AnimaNexus
Trust & Safety

Security audit report

Live remediation log for the ANIMA Nexus platform. All listed findings have been verified and patched.

Findings fixed: 5 / 5
Tables under RLS: 100%
Open critical: 0
[high] Supabase Storage RLS

Storage uploads not scoped to user

Problem: Authenticated users could write objects under any folder in the anima-media bucket.

Remediation: Tightened storage RLS so uploads, updates and deletes are only permitted when the first path segment equals the user's auth.uid().

id: anima_media_upload_no_ownership · status: fixed 2025-01-12
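The remediation above, shown as an added example (not the project's own migration): the permissive write policy the finding describes beside the ownership-scoped replacement. It assumes Supabase's standard storage.objects table and storage.foldername() helper; the policy names are placeholders.

```sql
-- Before (the problem): any authenticated user may write anywhere in the bucket.
-- Nothing ties the object path to the caller, so user A can overwrite user B's files.
create policy "anima_media_write_any_folder"
on storage.objects for insert to authenticated
with check (bucket_id = 'anima-media');

-- After: drop the broad policy and require the first path segment to be the caller's uid.
-- storage.foldername('abc/photo.png') -> '{abc}', so [1] is the top-level folder.
drop policy if exists "anima_media_write_any_folder" on storage.objects;

create policy "anima_media_insert_own_folder"
on storage.objects for insert to authenticated
with check (
  bucket_id = 'anima-media'
  and (storage.foldername(name))[1] = auth.uid()::text
);

-- UPDATE needs both USING (which rows may be targeted) and WITH CHECK (what they may become),
-- otherwise a user could "move" an object into another user's folder.
create policy "anima_media_update_own_folder"
on storage.objects for update to authenticated
using (
  bucket_id = 'anima-media'
  and (storage.foldername(name))[1] = auth.uid()::text
)
with check (
  bucket_id = 'anima-media'
  and (storage.foldername(name))[1] = auth.uid()::text
);

create policy "anima_media_delete_own_folder"
on storage.objects for delete to authenticated
using (
  bucket_id = 'anima-media'
  and (storage.foldername(name))[1] = auth.uid()::text
);

-- Sanity check after applying: list every write policy on storage.objects and confirm
-- each one references auth.uid() in its qualifier or check expression.
select policyname, cmd, qual, with_check
from pg_policies
where schemaname = 'storage' and tablename = 'objects'
  and cmd in ('INSERT', 'UPDATE', 'DELETE');
```

A path with no folder (an object named photo.png at the bucket root) yields NULL for the first segment, so the comparison fails and the write is rejected, which is the intended default.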
[medium] Database RLS

Anonymous inserts on contact_messages

Problem: Contact form accepted writes from anonymous clients without an explicit policy.

Remediation: Restricted INSERT to authenticated users, removed SELECT for public roles, and added service-role-only read access.

id: contact_messages_no_select_policy · status: fixed 2025-01-12
[high] Database schema + RLS

Reporter contact info exposed via lost_reports

Problem: Phone/email columns on lost_reports were readable by any authenticated viewer of a public report.

Remediation: Moved sensitive contact info to a private lost_report_contacts table. Only the report owner and service role can read it; messages are relayed through the platform.

id: lost_reports_contact_exposure · status: fixed 2025-01-12
[high] npm dependencies

High-severity undici advisory via @tanstack/react-start

Problem: Transitive undici versions were flagged for prototype pollution / SSRF.

Remediation: Upgraded @tanstack/react-start to 1.168.26 and aligned router-core / react-router versions.

id: vulnerable_dependencies_high · status: fixed 2025-01-12
[medium] npm dependencies

Medium-severity undici regressions

Problem: Patches shipped in undici releases had not been picked up by the project's transitive dependencies.

Remediation: Same TanStack upgrade pulled in patched undici across all transitives.

id: vulnerable_dependencies_medium · status: fixed 2025-01-12

Disclosure policy

Report suspected vulnerabilities to adityagupta1234.in@gmail.com. We acknowledge within 48 hours and publish remediation here once verified.