axim-rest-framework

Fail

Audited by Gen Agent Trust Hub on Mar 5, 2026

Risk Level: HIGH
Categories: CREDENTIALS_UNSAFE, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS
Full Analysis
  • [CREDENTIALS_UNSAFE]: Hardcoded database credentials in 'demo/src/main/resources/application.properties', including the fallback password '1qw2!QW@'. A committed default like this is a risk if the demo configuration is deployed unchanged, and the value stays in version-control history even after it is rotated.
  • [DATA_EXFILTRATION]: High-severity authentication bypass in 'rest-api/src/main/java/one/axim/framework/rest/handler/XBaseAccessTokenHandler.java'. If the 'axim.rest.session.secret-key' property is not configured, the handler accepts session tokens without HMAC-SHA256 signature verification (it fails open on missing configuration). An attacker can then forge a valid session by submitting a Base64-encoded JSON payload containing arbitrary user data.
  • [DATA_EXFILTRATION]: Sensitive user data exposed through unmasked logging in 'rest-api/src/main/java/one/axim/framework/rest/filters/XRequestFilter.java'. In any profile other than 'prod', the filter captures and logs the full body of JSON requests. Masking is applied only to HTTP headers, so fields such as passwords or tokens in the request body are written to the logs in plaintext.
  • [EXTERNAL_DOWNLOADS]: Automatically downloads the Gradle build tool from the official 'services.gradle.org' domain via the wrapper configuration.
  • [EXTERNAL_DOWNLOADS]: Fetches framework documentation and MCP server metadata from 'context7.com'.
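The token-handling finding above describes a fail-open pattern: a missing secret silences signature verification instead of stopping the service. The following is an added, stand-alone illustration of that pattern beside its fail-closed counterpart; it is not the framework's code and does not use its API. Token layout (`<base64 JSON>.<hex HMAC-SHA256>`), the function names and `DEMO_SECRET` are assumptions for the demonstration.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed for the demonstration: a 32-byte secret. A real service loads this
# from configuration and refuses to start without it.
DEMO_SECRET = b"0123456789abcdef0123456789abcdef"

# Constructed payload an attacker would like the server to trust.
FORGED_PAYLOAD = {"userId": 1, "role": "ADMIN"}


def encode_unsigned_token(payload: dict) -> str:
    """What an attacker hands to a fail-open handler: Base64 of JSON, no signature."""
    return base64.urlsafe_b64encode(json.dumps(payload).encode()).decode()


def encode_signed_token(payload: dict, secret: bytes) -> str:
    """Server-side issuance: Base64 body plus an HMAC-SHA256 tag over that body."""
    body = base64.urlsafe_b64encode(
        json.dumps(payload, separators=(",", ":")).encode()
    ).decode()
    sig = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def _verify(token: str, secret: bytes) -> Optional[dict]:
    """Split body and tag, recompute the tag in constant time, decode only on match."""
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return None  # no signature segment at all
    expected = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    return json.loads(base64.urlsafe_b64decode(body))


def parse_token_fail_open(token: str, secret: Optional[bytes]) -> Optional[dict]:
    """The vulnerable shape: no secret configured means the body is trusted as-is."""
    if secret is None:
        body = token.split(".", 1)[0]
        return json.loads(base64.urlsafe_b64decode(body))
    return _verify(token, secret)


def parse_token_fail_closed(token: str, secret: Optional[bytes]) -> Optional[dict]:
    """Hardened shape: a missing or weak secret is a startup error, never a bypass."""
    if not secret or len(secret) < 32:
        raise RuntimeError("session secret key missing or shorter than 32 bytes; refusing to run")
    return _verify(token, secret)
```

Usage: `parse_token_fail_open(encode_unsigned_token(FORGED_PAYLOAD), None)` returns the forged user data, whereas `parse_token_fail_closed` with the same inputs raises, and with a configured secret rejects any token whose tag does not match its body.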
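The request-logging finding above is that header masking exists but body masking does not. As an added example (not the framework's filter code), the function below masks sensitive keys recursively in a JSON body before it is logged, refuses to echo non-JSON bodies, caps the logged size, and keeps body logging gated on the profile. The key pattern, the `"***"` mask, the 2048-byte cap and the function names are assumptions chosen for the example.

```python
import json
import re
from typing import Any

# Assumed list of key names that must never reach a log in clear text; extend per application.
SENSITIVE_KEY_RE = re.compile(
    r"(password|passwd|secret|token|authorization|api[-_]?key)", re.IGNORECASE
)
MASK = "***"
MAX_LOGGED_BYTES = 2048  # assumed cap so a large body cannot flood the log


def mask_value(obj: Any) -> Any:
    """Walk dicts and lists; replace the value of any sensitive key, keep everything else."""
    if isinstance(obj, dict):
        return {
            k: (MASK if SENSITIVE_KEY_RE.search(k) else mask_value(v))
            for k, v in obj.items()
        }
    if isinstance(obj, list):
        return [mask_value(v) for v in obj]
    return obj


def mask_json_body(raw: str) -> str:
    """Return a log-safe rendering of a JSON request body, or a placeholder if it is not JSON."""
    try:
        parsed = json.loads(raw)
    except ValueError:
        return "<non-JSON body omitted>"
    masked = json.dumps(mask_value(parsed), separators=(",", ":"))
    return masked[:MAX_LOGGED_BYTES]


def request_log_line(profile: str, method: str, path: str, headers: dict, body: str) -> str:
    """Build the log line: headers are masked by key, the body only in non-prod and only masked."""
    masked_headers = {
        k: (MASK if SENSITIVE_KEY_RE.search(k) else v) for k, v in headers.items()
    }
    line = f"{method} {path} headers={json.dumps(masked_headers, separators=(',', ':'))}"
    if profile != "prod":
        line += f" body={mask_json_body(body)}"
    return line
```

The masking is keyed on field names rather than values, which is the practical choice for JSON: a secret inside a value cannot be recognised reliably, but a key named `password` or `refreshToken` can, and nested objects and arrays are walked so the masking does not stop at the top level.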
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 5, 2026, 09:24 PM