LOW
  ID: jgRjglCjSPiFwvRAktGMub1hTbabiOSP2VsK7vgOyXg%3D

HIGH | CVE-2025-7657 | Npm-electron-36.4.0
  Recommended version: 36.9.0
  Description: Use After Free in WebRTC in Google Chrome prior to 138.0.7204.157 allowed a remote attacker to potentially exploit heap corruption via a crafted HT...
  Attack Vector: NETWORK
  Attack Complexity: LOW
  ID: h65hpw4%2B5RBH8%2F2WQ2Li7aidRTvjYD%2Fh20Lkue9oTl0%3D

HIGH | CVE-2025-8010 | Npm-electron-36.4.0
  Recommended version: 36.9.0
  Description: Type Confusion in V8 in Google Chrome prior to 138.0.7204.168 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML p...
  Attack Vector: NETWORK
  Attack Complexity: LOW
  ID: mnN63r6ebkzbEQJg06H5tBzqm0hJqGJNyBWqh%2BaiP6M%3D

HIGH | CVE-2025-8011 | Npm-electron-36.4.0
  Recommended version: 36.9.0
  Description: Type Confusion in V8 in Google Chrome prior to 138.0.7204.168 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML p...
  Attack Vector: NETWORK
  Attack Complexity: LOW
  ID: uARKvUZ9Ml4GnNgIWhi4brRPwB7rQBxuq%2FMKHx6hiYE%3D

HIGH | CVE-2025-8292 | Npm-electron-36.4.0
  Recommended version: 36.9.0
  Description: Use After Free in Media Stream in Google Chrome prior to 138.0.7204.183 allowed a remote attacker to potentially exploit heap corruption via a craf...
  Attack Vector: NETWORK
  Attack Complexity: LOW
  ID: CRUI0EbOim%2BbsIh16%2Bgvpr%2BPUMRRFzFxfFx5UNP5iUo%3D

HIGH | CVE-2025-8576 | Npm-electron-36.4.0
  Recommended version: 36.9.0
  Description: Use After Free in Extensions in Google Chrome prior to 139.0.7258.66 allowed a remote attacker to potentially exploit heap corruption via a crafted...
  Attack Vector: NETWORK
  Attack Complexity: LOW
  ID: ZhNmKpToPUcZK3yzPibFw5RwBvRzaez9AFdW1pO%2Bfas%3D

HIGH | CVE-2025-8578 | Npm-electron-36.4.0
  Recommended version: 36.9.0
  Description: Use After Free in Cast in Google Chrome versions prior to 139.0.7258.66 allowed a remote attacker to potentially exploit heap corruption via a craf...
  Attack Vector: NETWORK
  Attack Complexity: LOW
  ID: thJAsnEpZvcYVGl1Or2nowK2FycvC4WPaTK%2FvEVxSws%3D

HIGH | CVE-2025-8879 | Npm-electron-36.4.0
  Recommended version: 36.9.0
  Description: Heap buffer overflow in libaom in Google Chrome prior to 139.0.7258.127 allowed a remote attacker to potentially exploit heap corruption via a cura...
  Attack Vector: NETWORK
  Attack Complexity: LOW
  ID: tE8IHtsZKQfBORlVYro8znNZsZgTxOsm6Wfe5Gd%2BFi0%3D

HIGH | CVE-2025-8880 | Npm-electron-36.4.0
  Recommended version: 36.9.0
  Description: Race in V8 in Google Chrome through 139.0.7258.126 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
  Attack Vector: NETWORK
  Attack Complexity: LOW
  ID: rjz4iiPDcn0rxRfQByzI5e5TME2IRmzkndD2%2FopPOLc%3D

HIGH | CVE-2025-8882 | Npm-electron-36.4.0
  Recommended version: 36.9.0
  Description: Use after free in Aura in Google Chrome prior to 139.0.7258.127 allowed a remote attacker who convinced a user to engage in specific UI gestures to...
  Attack Vector: NETWORK
  Attack Complexity: LOW
  ID: sebDXkmNunoSyRrhR05W8UQqOnz7PyvBwJAFiZboDos%3D

HIGH | CVE-2025-8901 | Npm-electron-36.4.0
  Recommended version: 36.9.0
  Description: Out-of-bounds Write in ANGLE in Google Chrome prior to 139.0.7258.127 allowed a remote attacker to perform out-of-bounds memory access via a crafte...
  Attack Vector: NETWORK
  Attack Complexity: LOW
  ID: T%2Fi1bViaCZcUDsxWlE%2FRHcdR8DA%2FDifjXeiNdnYikSw%3D

