public documentation · scanner coverage

This document is regenerated automatically from the scanner code. Each pattern is mapped to its official CWE, OWASP Top 10 2025 and OWASP LLM Top 10 category where applicable. For calibration aggregates based on real customer data, see our scope page.

Scanner Coverage Reference

Auto-generated by scripts/generate-scanner-doc.mjs. Do not edit by hand. Last update: 2026-04-28

Vibe Coding Eye scanner. Covers 124 patterns mapped to CWE and OWASP Top 10 2025 (10/10) + OWASP LLM Top 10 2025 (10/10).

OWASP Top 10 2025 Coverage

| OWASP | Category | Patterns |
| --- | --- | --- |
| A01:2025 | Broken Access Control | AUTH-005, AUTH-007, AUTH-008, AUTH-009, AUTH-010, AUTH-014, INJ-007, LOVABLE-001, SUPA-FUNC-001, SUPA-RLS-001, SUPA-RLS-002, SUPA-RLS-003, SUPA-RLS-003, SUPA-RLS-004, SUPA-STORAGE-001 |
| A02:2025 | Cryptographic Failures | AUTH-002, AUTH-011, AUTH-012, AUTH-012, BOLT-001, CRYPTO-001, CRYPTO-002, CRYPTO-003, INFRA-002, SEC-KEY-001, SEC-KEY-002, SEC-KEY-003, SEC-KEY-004, SESSION-003, SUPA-SERVICE-001, V0-001 |
| A03:2025 | Injection | EMAIL-001, INJ-001, INJ-002, INJ-003, INJ-005, UPLOAD-002, UPLOAD-002, VAL-001, VAL-002, VAL-003, VAL-004, XSS-001 |
| A04:2025 | Insecure Design | AI-COST-001, AI-RATELIMIT-001, API-004, API-RATE-002, API-RATE-003, UPLOAD-001, UPLOAD-001 |
| A05:2025 | Security Misconfiguration | API-CORS-001, CORS-002, CSP-001, CURSOR-001, SESSION-002, SUPA-VIEW-001, XSS-002 |
| A06:2025 | Vulnerable Components | DEP-001, DEP-003, DEP-004, INJ-006 |
| A07:2025 | Authentication Failures | API-RATE-001, AUTH-001, AUTH-003, AUTH-006, AUTH-013, SESSION-001, WEBHOOK-002 |
| A08:2025 | Data Integrity Failures | INJ-004, RSC-001, SRI-001, WEBHOOK-001, WEBHOOK-003 |
| A09:2025 | Logging/Monitoring Failures | API-003, SEC-KEY-005 |
| A10:2025 | SSRF | API-SSRF-001 |

OWASP LLM Top 10 2025 Coverage

Coverage: 10/10 buckets.

| LLM | Category | Patterns |
| --- | --- | --- |
| LLM01 | Prompt Injection | AGENT-DOC-001, AGENT-INST-001, AGENT-INST-002, AI-003, AI-CTX-001, AI-PROMPT-001 |
| LLM02 | Sensitive Information Disclosure | AI-PRIVACY-001 |
| LLM03 | Supply Chain | AI-PKG-001, AI-SERIAL-001 |
| LLM04 | Data and Model Poisoning | AI-RAG-001 |
| LLM05 | Improper Output Handling | AI-004, AI-OUTPUT-001 |
| LLM06 | Excessive Agency | AGENT-MCP-001, AI-TOOL-001, MCP-001 |
| LLM07 | System Prompt Leakage | AI-LEAK-001 |
| LLM08 | Vector and Embedding Weaknesses | AI-EMBED-001 |
| LLM09 | Misinformation | AI-OVERRELIANCE-001 |
| LLM10 | Unbounded Consumption | AI-COST-001, AI-RATELIMIT-001 |

All Patterns

ai (21)

