// wall of bugs caught
10 critical bugs
PullLight would have caught in your PRs.
Every card below is a real bug flagged during PR review — CVEs, CWEs, before/after code. No competitors have a page like this. Try it on your own PR →
13 Total catches
10 Critical
3 High
10 CVSS ≥ 9
5 Languages
high
# ssrf
TypeScript
CVE-2026-44578
WebSocket Upgrade Handler SSRF
Next.js WebSocket upgrade path forwards the Host header to an internal service without validation — attacker can redirect the upgrade to any internal host.
Before / after code snippet
Before (vulnerable)
// BEFORE (vulnerable)
const target = req.headers.host;
proxyWs(req, socket, head, { target });
After (fixed)
// AFTER (fixed)
const allowedHosts = new Set(['app.example.com']);
const host = req.headers.host?.split(':')[0];
if (!allowedHosts.has(host)) return socket.destroy();
proxyWs(req, socket, head, { target: host });
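The fix above keeps the Host header out of the proxy target unless it is on an allowlist. The following is an added example, not PullLight's code or the Next.js handler from the card: it goes one step further by using the Host header only to select an allowlist entry, so the internal target never comes from the request at all, and it handles the port suffix, case and trailing-dot variants and bracketed IPv6 that a naive `split(':')` mishandles. `UPGRADE_TARGETS`, `parseHostHeader`, `selectUpgradeTarget` and `handleUpgrade` are names assumed here; `proxyWs` is taken from the card.

```javascript
// Added example (not PullLight's or Next.js code). Assumed names:
// UPGRADE_TARGETS, parseHostHeader, selectUpgradeTarget, handleUpgrade.

// Public hostname -> internal service an upgrade may be proxied to.
// Constructed sample data; a real deployment loads this from config.
const UPGRADE_TARGETS = new Map([
  ['app.example.com', 'ws://ws-backend.internal:8080'],
  ['api.example.com', 'ws://api-backend.internal:8081'],
]);

// Split a Host header into { hostname, port }. Accepts "host", "host:port"
// and bracketed IPv6 "[::1]:port"; returns null for anything malformed.
function parseHostHeader(header) {
  if (typeof header !== 'string' || header.length === 0 || header.length > 255) return null;
  let hostname;
  let portText;
  const bracketed = /^\[([^\]]+)\](?::(\d{1,5}))?$/.exec(header);
  if (bracketed) {
    hostname = bracketed[1];
    portText = bracketed[2];
  } else {
    // A bare IPv6 literal without brackets is not a valid Host value.
    if ((header.match(/:/g) || []).length > 1) return null;
    [hostname, portText] = header.split(':');
  }
  // Hostnames compare case-insensitively; a trailing dot marks an FQDN,
  // not a different host, so both are normalized before the lookup.
  hostname = hostname.toLowerCase().replace(/\.$/, '');
  if (!/^[a-z0-9.:-]+$/.test(hostname)) return null;
  let port = null;
  if (portText !== undefined) {
    port = Number(portText);
    if (!Number.isInteger(port) || port < 1 || port > 65535) return null;
  }
  return { hostname, port };
}

// Returns the internal target for this upgrade, or null to refuse it.
// The Host header only selects an allowlist entry; it is never the target.
function selectUpgradeTarget(hostHeader, targets = UPGRADE_TARGETS) {
  const parsed = parseHostHeader(hostHeader);
  if (!parsed) return null;
  return targets.get(parsed.hostname) ?? null;
}

// Upgrade handler built on the helper. req, socket, head and proxyWs come
// from the surrounding proxy code (as in the card); returns whether the
// upgrade was forwarded.
function handleUpgrade(req, socket, head, proxyWs) {
  const target = selectUpgradeTarget(req.headers.host);
  if (!target) {
    socket.write('HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n');
    socket.destroy();
    return false;
  }
  proxyWs(req, socket, head, { target });
  return true;
}
```

Because the map value is the target, a request whose Host header is merely similar to an allowed name (`app.example.com.evil.com`, an unknown port-only variant, a bracketed literal) gets no target and the socket is closed before any internal connection is opened.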
high
# ssrf
JavaScript
CVE-2024-29415
SSRF via IPv4/IPv6 Canonicalization Bypass
The ip package's isPrivate() check normalizes IPv4-mapped IPv6 addresses incorrectly — attackers pass addresses that appear public but resolve to RFC-1918 space, bypassing SSRF guards.
Before / after code snippet
Before (vulnerable)
// BEFORE (vulnerable)
if (ip.isPrivate(userSuppliedIp)) {
return res.status(403).send('Blocked');
}
fetch(`http://${userSuppliedIp}/internal-api`);
After (fixed)
// AFTER (fixed)
// Normalize IPv4-mapped IPv6 before the private check.
const normalized = normalizeIp(userSuppliedIp);
if (ip.isPrivate(normalized)) return res.status(403).send('Blocked');
fetch(`http://${normalized}/internal-api`);
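The card's fix depends on a `normalizeIp` step that the snippet does not show. The following is an added example, not the `ip` package's code or PullLight's: it canonicalizes an IP literal before the private-range decision, unwrapping IPv4-mapped IPv6 in both its dotted (`::ffff:10.0.0.1`) and hex (`::ffff:a00:1`) spellings, rejecting leading-zero octets that some parsers read as octal, and only then checking RFC 1918, loopback and link-local space. It covers IPv6 internal ranges as well, which the card does not discuss. `parseIPv4`, `parseIPv6`, `canonicalIp`, `formatIp`, `isInternalAddress` and `assessDestination` are names assumed here.

```javascript
// Added example (not the `ip` package's or PullLight's code). Assumed names:
// parseIPv4, parseIPv6, canonicalIp, formatIp, isInternalAddress, assessDestination.

// Dotted-quad only. Returns [a, b, c, d] or null.
function parseIPv4(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  const parts = m.slice(1);
  // Reject leading zeros ("010.0.0.1"): some parsers read them as octal.
  if (parts.some((p) => p.length > 1 && p[0] === '0')) return null;
  const octets = parts.map(Number);
  return octets.every((o) => o <= 255) ? octets : null;
}

// Expand an IPv6 literal (optionally bracketed, optional dotted IPv4 tail)
// into eight 16-bit groups. Returns null on malformed input.
function parseIPv6(input) {
  let s = input;
  if (s.startsWith('[') && s.endsWith(']')) s = s.slice(1, -1);
  if (s.includes('%')) return null; // zone ids are never valid outbound targets
  const lastColon = s.lastIndexOf(':');
  const tail = s.slice(lastColon + 1);
  if (tail.includes('.')) {
    // "::ffff:10.0.0.1" -> rewrite the dotted tail as two hex groups.
    const v4 = parseIPv4(tail);
    if (!v4) return null;
    const hi = ((v4[0] << 8) | v4[1]).toString(16);
    const lo = ((v4[2] << 8) | v4[3]).toString(16);
    s = `${s.slice(0, lastColon + 1)}${hi}:${lo}`;
  }
  const halves = s.split('::');
  if (halves.length > 2) return null;
  const head = halves[0] ? halves[0].split(':') : [];
  const rest = halves.length === 2 && halves[1] ? halves[1].split(':') : [];
  let groups;
  if (halves.length === 2) {
    if (head.length + rest.length > 7) return null;
    groups = [...head, ...new Array(8 - head.length - rest.length).fill('0'), ...rest];
  } else {
    groups = head;
  }
  if (groups.length !== 8 || !groups.every((g) => /^[0-9a-f]{1,4}$/i.test(g))) return null;
  return groups.map((g) => parseInt(g, 16));
}

// Returns { family: 4, octets } or { family: 6, groups }, unwrapping the
// IPv4-mapped range ::ffff:0:0/96 to its IPv4 form. null if unparseable.
function canonicalIp(input) {
  const s = String(input).trim();
  const v4 = parseIPv4(s);
  if (v4) return { family: 4, octets: v4 };
  const g = parseIPv6(s);
  if (!g) return null;
  const isMapped = g.slice(0, 5).every((x) => x === 0) && g[5] === 0xffff;
  if (isMapped) return { family: 4, octets: [g[6] >> 8, g[6] & 0xff, g[7] >> 8, g[7] & 0xff] };
  return { family: 6, groups: g };
}

function formatIp(addr) {
  return addr.family === 4
    ? addr.octets.join('.')
    : addr.groups.map((g) => g.toString(16)).join(':');
}

// Internal ranges an SSRF guard refuses. Checked on the canonical form only.
function isInternalAddress(addr) {
  if (addr.family === 4) {
    const [a, b] = addr.octets;
    return a === 10 || a === 127 || a === 0 ||
      (a === 172 && b >= 16 && b <= 31) ||   // 172.16.0.0/12
      (a === 192 && b === 168) ||            // 192.168.0.0/16
      (a === 169 && b === 254);              // 169.254.0.0/16 link-local
  }
  const g = addr.groups;
  const unspecified = g.every((x) => x === 0);
  const loopback = g.slice(0, 7).every((x) => x === 0) && g[7] === 1;
  const ula = (g[0] & 0xfe00) === 0xfc00;       // fc00::/7
  const linkLocal = (g[0] & 0xffc0) === 0xfe80; // fe80::/10
  return unspecified || loopback || ula || linkLocal;
}

// Decision for one destination literal. Hostnames must be resolved first and
// every resolved address run through this same check, otherwise a name can
// point at an internal address after the guard has already passed it.
function assessDestination(literal) {
  const addr = canonicalIp(literal);
  if (!addr) return { verdict: 'reject', reason: 'not an IP literal' };
  const canonical = formatIp(addr);
  return { verdict: isInternalAddress(addr) ? 'block' : 'allow', canonical };
}

// Constructed sample inputs: the first three are the bypass shapes from the card.
for (const s of ['::ffff:10.0.0.1', '::ffff:a00:1', '[::FFFF:127.0.0.1]', '8.8.8.8', '010.0.0.1']) {
  console.log(s, '->', JSON.stringify(assessDestination(s)));
}
```

The important ordering is canonicalize, then classify, then connect to the canonical form: the card's vulnerable snippet classifies the raw string and then connects to it, so any spelling the classifier does not recognise but the socket layer does is a bypass.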
high
# auth-bypass
TypeScript
CVE-2025-29927
Auth Bypass via Middleware Logic Gap
Next.js middleware checks authentication on most paths but a logic branch for static asset prefixes skips the check — authenticated pages reachable without a session.
Before / after code snippet
Before (vulnerable)
// BEFORE (vulnerable)
if (req.nextUrl.pathname.startsWith('/_next')) {
return NextResponse.next(); // skips auth!
}
return checkAuth(req);
After (fixed)
// AFTER (fixed)
// Auth check runs for ALL paths; static assets
// bypass the network check via CDN rewrite, not middleware.
return checkAuth(req);
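A prefix shortcut like the one above is easy to reintroduce in a later PR, so the practical defence is a regression check that enumerates the application's protected routes and asserts the gate denies every one of them without a session. The following is an added example, not PullLight's or Next.js code: `gateWithPrefixShortcut` and `gateAlways` are stand-ins for the card's two middleware versions, `PROTECTED_ROUTES` is a constructed route table, and `findUngatedRoutes` and `allowsWithSession` are names assumed here. The table includes a Pages Router data route, since Next.js serves a page's server-side props from `/_next/data/<buildId>/<page>.json`, which is why a shortcut on the `/_next` prefix reaches more than static chunks.

```javascript
// Added example (not PullLight's or Next.js code). Assumed names:
// gateWithPrefixShortcut, gateAlways, PROTECTED_ROUTES, findUngatedRoutes,
// allowsWithSession. Request objects are minimal stand-ins for NextRequest.

function hasSession(req) {
  return Boolean(req.cookies && req.cookies.session);
}

// The shortcut from the card: anything under /_next skips the check.
function gateWithPrefixShortcut(req) {
  if (req.pathname.startsWith('/_next')) return 'next';
  return hasSession(req) ? 'next' : 'redirect-login';
}

// The fix from the card: the check runs for every path the middleware sees;
// static assets are kept off this code path by a CDN rewrite instead.
function gateAlways(req) {
  return hasSession(req) ? 'next' : 'redirect-login';
}

// Application routes that must require a session. Constructed table;
// BUILD_ID is a placeholder for the real build identifier.
const PROTECTED_ROUTES = [
  '/dashboard',
  '/settings/billing',
  '/_next/data/BUILD_ID/dashboard.json', // server-side props of /dashboard
];

// Routes the gate lets through for a request carrying no session.
// An empty result is the invariant a PR check asserts on.
function findUngatedRoutes(gate, routes) {
  return routes.filter((pathname) => gate({ pathname, cookies: {} }) === 'next');
}

// The opposite direction, so the fix is not "deny everything": a request
// with a session must reach every protected route.
function allowsWithSession(gate, routes) {
  return routes.every(
    (pathname) => gate({ pathname, cookies: { session: 'constructed-session' } }) === 'next',
  );
}

console.log('leaks with shortcut:', findUngatedRoutes(gateWithPrefixShortcut, PROTECTED_ROUTES));
console.log('leaks with fix:     ', findUngatedRoutes(gateAlways, PROTECTED_ROUTES));
```

Wired into CI, `findUngatedRoutes(middleware, routeTable)` turning non-empty is the signal that someone added a path-based exemption; the route table should be generated from the app's pages or route manifest rather than maintained by hand, so new pages are covered automatically.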