HIGH | CVE-2025-9132 | Npm-electron-36.4.0
  Recommended version: 36.9.0
  Description: Out-of-bounds Write in V8 in Google Chrome prior to 139.0.7258.138 allowed a remote attacker to potentially exploit heap corruption via a crafted H...
  Attack Vector: NETWORK
  Attack Complexity: LOW
  ID: 139toI%2BehNaKsLW2%2BkqduFDRI3mUB26xfZhb0gwqFIg%3D

HIGH | CVE-2025-9478 | Npm-electron-36.4.0
  Recommended version: 36.9.0
  Description: Use after free in ANGLE in Google Chrome prior to 139.0.7258.154 allowed a remote attacker to potentially exploit heap corruption via a crafted HTM...
  Attack Vector: NETWORK
  Attack Complexity: LOW
  ID: %2BRoAqcYGBUSXrDp4uzx%2BZbPiRliqMGMQK8Ig89B2WDg%3D

HIGH | CVE-2025-9864 | Npm-electron-36.4.0
  Recommended version: 36.9.0
  Description: Use after free in V8 in Google Chrome prior to 140.0.7339.80 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML pa...
  Attack Vector: NETWORK
  Attack Complexity: LOW
  ID: jhXREIXPPafL6XPkVD2hf%2FGnDWa1S6AaOjdPfiPoAqM%3D

HIGH | Client_DOM_XSS | /apps/web/src/connectors/redirect.ts: 6
  The method Lambda embeds untrusted data in generated output with href, at line 16 of /apps/web/src/connectors/redirect.ts. This untrusted data is...
  ID: J8h77eFiSWyRh3XTl0AMwUPdp0s%3D

HIGH | Cx39aef355-ca85 | Npm-@eslint/plugin-kit-0.2.8
  Recommended version: 0.3.4
  Description: The "ConfigCommentParser#parseJSONLikeConfig" API is vulnerable to a Regular Expression Denial of Service (ReDoS) attack in its only argument. This...
  Attack Vector: NETWORK
  Attack Complexity: LOW
  ID: KNUWoPjLBLyncEroq5MHu5FLEXd8DLJJheRLSNrzvQI%3D

HIGH | Cxdca8e59f-8bfe | Npm-inflight-1.0.6
  Description: In NPM `inflight` there is a Memory Leak because some resources are not freed correctly after being used. It appears to affect all versions, as the...
  Attack Vector: NETWORK
  Attack Complexity: LOW
  ID: I26WWGvqOwFZxf2LV75hibVky%2Fj9bXCVc2r82mMjBtA%3D

HIGH | Relative_Path_Traversal | /apps/cli/src/oss-serve-configurator.ts: 376
  Method Lambda at line 376 of /apps/cli/src/oss-serve-configurator.ts gets dynamic data from the query element. This element’s value then flows ...
  ID: Z9VmC795OVJLVmDXZjdcNiGEWdk%3D

HIGH | Relative_Path_Traversal | /apps/cli/src/oss-serve-configurator.ts: 376
  Method Lambda at line 376 of /apps/cli/src/oss-serve-configurator.ts gets dynamic data from the query element. This element’s value then flows ...
  ID: iPRKI71c7hFVnui5lvgeoWr1yas%3D

MEDIUM | CVE-2025-30359 | Npm-webpack-dev-server-5.2.0
  Recommended version: 5.2.1
  Description: The webpack-dev-server allows users to use webpack with a development server that provides live reloading. The webpack-dev-server users' source cod...
  Attack Vector: NETWORK
  Attack Complexity: HIGH
  ID: pXM7JBTCcL%2BvWyO8P3ooF0YapAqauAA2K7ue40mut4c%3D

MEDIUM | CVE-2025-30360 | Npm-webpack-dev-server-5.2.0
  Recommended version: 5.2.1
  Description: Webpack-dev-server allows users to use webpack with a development server that provides live reloading. Webpack-dev-server users' source code may b...
  Attack Vector: NETWORK
  Attack Complexity: LOW
  ID: EfHLxB6KFdLC2VhNPl%2FwOziPuWLopMFSeCOaTwDoMdI%3D