| ID | Severity | Confidence | CWE | OWASP | Name |
| --- | --- | --- | --- | --- | --- |
| AGENT-DOC-001 | medium | - | - | LLM01:2025 Prompt Injection (Indirect via Docs) | README/docs with a suspicious combination of markers + invisible characters/secret refs |
| AGENT-INST-001 | critical | - | - | LLM01:2025 Prompt Injection (Agent Instruction File) | Agent instruction file with prompt injection markers |
| AGENT-INST-002 | high | - | - | LLM01:2025 Prompt Injection (Hidden Characters) | Agent instruction file with invisible characters |
| AGENT-MCP-001 | high | - | - | LLM06:2025 Excessive Agency (MCP Config) | MCP server config with non-allowlisted command/url |
| AI-003 | high | medium | CWE-94 | LLM01:2025 | Possible prompt injection — user input in system prompt |
| AI-004 | high | high | CWE-79 | LLM05:2025 Improper Output Handling | LLM output rendered as HTML without sanitization |
| AI-COST-001 | medium | high | CWE-400 | A04:2025 | LLM call without max_tokens |
| AI-CTX-001 | high | - | - | LLM01:2025 Prompt Injection (Indirect) | Indirect Prompt Injection: external content passed to the LLM without sanitization |
| AI-EMBED-001 | medium | - | - | LLM08:2025 Vector and Embedding Weaknesses | Public embedding endpoint without auth/rate-limit |
| AI-LEAK-001 | medium | - | - | LLM07:2025 System Prompt Leakage | System prompt with hardcoded secrets / sensitive instructions |
| AI-OUTPUT-001 | high | - | - | LLM05:2025 Improper Output Handling | LLM output rendered as HTML without sanitization |
| AI-OVERRELIANCE-001 | medium | - | - | LLM09:2025 Misinformation | LLM response used as source of truth without verification |
| AI-PI-001 | critical | - | - | - | User input in system prompt |
| AI-PI-002 | high | - | - | - | LLM output rendered as HTML without sanitization |
| AI-PRIVACY-001 | high | - | - | LLM02:2025 Sensitive Information Disclosure | LLM/agent exposes sensitive data without scope or redaction |
| AI-PROMPT-001 | high | - | - | LLM01:2025 Prompt Injection | Prompt Injection: user input passed directly to the LLM without filtering |
| AI-RAG-001 | high | - | - | LLM04:2025 Data and Model Poisoning | Vector DB upsert with user content without moderation (RAG poisoning) |
| AI-RATELIMIT-001 | high | medium | CWE-770 | A04:2025 | LLM endpoint without rate-limit or auth gate (DoW vector) |
| AI-SERIAL-001 | critical | - | - | LLM03:2025 Supply Chain | LangChain loads() with potentially untrusted content (CVE-2025-68664) |
| AI-TOOL-001 | high | - | - | LLM06:2025 Excessive Agency | Tool handler with destructive operation without confirmation |
| MCP-001 | critical | - | - | LLM06:2025 Excessive Agency (MCP Tool Poisoning) | MCP tool with hidden directive in description |

api (9)

| ID | Severity | Confidence | CWE | OWASP | Name |
| --- | --- | --- | --- | --- | --- |
| API-003 | medium | medium | CWE-209 | A09:2025 | Error leakage: route handler returns err.message or stack |
| API-SSRF-001 | high | medium | CWE-918 | A10:2025 | Fetch with user-supplied URL without hostname validation |
| CHECKOUT-001 | critical | - | - | - | Checkout endpoint with amount / price_id taken from the client |
| CI-001 | critical | - | - | - | GitHub Actions: script injection via untrusted ${{ github.event.* }} |
| CI-003 | critical | - | - | - | GitHub Actions: pull_request_target + checkout PR HEAD (RCE) |
| REDIRECT-001 | high | - | - | - | Open Redirect: redirect to URL derived from request |
| WEBHOOK-001 | critical | high | CWE-345 | A08:2025 | Payment/provider webhook without HMAC verification |
| WEBHOOK-002 | high | medium | CWE-294 | A07:2025 | Webhook handler without replay protection (idempotency) |
| WEBHOOK-003 | medium | medium | CWE-345 | A08:2025 | Webhook payment handler without sku/amount reconciliation |

auth (23)

