Security audit report
Live remediation log for the ANIMA Nexus platform. All listed findings have been verified and patched.
Storage uploads not scoped to user
Problem: Authenticated users could write objects under any folder in the anima-media bucket.
Remediation: Tightened storage RLS so that uploads, updates and deletes are permitted only when the first path segment of the object key equals the user's auth.uid().
Anonymous inserts on contact_messages
Problem: Contact form accepted writes from anonymous clients without an explicit policy.
Remediation: Restricted INSERT to authenticated users, removed SELECT for public roles, and added service-role-only read access.
Reporter contact info exposed via lost_reports
Problem: Phone/email columns on lost_reports were readable by any authenticated viewer of a public report.
Remediation: Moved sensitive contact info to a private lost_report_contacts table. Only the report owner and service role can read it; messages are relayed through the platform.
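The two row-level security fixes above (owner-scoped storage paths and the private lost_report_contacts table) written out as policies, as an added illustration that is not the project's own migration: it assumes a Supabase-style Postgres setup (storage.objects, the storage.foldername() helper, auth.uid(), and the anon / authenticated / service_role roles), and the lost_report_contacts columns and the lost_reports(id) key are constructed for the example.

```sql
-- Added example, not the project's migration. Assumes Supabase-style Postgres:
-- storage.objects, storage.foldername(), auth.uid(), roles anon/authenticated/
-- service_role. Table shape for lost_report_contacts is constructed here.

-- 1. Storage: an object in anima-media may only be written when the first
--    path segment of its key is the caller's own user id ('<uid>/photo.jpg').
--    Without the folder check, any authenticated user could write anywhere.
create policy "anima-media: owner-scoped insert"
  on storage.objects for insert to authenticated
  with check (
    bucket_id = 'anima-media'
    and (storage.foldername(name))[1] = auth.uid()::text
  );

create policy "anima-media: owner-scoped update"
  on storage.objects for update to authenticated
  using (bucket_id = 'anima-media'
         and (storage.foldername(name))[1] = auth.uid()::text)
  with check (bucket_id = 'anima-media'
              and (storage.foldername(name))[1] = auth.uid()::text);

create policy "anima-media: owner-scoped delete"
  on storage.objects for delete to authenticated
  using (bucket_id = 'anima-media'
         and (storage.foldername(name))[1] = auth.uid()::text);

-- 2. lost_reports: contact details move to a separate table readable only by
--    the report owner. The service role bypasses RLS, so it needs no policy;
--    anon gets nothing, authenticated users only their own rows.
create table if not exists public.lost_report_contacts (
  report_id uuid primary key references public.lost_reports (id) on delete cascade,
  owner_id  uuid not null references auth.users (id),
  phone     text,
  email     text
);
alter table public.lost_report_contacts enable row level security;

create policy "lost_report_contacts: owner read"
  on public.lost_report_contacts for select to authenticated
  using (owner_id = auth.uid());

create policy "lost_report_contacts: owner write"
  on public.lost_report_contacts for insert to authenticated
  with check (owner_id = auth.uid());
```

Any SELECT on lost_reports itself should no longer project phone/email columns, otherwise the split achieves nothing.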
High-severity undici advisory via @tanstack/react-start
Problem: Transitive undici versions were flagged for prototype pollution / SSRF.
Remediation: Upgraded @tanstack/react-start to 1.168.26 and aligned router-core / react-router versions.
Medium-severity undici regressions
Problem: The project was still on older undici releases and had not picked up the fixes shipped in later patch releases.
Remediation: Same TanStack upgrade pulled in patched undici across all transitives.
Disclosure policy
Report suspected vulnerabilities to adityagupta1234.in@gmail.com. We acknowledge within 48 hours and publish remediation here once verified.