MEDIUM | CVE-2025-5064 | Npm-electron-36.4.0
  Recommended version: 36.9.0
  Description: Inappropriate implementation in Background Fetch API in Google Chrome prior to 137.0.7151.55 allowed a remote attacker to leak cross-origin data vi...
  Attack Vector: NETWORK
  Attack Complexity: LOW
  ID: DUd7%2BBuXJJ%2F9l7YSL%2BjnOF3xWQR%2B8QE6YfMO9o8gT9I%3D

MEDIUM | CVE-2025-5065 | Npm-electron-36.4.0
  Recommended version: 36.9.0
  Description: Inappropriate implementation in FileSystemAccess API in Google Chrome prior to 137.0.7151.55 allowed a remote attacker to perform UI spoofing via a...
  Attack Vector: NETWORK
  Attack Complexity: LOW
  ID: e05hbypcgwg0TP%2Bxn1VCJp80u5f2Cnha8ywXalT1uvc%3D

MEDIUM | CVE-2025-5066 | Npm-electron-36.4.0
  Recommended version: 36.9.0
  Description: Inappropriate implementation in Messages in Google Chrome on Android prior to 137.0.7151.55 allowed a remote attacker who convinced a user to engag...
  Attack Vector: NETWORK
  Attack Complexity: LOW
  ID: YrAXlcorNNT96PrPUB9HVjuPrXvomGBz3Y8Rvhw%2BpjI%3D

MEDIUM | CVE-2025-5281 | Npm-electron-36.4.0
  Recommended version: 36.9.0
  Description: Inappropriate implementation in BFCache in Google Chrome prior to 137.0.7151.55 allowed a remote attacker to potentially obtain user information vi...
  Attack Vector: NETWORK
  Attack Complexity: LOW
  ID: wrXDfcWQWtTmsBeMCXGciFGhnO6F6MvjHLC5Vv7XMhk%3D

MEDIUM | CVE-2025-5283 | Npm-electron-36.4.0
  Recommended version: 36.9.0
  Description: Use after free in libvpx in Google Chrome prior to 137.0.7151.55 allowed a remote attacker to potentially exploit heap corruption via a crafted HTM...
  Attack Vector: NETWORK
  Attack Complexity: LOW
  ID: 43J8FJ%2BDlq0jHg12XMhWOxZl9Q4LtPjN%2FbkL9ZiYSag%3D

MEDIUM | CVE-2025-55305 | Npm-electron-36.4.0
  Recommended version: 36.9.0
  Description: Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML, and CSS. In versions prior to 35.7.5, 36.0.x prior ...
  Attack Vector: LOCAL
  Attack Complexity: LOW
  ID: i%2FZB6O6PygQ6e0fOhrIiOfMOgbdespmidLmLgkP%2BQPo%3D

MEDIUM | CVE-2025-6555 | Npm-electron-36.4.0
  Recommended version: 36.9.0
  Description: Use After Free in Animation in Google Chrome prior to 138.0.7204.49, allowed a remote attacker to potentially exploit heap corruption via a crafted...
  Attack Vector: NETWORK
  Attack Complexity: LOW
  ID: zMO0E9e%2FEry%2B4mg8shh7tWIwKnx2lO4ThSX6z39lOMY%3D

MEDIUM | CVE-2025-6556 | Npm-electron-36.4.0
  Recommended version: 36.9.0
  Description: Insufficient policy enforcement in Loader in Google Chrome prior to 138.0.7204.49 allowed a remote attacker to bypass content security policy via a...
  Attack Vector: NETWORK
  Attack Complexity: LOW
  ID: 8ShqJ7HCoxl17XFpXmdEKrw3Pf66jk8eWlajyoEE4t4%3D

MEDIUM | CVE-2025-6557 | Npm-electron-36.4.0
  Recommended version: 36.9.0
  Description: Insufficient data validation in DevTools in Google Chrome on Windows prior to 138.0.7204.49 allowed a remote attacker who convinced a user to engag...
  Attack Vector: NETWORK
  Attack Complexity: LOW
  ID: oS2g2VBNh1eFZsKbg%2FQIMjceJkE19GwKW79ckMDuDgM%3D

MEDIUM | CVE-2025-8129 | Npm-koa-2.16.1
  Recommended version: 2.16.2
  Description: A vulnerability, which was classified as problematic, was found in KoaJS Koa versions through 2.16.1 and versions 3.0.0-alpha0 through 3.0.0. Affec...
  Attack Vector: NETWORK
  Attack Complexity: LOW
  ID: qXD7IOOUJ7wakyGLA4t%2Bno1%2BcydSgCbBywSP4gCbWdQ%3D