| ID | Severity | Confidence | CWE | OWASP | Name |
| --- | --- | --- | --- | --- | --- |
| API-AUTH-001 | high | - | - | - | Server Action without auth check |
| AUTH-001 | high | high | CWE-287 | A07:2025 | Password reset leaks email existence |
| AUTH-002 | medium | medium | CWE-522 | A02:2025 | Session tokens in localStorage |
| AUTH-003 | high | medium | CWE-287 | A07:2025 | Client-side-only route protection |
| AUTH-005 | critical | high | CWE-306 | A01:2025 | Server Action / Route handler without auth verification on mutation |
| AUTH-006 | high | high | CWE-287 | A07:2025 | Client-side auth based on localStorage |
| AUTH-007 | high | medium | CWE-639 | A01:2025 | Server Action with client-supplied ID without ownership check |
| AUTH-008 | critical | high | CWE-290 | A01:2025 | Next.js vulnerable to CVE-2025-29927 (middleware bypass) |
| AUTH-009 | high | high | CWE-807 | A01:2025 | searchParams used for auth decision |
| AUTH-010 | medium | medium | CWE-601 | A01:2025 | Open redirect via URL parameter |
| AUTH-011 | critical | high | CWE-327 | A02:2025 | JWT verify without algorithm whitelisting |
| AUTH-012 | high | medium | CWE-208 | A02:2025 | jwt.decode() without prior jwt.verify() |
| AUTH-012 | medium | medium | CWE-208 | A02:2025 | Secret comparison with === (timing attack) |
| AUTH-013 | high | high | CWE-613 | A07:2025 | JWT signed without exp / expiresIn |
| AUTH-014 | high | medium | CWE-601 | A01:2025 | OAuth callback redirects to unvalidated URL |
| BOLA-001 | critical | - | - | - | BOLA / IDOR: route accepts object ID without ownership check |
| CI-005 | high | - | - | - | GitHub Actions: permissions write-all (excessive) |
| CSRF-001 | medium | - | - | - | Express with sessions without CSRF protection |
| RSC-001 | critical | high | CWE-502 | A08:2025 | React/Next.js vulnerable to RSC deserialization RCE (CVE-2025-55182) |
| SESSION-001 | high | high | CWE-1004 | A07:2025 | Session / auth cookie without httpOnly |
| SESSION-002 | medium | high | CWE-614 | A05:2025 | Cookie with insecure flags (sameSite:none without secure, or secure:false) |
| SESSION-003 | high | high | CWE-922 | A02:2025 | JWT stored in cookie without httpOnly or in localStorage |
| SESSION-004 | medium | - | - | - | Express res.cookie() without secure / httpOnly flags |

cors (2)

| ID | Severity | Confidence | CWE | OWASP | Name |
| --- | --- | --- | --- | --- | --- |
| API-CORS-001 | high | medium | CWE-942 | A05:2025 | CORS with wildcard * |
| CORS-002 | critical | high | CWE-942 | A05:2025 | CORS: wildcard origin + credentials true |

deps (8)

| ID | Severity | Confidence | CWE | OWASP | Name |
| --- | --- | --- | --- | --- | --- |
| AI-PKG-001 | high | - | - | LLM03:2025 Supply Chain | Package with hallucinated / slopsquatting-prone name |
| CI-004 | medium | - | - | - | GitHub Actions: third-party action without SHA pin |
| DEP-001 | medium | high | CWE-1104 | A06:2025 | Abandoned or deprecated packages |
| DEP-002 | low | - | - | - | Packages declared but not used |
| DEP-003 | medium | high | CWE-1104 | A06:2025 | Outdated generator deps |
| DEP-004 | critical | high | CWE-1104 | A06:2025 | Dependency with recent public CVE |
| DEP-CVE-001 | high | - | - | - | Dependency with published CVE |
| DEP-PI-001 | high | - | - | - | package.json postinstall script with suspicious commands |

infra (4)

| ID | Severity | Confidence | CWE | OWASP | Name |
| --- | --- | --- | --- | --- | --- |
| CI-006 | low | - | - | - | GitHub Actions: deprecated set-output / save-state |
| CSP-001 | medium | high | CWE-79 | A05:2025 | CSP with unsafe-inline or unsafe-eval |
| INFRA-002 | high | high | CWE-798 | A02:2025 | NEXT_PUBLIC_ on sensitive vars |
| SRI-001 | medium | medium | CWE-353 | A08:2025 | External script without Subresource Integrity (SRI) |

input-validation (26)