MEDIUM | CVE-2025-8577 | Npm-electron-36.4.0
  Recommended version: 36.9.0
  Description: Inappropriate implementation in Picture In Picture in Google Chrome through 139.0.7258.65 allowed a remote attacker who convinced a user to engage ...
  Attack Vector: NETWORK
  Attack Complexity: LOW
  ID: 1dZ5KfMB3n6CYKabSFbNPSnsl%2FZw3HNOoiPDsfp8cFE%3D

MEDIUM | CVE-2025-8579 | Npm-electron-36.4.0
  Recommended version: 36.9.0
  Description: An inappropriate implementation in Picture In Picture in Google Chrome prior to 139.0.7258.66 allowed a remote attacker who convinced a user to eng...
  Attack Vector: NETWORK
  Attack Complexity: LOW
  ID: V6nnhvrGcGKDx23KhKxTSxym5aYgejTf4%2FRCT%2FqyKWw%3D

MEDIUM | CVE-2025-8580 | Npm-electron-36.4.0
  Recommended version: 36.9.0
  Description: An inappropriate implementation in Filesystems in Google Chrome prior to 139.0.7258.66 allowed a remote attacker to perform UI spoofing via a craft...
  Attack Vector: NETWORK
  Attack Complexity: LOW
  ID: EfPQkXpzyR4N4LhN8KsVrZDwQqrRKGucqIotTR%2BPyAY%3D

MEDIUM | CVE-2025-8581 | Npm-electron-36.4.0
  Recommended version: 36.9.0
  Description: Inappropriate implementation in Extensions in Google Chrome through 139.0.7258.65 allowed a remote attacker who convinced a user to engage in speci...
  Attack Vector: NETWORK
  Attack Complexity: LOW
  ID: B46wMSCHffZvn6rTjUEzARRVUeHcJtJtXgZNAyLPcPw%3D

MEDIUM | CVE-2025-8582 | Npm-electron-36.4.0
  Recommended version: 36.9.0
  Description: Insufficient validation of untrusted input in Core in Google Chrome prior to 139.0.7258.66 allowed a remote attacker to spoof the contents of the O...
  Attack Vector: NETWORK
  Attack Complexity: LOW
  ID: OiaPdmtJScPGulcsEN4ztbYj9ie4FbsD%2BjPxNEVPkLo%3D

MEDIUM | CVE-2025-8583 | Npm-electron-36.4.0
  Recommended version: 36.9.0
  Description: Inappropriate implementation in Permissions in Google Chrome through 139.0.7258.65 allowed a remote attacker to perform UI spoofing via a crafted H...
  Attack Vector: NETWORK
  Attack Complexity: LOW
  ID: c1gQ%2F0WhauTxQyP%2FjypfyiTPUhEBAGy9pigP6unbar4%3D

MEDIUM | CVE-2025-8881 | Npm-electron-36.4.0
  Recommended version: 36.9.0
  Description: Inappropriate implementation in File Picker in Google Chrome prior to 139.0.7258.127 allowed a remote attacker who convinced a user to engage in sp...
  Attack Vector: NETWORK
  Attack Complexity: LOW
  ID: R813%2FocVdKbZgnWggdCzOvNt6TBSyM1hydYylGkHnvw%3D

MEDIUM | CVE-2025-9865 | Npm-electron-36.4.0
  Recommended version: 36.9.0
  Description: Inappropriate implementation in the Toolbar in Google Chrome on Android prior to 140.0.7339.80 allowed a remote attacker who convinced a user to en...
  Attack Vector: NETWORK
  Attack Complexity: LOW
  ID: oSWOBtPh1O5FQDBvTkXqc10FXZsEVcNc2SCFuzjf%2BEk%3D

MEDIUM | CVE-2025-9867 | Npm-electron-36.4.0
  Recommended version: 36.9.0
  Description: Inappropriate implementation in Downloads in Google Chrome on Android prior to 140.0.7339.80 allowed a remote attacker to perform UI spoofing via a...
  Attack Vector: NETWORK
  Attack Complexity: LOW
  ID: xOzxnCDTZ3lKZA3QbxJDsaDypGiED4fnW%2F20vNN5bFw%3D

MEDIUM | Client_DOM_Open_Redirect | /apps/web/src/connectors/redirect.ts: 6
  The potentially tainted value provided by href in /apps/web/src/connectors/redirect.ts at line 6 is used as a destination URL by href in /apps/web...
  ID: ERUIOf8nz7H9qTeJgj9br44RfOU%3D

MEDIUM | Client_DOM_Open_Redirect | /apps/desktop/src/auth/scripts/duo.js: 277
  The potentially tainted value provided by substring in /apps/desktop/src/auth/scripts/duo.js at line 277 is used as a destination URL by open in /...
  ID: 0J7MONsxfaUSQFRMXNuzAJ0kfRE%3D

MEDIUM | HttpOnly_Cookie_Flag_Not_Set | /apps/web/src/connectors/sso.ts: 37
  The web application's initiateBrowserSso method creates a cookie cookie, at line 37 of /apps/web/src/connectors/sso.ts, and returns it in the resp...
  ID: GaFGH21C7jMu1QpVRaBCDH%2Bd0W8%3D

MEDIUM | Insecure_Storage_of_Sensitive_Data | /apps/cli/src/commands/get.command.ts: 403
  The application takes sensitive, personal data cipherService, found at line 403 of /apps/cli/src/commands/get.command.ts, and stores it in an unp...
  ID: ffMicPQVC1a1AB3LVKrevGbg%2BUg%3D

MEDIUM | Insecure_Storage_of_Sensitive_Data | /apps/cli/src/commands/get.command.ts: 404
  The application takes sensitive, personal data cipher, found at line 404 of /apps/cli/src/commands/get.command.ts, and stores it in an unprotecte...
  ID: PmcTdCqRh3w0qObU2pGQCV5Z0AY%3D

MEDIUM | Insecure_Storage_of_Sensitive_Data | /apps/cli/src/commands/get.command.ts: 388
  The application takes sensitive, personal data cipher, found at line 388 of /apps/cli/src/commands/get.command.ts, and stores it in an unprotecte...
  ID: M2zYEc6jTV0xnozx2YLaKLoOmmQ%3D

MEDIUM | Insecure_Storage_of_Sensitive_Data | /apps/cli/src/tools/export.command.ts: 75
  The application takes sensitive, personal data password, found at line 75 of /apps/cli/src/tools/export.command.ts, and stores it in an unprotect...
  ID: ujO3S48DoYDAJ1Cs%2FLyFXOahkU8%3D

MEDIUM | Insecure_Storage_of_Sensitive_Data | /apps/cli/src/tools/export.command.ts: 79
  The application takes sensitive, personal data password, found at line 79 of /apps/cli/src/tools/export.command.ts, and stores it in an unprotect...
  ID: lkBnHxIV9NiZA5ehPMhNSkwSarI%3D

MEDIUM | Missing_HSTS_Header | /apps/cli/src/auth/commands/login.command.ts: 680
  The web-application does not define an HSTS header, leaving it vulnerable to attack.
  ID: cLfIChUA0l5Q9Wrl5YMPxJpA3KU%3D

MEDIUM | Use_of_Broken_or_Risky_Cryptographic_Algorithm | /libs/node/src/services/node-crypto-function.service.ts: 339
  In toNodeCryptoAesMode, the application protects sensitive data using a cryptographic algorithm, "aes-256-ecb", that is considered weak or even t...
  ID: zRwZAdQwKYvJllYvIfg2%2FX%2F5jFE%3D

LOW | Angular_Usage_of_Unsafe_DOM_Sanitizer | /libs/components/src/icon/icon.component.ts: 29
  Usage of an unsafe class bypassSecurityTrustHtml, which overrides output sanitization, was found at /libs/components/src/icon/icon.component.ts i...
  ID: TueNPioeoMowZHYDzj8jzna5%2Bgo%3D

LOW | Angular_Usage_of_Unsafe_DOM_Sanitizer | /libs/components/src/avatar/avatar.component.ts: 93
  Usage of an unsafe class bypassSecurityTrustResourceUrl, which overrides output sanitization, was found at /libs/components/src/avatar/avatar.comp...
  ID: 9OJgz50Ba9cSI3oXH%2FL5PiXAMY4%3D

LOW | Angular_Usage_of_Unsafe_DOM_Sanitizer | /apps/desktop/src/app/components/avatar.component.ts: 78
  Usage of an unsafe class bypassSecurityTrustResourceUrl, which overrides output sanitization, was found at /apps/desktop/src/app/components/avatar...
  ID: RmRXHNEUBCsm490STUuSJBvaQVw%3D