| ID | Severity | Confidence | CWE | OWASP | Name |
| --- | --- | --- | --- | --- | --- |
| EMAIL-001 | high | medium | CWE-93 | A03:2025 | Email header injection: user input in From/Subject/To |
| INJ-001 | critical | high | CWE-78 | A03:2025 | Command injection: child_process.exec/execSync with user input |
| INJ-002 | high | high | CWE-22 | A03:2025 | Path traversal: fs.readFile / writeFile with user-input path |
| INJ-003 | critical | high | CWE-95 | A03:2025 | eval / Function constructor with user input |
| INJ-004 | high | medium | CWE-1321 | A08:2025 | Possible prototype pollution: Object.assign/_.merge with user object |
| INJ-005 | critical | high | CWE-943 | A03:2025 | NoSQL injection: Mongo query with object from the body |
| INJ-006 | high | medium | CWE-1333 | A06:2025 | ReDoS: new RegExp(userInput) or RegExp with template literal |
| INJ-007 | high | high | CWE-915 | A01:2025 | Mass assignment: ORM update with unvalidated body |
| INJ-008 | medium | - | - | - | ReDoS: regex with exponential backtracking |
| TAINT-EXEC-001 | critical | - | - | - | Command injection (taint-based, shell exec with user input) |
| TAINT-PT-001 | high | - | - | - | Path traversal (taint-based, fs read/write with user input) |
| TAINT-SQL-001 | critical | - | - | - | SQL injection (taint-based, inter-step via variables) |
| TAINT-XSS-001 | high | - | - | - | Reflected XSS (taint-based, res.send with user input via variables) |
| UPLOAD-001 | high | medium | CWE-434 | A04:2025 | File upload without type / size validation |
| UPLOAD-001 | medium | medium | CWE-434 | A04:2025 | Upload endpoint without type or size validation |
| UPLOAD-002 | high | medium | CWE-79 | A03:2025 | Client-supplied upload filename without sanitization (path traversal / overwrite) |
| UPLOAD-002 | high | medium | CWE-79 | A03:2025 | Upload accepts SVG without sanitization |
| VAL-001 | medium | low | CWE-20 | A03:2025 | API routes without Zod validation |
| VAL-002 | medium | low | CWE-20 | A03:2025 | Fields without length limit |
| VAL-003 | high | high | CWE-79 | A03:2025 | dangerouslySetInnerHTML with dynamic value |
| VAL-004 | critical | high | CWE-89 | A03:2025 | SQL injection: raw query with template literal without tagged helper |
| VAL-005 | medium | - | - | - | Request body with type cast without runtime validation (zod/yup) |
| XSS-001 | high | high | CWE-79 | A03:2025 | react-markdown + rehype-raw without rehype-sanitize |
| XSS-002 | low | low | CWE-1022 | A05:2025 | target= |
| XSS-003 | high | - | - | - | Classic DOM XSS: innerHTML / document.write / insertAdjacentHTML |
| XSS-004 | high | - | - | - | Reflected XSS in Express res.send/res.render |

rate-limit (4)

| ID | Severity | Confidence | CWE | OWASP | Name |
| --- | --- | --- | --- | --- | --- |
| API-004 | high | high | CWE-400 | A04:2025 | GraphQL endpoint without depth/complexity limit |
| API-RATE-001 | high | medium | CWE-307 | A07:2025 | Auth endpoints without rate limiting |
| API-RATE-002 | high | high | CWE-400 | A04:2025 | AI endpoints without cost cap |
| API-RATE-003 | high | high | CWE-770 | A04:2025 | In-memory rate limiter in serverless code (trivial bypass) |

rls (12)

| ID | Severity | Confidence | CWE | OWASP | Name |
| --- | --- | --- | --- | --- | --- |
| LOVABLE-001 | critical | high | CWE-284 | A01:2025 | Lovable: migration with CREATE TABLE without ENABLE ROW LEVEL SECURITY |
| STORAGE-001 | high | - | - | - | Supabase Storage bucket without defined policies |
| STORAGE-002 | critical | - | - | - | Public bucket with PII name/usage |
| SUPA-FUNC-001 | high | high | CWE-732 | A01:2025 | Postgres function security definer without explicit revoke |
| SUPA-RLS-001 | critical | high | CWE-284 | A01:2025 | RLS disabled on table with data |
| SUPA-RLS-002 | critical | high | CWE-284 | A01:2025 | RLS policy with using (true) |
| SUPA-RLS-003 | high | high | CWE-284 | A01:2025 | Table with user_id without a policy referencing it |
| SUPA-RLS-003 | critical | high | CWE-284 | A01:2025 | Universally permissive RLS policy |
| SUPA-RLS-004 | critical | high | CWE-269 | A01:2025 | RLS update policy on table with privileged column (role/admin/plan) |
| SUPA-SERVICE-001 | critical | high | CWE-522 | A02:2025 | Supabase client with service_role without server-only |
| SUPA-STORAGE-001 | high | medium | CWE-284 | A01:2025 | Supabase storage bucket without explicit policies |
| SUPA-VIEW-001 | high | high | CWE-732 | A05:2025 | Public view without security_invoker: RLS bypass |

secrets (15)