LOW | CVE-2025-54798 | Npm-tmp-0.2.3
  Recommended version: 0.2.4
  Description: tmp is a temporary file and directory creator for node.js. In versions prior to 0.2.4, tmp is vulnerable to an arbitrary temporary file "/" directo...
  Attack Vector: LOCAL
  Attack Complexity: HIGH
  ID: CeRSDTRjG3jM6afIH87PyGU4kxEEKXQDPrM1HSFf%2FpE%3D

LOW | CVE-2025-54798 | Npm-tmp-0.0.33
  Recommended version: 0.2.4
  Description: tmp is a temporary file and directory creator for node.js. In versions prior to 0.2.4, tmp is vulnerable to an arbitrary temporary file "/" directo...
  Attack Vector: LOCAL
  Attack Complexity: HIGH
  ID: Z%2BAUdY78jdXPD1EvBcGGzQyCdyy9DDofBWuzswmjOJo%3D

LOW | CVE-2025-58752 | Npm-vite-6.2.7
  Recommended version: 6.3.5
  Description: Vite is a frontend tooling framework for JavaScript. In Vite versions through 5.4.19, 6.x through 6.3.5, 7.0.x through 7.0.6 and 7.1.x through 7.1....
  Attack Vector: NETWORK
  Attack Complexity: LOW
  ID: xPBWQIqcGrcjsi1KbGrrKnUSthdolSvwlo%2BmzBptPDY%3D

LOW | CVE-2025-7339 | Npm-on-headers-1.0.2
  Recommended version: 1.1.0
  Description: The on-headers is a node.js middleware for listening to when a response writes headers. A bug in on-headers versions prior to 1.1.0 may result in r...
  Attack Vector: LOCAL
  Attack Complexity: LOW
  ID: L8UafNPCtoOpt2w0RWkQTQblcAeuleqbmRkAX%2BIJ4KI%3D

LOW | Client_Use_Of_Iframe_Without_Sandbox | /apps/browser/src/autofill/overlay/inline-menu/pages/menu-container/autofill-inline-menu-container.ts: 68
  The application employs an HTML iframe at whose contents are not properly sandboxed
  ID: eC9rGjAaHK3DyR9G%2BtM7mnxXkNU%3D

LOW | Client_Use_Of_Iframe_Without_Sandbox | /apps/browser/src/autofill/overlay/inline-menu/iframe-content/autofill-inline-menu-iframe.service.ts: 87
  The application employs an HTML iframe at whose contents are not properly sandboxed
  ID: mfl0i7Wn6Zj3Z71nx1CQn0bYd3s%3D

LOW | Cx8bc4df28-fcf5 | Npm-debug-2.6.9
  Recommended version: 4.4.0
  Description: In NPM "debug" versions prior to 4.4.0, the "enable" function accepts a regular expression from user input without escaping it. Arbitrary regular e...
  Attack Vector: NETWORK
  Attack Complexity: HIGH
  ID: U3byH7dvuCyToCLYXtpVRtdSSIeKPhPL7km8CaW18xA%3D

LOW | Cx8bc4df28-fcf5 | Npm-debug-3.2.7
  Recommended version: 4.4.0
  Description: In NPM "debug" versions prior to 4.4.0, the "enable" function accepts a regular expression from user input without escaping it. Arbitrary regular e...
  Attack Vector: NETWORK
  Attack Complexity: HIGH
  ID: Y%2B82rtpYgA82Bfeg3Abw5P8KwHb3FEGklJtOZFw9gtE%3D

LOW | Missing_CSP_Header | /apps/cli/src/auth/commands/login.command.ts: 680
  A Content Security Policy is not explicitly defined within the web-application.
  ID: 45BkgMnHA%2BsQFZ3hesvzCGCM76Q%3D

nikwithak force-pushed the vault/PM-25012/cipher_versioning branch from be0a48c to 59a5b60 on September 12, 2025 00:54
nikwithak changed the title from "WIP: Integrating SDK migrate changes" to "[PM-25012] Cipher Versioning - Extract Data Types" on Sep 12, 2025
nikwithak marked this pull request as ready for review on September 12, 2025 19:52
nikwithak requested a review from a team as a code owner on September 12, 2025 19:52
nikwithak marked this pull request as draft on September 12, 2025 21:00
nikwithak removed the request for review from a team on September 12, 2025 21:00
nikwithak closed this on Oct 28, 2025