| ID | Severity | Confidence | CWE | OWASP | Name |
| --- | --- | --- | --- | --- | --- |
| BOLT-001 | high | medium | CWE-798 | A02:2025 | Bolt: API key inline in Vite component + client |
| CI-002 | high | - | - | - | GitHub Actions: secret echo to logs |
| CLIENT-ENV-001 | high | - | - | - | process.env in client component |
| CRYPTO-001 | high | medium | CWE-338 | A02:2025 | Math.random() used in security context |
| CRYPTO-002 | high | high | CWE-327 | A02:2025 | MD5 or SHA1 used for hashing |
| CRYPTO-003 | critical | high | CWE-798 | A02:2025 | Hardcoded secret / JWT_SECRET with trivial value |
| CURSOR-001 | high | medium | CWE-1188 | A05:2025 | Cursor: secret placeholder left unreplaced |
| LOG-PII-001 | medium | - | - | - | console.log/error of objects with PII / auth state |
| SEC-KEY-001 | critical | high | CWE-798 | A02:2025 | Supabase service_role in client code |
| SEC-KEY-002 | critical | medium | CWE-522 | A02:2025 | AI provider API key exposed client-side |
| SEC-KEY-003 | high | high | CWE-312 | A02:2025 | Probable secret in versioned files |
| SEC-KEY-004 | high | high | CWE-798 | A02:2025 | Value shaped like an API key assigned to NEXT_PUBLIC_ |
| SEC-KEY-005 | high | medium | CWE-598 | A09:2025 | API key / token passed as query param in URL |
| SECRET-GIT-001 | critical | - | - | - | Secrets in git history (committed + reverted) |
| V0-001 | high | high | CWE-798 | A02:2025 | v0: API key hardcoded in Client Component |

Patterns with Authoritative References

AI-003 — Possible prompt injection — user input in system prompt

AI-COST-001 — LLM call without max_tokens

AI-RATELIMIT-001 — LLM endpoint without rate-limit or auth gate (DoW vector)

API-SSRF-001 — Fetch with user-supplied URL without hostname validation

AUTH-001 — Password reset leaks email existence

AUTH-005 — Server Action / Route handler without auth verification on mutation

AUTH-006 — Client-side auth based on localStorage

AUTH-007 — Server Action with client-supplied ID without ownership check

AUTH-008 — Next.js vulnerable to CVE-2025-29927 (middleware bypass)

AUTH-010 — Open redirect via URL parameter

AUTH-011 — JWT verify without algorithm whitelisting

AUTH-012 — jwt.decode() without prior jwt.verify()

AUTH-012 — Secret comparison with === (timing attack)

CRYPTO-001 — Math.random() used in security context

CSP-001 — CSP with unsafe-inline or unsafe-eval

INJ-004 — Possible prototype pollution: Object.assign/_.merge with user object

LOVABLE-001 — Lovable: migration with CREATE TABLE without ENABLE ROW LEVEL SECURITY

RSC-001 — React/Next.js vulnerable to RSC deserialization RCE (CVE-2025-55182)

SEC-KEY-003 — Probable secret in versioned files

SESSION-003 — JWT stored in cookie without httpOnly or in localStorage

SRI-001 — External script without Subresource Integrity (SRI)

SUPA-FUNC-001 — Postgres function security definer without explicit revoke

SUPA-RLS-001 — RLS disabled on table with data

SUPA-RLS-004 — RLS update policy on table with privileged column (role/admin/plan)

SUPA-SERVICE-001 — Supabase client with service_role without server-only

SUPA-VIEW-001 — Public view without security_invoker: RLS bypass

VAL-003 — dangerouslySetInnerHTML with dynamic value

VAL-004 — SQL injection: raw query with template literal without tagged helper

CWE categories covered

  • CWE-1004
  • CWE-1022
  • CWE-1104
  • CWE-1188
  • CWE-1321
  • CWE-1333
  • CWE-20
  • CWE-208
  • CWE-209
  • CWE-22
  • CWE-269
  • CWE-284
  • CWE-287
  • CWE-290
  • CWE-294
  • CWE-306
  • CWE-307
  • CWE-312
  • CWE-327
  • CWE-338
  • CWE-345
  • CWE-353
  • CWE-400
  • CWE-434
  • CWE-502
  • CWE-522
  • CWE-598
  • CWE-601
  • CWE-613
  • CWE-614
  • CWE-639
  • CWE-732
  • CWE-770
  • CWE-78
  • CWE-79
  • CWE-798
  • CWE-807
  • CWE-89
  • CWE-915
  • CWE-918
  • CWE-922
  • CWE-93
  • CWE-94
  • CWE-942
  • CWE-943
  • CWE-95