guardvibe 3.19.0 → 3.21.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/CHANGELOG.md CHANGED
@@ -5,6 +5,26 @@ All notable changes to GuardVibe are documented in this file.
5
5
  The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
6
6
  and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
7
7
 
8
+ ## [3.21.0] - 2026-06-18
9
+
10
+ ### Added — 3 rules from daily threat intel: Hono CORS reflection + @hono/node-server bypass (445 → 448 rules / 38 tools)
11
+ - **VG1092 — Hono CORS origin reflection with credentials + June 2026 cluster (CVE-2026-54290 / GHSA-88fw-hqm2-52qc, high).** hono < 4.12.25 reflects any request Origin back with `Access-Control-Allow-Credentials: true` when `credentials:true` is set without an explicit allowlist (account-takeover-grade CORS); the release also re-fixes cache cross-user leak (CVE-2026-44457), JWT NumericDate (CVE-2026-44459), and bodyLimit bypass (CVE-2026-44456). **Distinct from VG1043 (pre-4.12.18 cluster):** flags exactly the residual 4.12.18–4.12.24 window, no double-firing. 0-FP semver: caret/tilde within 4.12 resolve to the fixed 4.12.25 → only exact/`=` pins flagged.
12
+ - **VG1093 — @hono/node-server serveStatic middleware bypass via repeated slashes (GHSA-92pp-h63x-v22m, high).** @hono/node-server < 1.19.13 lets a request like `//admin/secret.txt` skip route-based middleware (auth guards) and serve protected static files. Fixed in 1.19.13. 0-FP semver: caret on 1.x and tilde within 1.19 resolve to the fix → only exact/`=` pins (plus tilde within 1.0–1.18 and any range on 0.x) flagged.
13
+ - **VG1094 — CORS origin reflection with credentials (behavioral, CVE-2026-54290, high).** Code-level companion to VG1092: flags `cors({ credentials:true })` combined with a reflected origin (`origin: true` or an arrow function that returns its origin argument unchanged), the exact misconfiguration that made CVE-2026-54290 exploitable on any CORS middleware (Hono, Express). Targets the reflected-origin forms VG973 (wildcard literal) cannot see; allowlist-guarded functions are not flagged.
14
+ - 31 new tests. CVE version-pin rule count 74 → 76. Sourced from the daily GHSA/OSV/CISA-KEV intel brief and verified against the upstream advisories; everything else in that brief — axios CVE-2025-62718/42264/25639 (already covered by VG1042/VG1091), Next.js RSC cache poisoning CVE-2026-44576/44577/44582 (already covered by VG1047 `< 15.5.18 / 16.2.6`), Drizzle CVE-2026-39356, Clerk bypass cluster, Vercel AI SDK filetype, Anthropic SDK memory tool, postcss XSS — was already covered. Zero new runtime dependencies.
15
+
16
+ Gate green (build / lint / test / self-audit PASS / A / 0).
17
+
18
+ ## [3.20.0] - 2026-06-14
19
+
20
+ ### Added — 3 fresh CVE version-pin rules from daily threat intel (442 → 445 rules / 38 tools)
21
+ - **VG1089 — js-cookie `assign()` prototype hijack → cookie-attribute injection (CVE-2026-46625 / GHSA-qjx8-664m-686j, high).** js-cookie < 3.0.7 enumerates `Object.prototype` keys through the internal `assign()` helper, so a pollution gadget can inject `domain=`/`path=`/`secure=`/`samesite=`/`expires=` attributes into written cookies. Fixed in 3.0.7. 0-FP semver: only exact/`=` pins in the 3.0.x line are flagged (a caret/tilde there resolves to the fixed 3.0.7); 0.x–2.x majors are flagged with any range.
22
+ - **VG1090 — PostCSS XSS via unescaped `</style>` in stringify output (CVE-2026-41305 / GHSA-qx2v-qp2m-jg93, medium).** postcss < 8.5.10 does not escape `</style>` when serializing a CSS AST; an app that re-emits user CSS into an inline `<style>` block can be broken out of for stored/reflected XSS. Fixed in 8.5.10. 0-FP semver: caret on the 8.x line resolves to the fix, so only exact/`=` pins (plus tilde within 8.0–8.4) on 8.x are flagged; 1.x–7.x majors flagged with any range.
23
+ - **VG1091 — Axios HTTP-adapter proxy prototype-pollution gadget (CVE-2026-44494 / GHSA-35jp-ww65-95wh, high).** axios < 1.16.0 reads `config.proxy` in the Node HTTP adapter without an own-property check; a `Object.prototype.proxy` gadget routes every request through an attacker-controlled proxy (MITM / credential theft). Fixed in 1.16.0. **Distinct from VG1042 (pre-1.15.2 cluster):** a project that pinned 1.15.2 on VG1042's advice is still exposed, so this rule flags exactly the residual 1.15.2–1.15.x window (caret resolves to the fixed 1.16.0 → not flagged), with no double-firing against VG1042.
24
+ - 26 new pattern tests in `tests/rules/cve-versions.test.ts` (detect affected pins, ignore patched + caret-resolves-to-fixed + adjacent-rule overlap). CVE version-pin rule count 71 → 74. All three sourced from the daily GHSA/OSV/CISA-KEV intel brief and verified against the upstream advisories; everything else in that brief (Clerk ×3, Drizzle, Next/RSC cluster, React RCE, Anthropic SDK memory tool, Vercel AI SDK filetype, MCP path traversal, Miasma) was already covered. Zero new runtime dependencies.
25
+
26
+ Gate green (build / lint / test / self-audit PASS / A / 0).
27
+
8
28
  ## [3.19.0] - 2026-06-10
9
29
 
10
30
  ### Added — secure_prompt: prompt-level security, shift left (442 rules / 37 → 38 tools)
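Review bot: the 3.21.0 entry's last bullet says "31 new tests" without saying where they live, whereas the 3.20.0 entry right below names its file (`tests/rules/cve-versions.test.ts`); since VG1092/VG1093 go into `cveVersionRules` but VG1094 goes into `modernStackRules` (see the second rules hunk in this diff), the entry should name both test locations so a reader can find the behavioral tests for the CORS pattern. Also, the VG1094 bullet promises that "allowlist-guarded functions are not flagged", but the pattern added for VG1094 ends its callback alternative with `\1\b`, which still matches a callback whose body starts with the parameter followed by a method call (e.g. `(o) => o.endsWith(".myapp.com") ? o : null`); either soften this sentence or tighten the pattern in the same release.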
package/README.md CHANGED
@@ -13,20 +13,21 @@
13
13
  - **🎯 Deterministic, not probabilistic.** Same code = same result, every run (content-hashed). Your AI guesses; GuardVibe doesn't.
14
14
  - **🗺️ Sees the whole repo.** Cross-file taint + auth-coverage across every route — catches the unprotected endpoint your agent's narrow context missed.
15
15
  - **🔍 An independent second pair of eyes.** The thing that wrote the code can't review itself. GuardVibe is the outside checker on AI-written code — in the loop *while* your AI codes (real-time edit hook), not after.
16
+ - **⬅️ NEW: Starts before the first line of code.** Every scanner on earth — including your agent reviewing itself — acts *after* the code exists. [`secure_prompt`](#prompt-level-security-shift-left) acts *before*: it analyzes the coding prompt itself, detects the stack and attack surfaces it implies, and embeds severity-ranked GuardVibe requirements into the prompt your AI executes. The vulnerability is prevented, not caught. Deterministic, zero LLM calls — and if the prompt is already secure, it passes through untouched.
16
17
 
17
- **The security MCP built for vibe coding.** 442 security rules, 38 tools covering the entire AI-generated code journey — from the prompt itself to production deployment.
18
+ **The security MCP built for vibe coding.** 448 security rules, 38 tools covering the entire AI-generated code journey — from the prompt itself to production deployment.
18
19
 
19
20
  Works with **Claude Code, Cursor, Gemini CLI, Codex, VS Code (Copilot), Windsurf**, and any MCP-compatible coding agent.
20
21
 
21
22
  ## Why a tool, when your AI is so good?
22
23
 
23
- "More rules" was never the moat — a strong model already knows most security rules by heart. What it *can't* do is be deterministic, know the CVE published after its training cutoff, hold your whole repo in context, or objectively review the code it just wrote. Those four gaps are structural; they don't close as models improve. GuardVibe is the layer that fills them — running *while* your AI codes, not in a separate audit later.
24
+ "More rules" was never the moat — a strong model already knows most security rules by heart. What it *can't* do is be deterministic, know the CVE published after its training cutoff, hold your whole repo in context, or objectively review the code it just wrote. Those four gaps are structural; they don't close as models improve. GuardVibe is the layer that fills them — running *while* your AI codes, not in a separate audit later. And since v3.19, it runs *before* your AI codes too: `secure_prompt` rewrites the task itself so the security requirements are in the prompt, not in the post-mortem.
24
25
 
25
26
  ## Why GuardVibe
26
27
 
27
28
  Most security tools are built for enterprise security teams. GuardVibe is built for **you** — the developer using AI to build and ship web apps fast.
28
29
 
29
- - **442 security rules, 38 tools** purpose-built for the stacks AI agents generate
30
+ - **448 security rules, 38 tools** purpose-built for the stacks AI agents generate
30
31
  - **Zero setup friction** — `npx guardvibe` and you're scanning
31
32
  - **No account required** — runs 100% locally, no API keys, no cloud
32
33
  - **Understands your stack** — not generic SAST, but rules that know Next.js, Supabase, Stripe, Clerk, and the tools you actually use
@@ -64,7 +65,7 @@ GuardVibe is purpose-built for the AI coding workflow. Traditional tools are exc
64
65
  | CVE version detection | 71 packages, refreshed daily | Extensive | Extensive |
65
66
  | Compliance mapping (SOC2, PCI-DSS, HIPAA) | Built-in | Paid tier | None |
66
67
  | SARIF CI/CD export | Yes | Yes | Limited |
67
- | Rule count | 442 (focused, 68 AI-native) | 5000+ (broad) | N/A |
68
+ | Rule count | 448 (focused, 68 AI-native) | 5000+ (broad) | N/A |
68
69
 
69
70
  **When to use GuardVibe:** You're building with AI agents and want security scanning integrated into your coding workflow — no dashboard, no account, no CI setup.
70
71
 
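Review bot: the `Rule count` row is bumped to 448, but the `CVE version detection` row two lines above still reads "71 packages, refreshed daily", while the CHANGELOG in this same diff moves the CVE version-pin rule count 71 → 74 → 76 and the new package.json description says "76 CVE rules". Update this row in the same release (to 76 if it counts rules, or to the actual number of distinct packages, since several rules here cover the same package: VG1042/VG1091 for axios, VG1043/VG1092 for hono) so the comparison table does not contradict the changelog.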
@@ -287,7 +288,7 @@ Same user intent — but the model now generates auth code with the guardrails s
287
288
 
288
289
  All scanning tools support `format: "json"` for machine-readable output.
289
290
 
290
- ## Security Rules (442 rules across 25 modules)
291
+ ## Security Rules (448 rules across 25 modules)
291
292
 
292
293
  | Category | Rules | Coverage |
293
294
  |----------|-------|----------|
@@ -829,4 +829,64 @@ export const cveVersionRules = [
829
829
  fixCode: '// package.json\n"vite": "^5.4.9" // or ^6',
830
830
  compliance: ["SOC2:CC7.1", "PCI-DSS:Req6.5.1"],
831
831
  },
832
+ {
833
+ id: "VG1089",
834
+ name: "js-cookie assign() Prototype Hijack — Cookie Attribute Injection (CVE-2026-46625 / GHSA-qjx8-664m-686j)",
835
+ severity: "high",
836
+ owasp: "A03:2025 Injection",
837
+ description: "js-cookie versions before 3.0.7 are vulnerable to a per-instance prototype hijack in the internal assign() helper. assign() copies properties with a for…in loop plus plain assignment, so any key planted on Object.prototype is enumerated and copied into the merged attributes object. When set() later serialises that object, attacker-polluted keys land in the Set-Cookie string as attribute pairs — letting an attacker force domain=, path=, secure=, samesite=, or expires= on cookies the application writes (cookie scoping abuse / fixation). Fixed in 3.0.7. Only exact (or =) pins in the 3.0.x line are flagged — a caret/tilde range there resolves to the fixed 3.0.7; older 0.x–2.x majors are flagged with any range since they never reach the fix.",
838
+ pattern: /["']js-cookie["']\s*:\s*["'](?:(?:\^|~|>=?)?\s*[0-2]\.\d+\.\d+|=?\s*3\.0\.[0-6])["']/g,
839
+ languages: ["json"],
840
+ fix: "Upgrade js-cookie to 3.0.7 or later: npm install js-cookie@latest. As defence-in-depth, freeze Object.prototype at bootstrap (Object.freeze(Object.prototype)) and never spread untrusted objects into cookie-attribute options.",
841
+ fixCode: '// package.json\n"js-cookie": "^3.0.7" // or latest\n\n// Defence-in-depth — block prototype writes at startup\nObject.freeze(Object.prototype);',
842
+ compliance: ["SOC2:CC6.1", "PCI-DSS:Req6.2"],
843
+ },
844
+ {
845
+ id: "VG1090",
846
+ name: "PostCSS XSS via Unescaped </style> in Stringify Output (CVE-2026-41305 / GHSA-qx2v-qp2m-jg93)",
847
+ severity: "medium",
848
+ owasp: "A03:2025 Injection",
849
+ description: "postcss versions before 8.5.10 do not escape a </style> sequence when stringifying a CSS AST back to text. An app that parses user-submitted CSS and re-emits it into an inline <style> block lets an attacker close the style element early with </style> and inject arbitrary markup/script — a stored or reflected XSS. Fixed in 8.5.10. Caret ranges on the 8.x line resolve to the fixed 8.5.10, so only exact/= pins (and tilde within 8.0–8.4) on the 8.x line are flagged; 1.x–7.x majors are flagged with any range since they never reach the fix.",
850
+ pattern: /["']postcss["']\s*:\s*["'](?:(?:\^|~|>=?)?\s*[1-7]\.\d+\.\d+|~?\s*8\.[0-4]\.\d+|=?\s*8\.5\.[0-9](?![0-9]))["']/g,
851
+ languages: ["json"],
852
+ fix: "Upgrade postcss to 8.5.10 or later: npm install postcss@latest. If you embed processed CSS in an inline <style> tag, also HTML-escape </style> (or serve the CSS from an external stylesheet) as defence-in-depth.",
853
+ fixCode: '// package.json\n"postcss": "^8.5.10" // or latest',
854
+ compliance: ["SOC2:CC6.1", "PCI-DSS:Req6.5.7"],
855
+ },
856
+ {
857
+ id: "VG1091",
858
+ name: "Axios HTTP-Adapter Proxy Prototype-Pollution Gadget (CVE-2026-44494 / GHSA-35jp-ww65-95wh)",
859
+ severity: "high",
860
+ owasp: "A10:2025 SSRF",
861
+ description: "axios versions before 1.16.0 read config.proxy in the Node HTTP adapter without an own-property check. Because `proxy` is not set in axios defaults, a prototype-pollution gadget elsewhere in the process (Object.prototype.proxy = {...}) is picked up on every request, routing traffic through an attacker-controlled proxy — full MITM, credential theft, and response tampering. Fixed in 1.16.0 (own-property checks for proxy/socketPath/transport). Distinct from VG1042 (the pre-1.15.2 cluster): a project that took VG1042's advice and pinned 1.15.2–1.15.x is STILL exposed to this gadget, so this rule flags exactly that residual window (1.15.2 through 1.15.x). Caret ranges resolve to the fixed 1.16.0 and are not flagged.",
862
+ pattern: /["']axios["']\s*:\s*["'](?:~|=)?\s*1\.15\.(?:[2-9]|[1-9]\d)["']/g,
863
+ languages: ["json"],
864
+ fix: "Upgrade axios to 1.16.0 or later: npm install axios@latest. As defence-in-depth, freeze Object.prototype at startup so a pollution gadget cannot inject a proxy: Object.freeze(Object.prototype).",
865
+ fixCode: '// package.json\n"axios": "^1.16.0" // or latest\n\n// Defence-in-depth — block prototype writes at bootstrap\nObject.freeze(Object.prototype);',
866
+ compliance: ["SOC2:CC6.1", "SOC2:CC7.1", "PCI-DSS:Req6.2"],
867
+ },
868
+ {
869
+ id: "VG1092",
870
+ name: "Hono CORS Origin Reflection With Credentials + June 2026 Cluster (CVE-2026-54290 / GHSA-88fw-hqm2-52qc)",
871
+ severity: "high",
872
+ owasp: "A05:2025 Security Misconfiguration",
873
+ description: "Hono versions before 4.12.25 ship a CORS middleware that, when credentials:true is set without an explicit origin allowlist, reflects ANY request Origin header back with Access-Control-Allow-Credentials:true — letting any site issue credentialed cross-origin requests (account-takeover-grade CSRF/CORS, CVE-2026-54290). The same release also re-fixes the cache cross-user leak (CVE-2026-44457), JWT NumericDate validation (CVE-2026-44459), and bodyLimit bypass (CVE-2026-44456). Distinct from VG1043 (the pre-4.12.18 cluster): a project that took VG1043's advice and pinned 4.12.18 is STILL exposed to the CORS reflection, so this rule flags exactly that residual window (4.12.18 through 4.12.24). Caret and tilde ranges within 4.12 resolve to the fixed 4.12.25 and are not flagged — only exact/= pins are.",
874
+ pattern: /["']hono["']\s*:\s*["']=?\s*4\.12\.(?:1[89]|2[0-4])["']/g,
875
+ languages: ["json"],
876
+ fix: "Upgrade Hono to 4.12.25 or later: npm install hono@latest. Until upgraded, never combine cors({ credentials: true }) with a wildcard or reflected origin — pass an explicit origin allowlist.",
877
+ fixCode: '// package.json\n"hono": "^4.12.25" // or latest\n\n// Safe CORS — explicit allowlist, never reflect arbitrary origins with credentials\nimport { cors } from "hono/cors";\napp.use("/api/*", cors({\n origin: ["https://myapp.com"],\n credentials: true,\n}));',
878
+ compliance: ["SOC2:CC6.1", "SOC2:CC6.6", "PCI-DSS:Req6.2"],
879
+ },
880
+ {
881
+ id: "VG1093",
882
+ name: "@hono/node-server serveStatic Middleware Bypass via Repeated Slashes (GHSA-92pp-h63x-v22m)",
883
+ severity: "high",
884
+ owasp: "A01:2025 Broken Access Control",
885
+ description: "@hono/node-server versions before 1.19.13 mishandle paths containing repeated slashes, so a request like //admin/secret.txt bypasses route-based middleware (auth/authorization guards) and serves protected static files directly through serveStatic. Any app that gates a static directory with middleware is exposed. Fixed in 1.19.13. Caret ranges on the 1.x line and tilde ranges within 1.19 resolve to the fixed 1.19.13, so only exact/= pins (and tilde within 1.0–1.18, plus any range on 0.x) are flagged.",
886
+ pattern: /["']@hono\/node-server["']\s*:\s*["'](?:(?:\^|~|>=?)?\s*0\.\d+\.\d+|(?:~|=)?\s*1\.(?:[0-9]|1[0-8])\.\d+|=?\s*1\.19\.(?:[0-9]|1[0-2])(?![0-9]))["']/g,
887
+ languages: ["json"],
888
+ fix: "Upgrade @hono/node-server to 1.19.13 or later: npm install @hono/node-server@latest. As defence-in-depth, normalize incoming paths (collapse repeated slashes) before middleware authorization checks.",
889
+ fixCode: '// package.json\n"@hono/node-server": "^1.19.13" // or latest',
890
+ compliance: ["SOC2:CC6.1", "PCI-DSS:Req6.2", "HIPAA:§164.312(a)"],
891
+ },
832
892
  ];
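Review bot: the "0-FP semver" claim in the VG1089, VG1090 and VG1093 descriptions does not hold for the `>=?` alternative in their prefix groups. `(?:\^|~|>=?)?` accepts `>` and `>=` in front of the old-major alternatives (`[0-2]\.\d+\.\d+` for js-cookie, `[1-7]\.\d+\.\d+` for postcss, `0\.\d+\.\d+` for @hono/node-server), but an open-ended `">=2.2.0"`, `">=7.0.0"` or `">=0.9.0"` has no upper bound and resolves to the fixed release, so these patterns flag pins that are not exposed, and the descriptions' "since they never reach the fix" is wrong for that case. Either drop `>=?` from those groups or only flag `>=` when the same range string also carries a `<` upper bound below the fix. Minor: the js-cookie and axios `fix` text recommends `Object.freeze(Object.prototype)` as defence-in-depth; it would help to say this must run before any dependency is loaded and can break libraries that polyfill or patch `Object.prototype`, so it needs a test run rather than a blind paste.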
@@ -221,6 +221,18 @@ export const modernStackRules = [
221
221
  fixCode: 'import { cors } from "hono/cors";\n\napp.use("/*", cors({\n origin: ["https://myapp.com", "https://staging.myapp.com"],\n}));',
222
222
  compliance: ["SOC2:CC6.6"],
223
223
  },
224
+ {
225
+ id: "VG1094",
226
+ name: "CORS Origin Reflection With Credentials (CVE-2026-54290)",
227
+ severity: "high",
228
+ owasp: "A05:2025 Security Misconfiguration",
229
+ description: "cors() is configured with credentials:true AND an origin that reflects the caller — either origin:true or an arrow function that returns its origin argument unchanged (origin: (o) => o). This combination echoes any request's Origin back together with Access-Control-Allow-Credentials:true, so any website can make authenticated cross-origin requests on the victim's behalf (account-takeover-grade CSRF). This is the exact misconfiguration that made Hono CVE-2026-54290 exploitable, and it is dangerous on any CORS middleware (Hono, Express). The wildcard literal origin:'*' form is covered separately by VG973; this rule targets the reflected-origin forms that VG973 cannot see.",
230
+ pattern: /cors\s*\(\s*\{(?=[\s\S]{0,400}?credentials\s*:\s*true)[\s\S]{0,400}?origin\s*:\s*(?:true\b|\(\s*(\w+)\s*\)\s*=>\s*\1\b)/g,
231
+ languages: ["javascript", "typescript"],
232
+ fix: "Never combine credentials:true with a reflected origin. Pass an explicit allowlist of trusted origins, or validate the incoming origin against an allowlist before returning it.",
233
+ fixCode: 'import { cors } from "hono/cors";\n\nconst ALLOWED = new Set(["https://myapp.com", "https://app.myapp.com"]);\napp.use("/api/*", cors({\n origin: (origin) => (ALLOWED.has(origin) ? origin : null),\n credentials: true,\n}));',
234
+ compliance: ["SOC2:CC6.1", "SOC2:CC6.6", "PCI-DSS:Req6.2"],
235
+ },
224
236
  // =====================================================
225
237
  // GraphQL Security
226
238
  // =====================================================
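Review bot: the reflected-callback alternative `\(\s*(\w+)\s*\)\s*=>\s*\1\b` stops at a word boundary, so it also matches any callback whose body begins with the parameter followed by `.`, `[` or `?`, e.g. `origin: (o) => o.endsWith(".myapp.com") ? o : null`; that contradicts the description's "returns its origin argument unchanged" and the changelog's "allowlist-guarded functions are not flagged" (a suffix check is weak, but it is not reflection). Suggest a negative lookahead after the backreference, `\1\b(?!\s*[.\[(?])`, or requiring the body to end at `,`, `}` or a newline. Conversely, the paren-less concise form `origin: o => o` and a block body `(o) => { return o; }` are not matched; `\(?\s*(\w+)\s*\)?\s*=>\s*(?:\{\s*return\s+)?\1` would cover both. Note also that `cors({ credentials: true })` with no `origin` key at all is not flagged here, even though the VG1092 description says that is exactly the Hono default path that reflects the Origin before 4.12.25; if that is intentional (VG1092 covers it by version), a sentence in this description saying so would stop the two rules from looking inconsistent.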
package/package.json CHANGED
@@ -1,8 +1,8 @@
1
1
  {
2
2
  "name": "guardvibe",
3
- "version": "3.19.0",
3
+ "version": "3.21.0",
4
4
  "mcpName": "io.github.goklab/guardvibe",
5
- "description": "Security infrastructure your AI can't be — deterministic, current past your model's training cutoff, whole-repo-aware, author-independent. Security MCP for vibe coding. 442 rules, 38 tools, CLI + doctor. Prompt-level shift-left security (secure_prompt — embed security requirements BEFORE code generation), host security, auth coverage mapping, LLM-powered deep scan (IDOR/business logic), taint analysis. 71 CVE rules refreshed daily from GHSA/OSV/CISA KEV — Vite dev-server RCE, React Router 7 cluster, DOMPurify XSS, Better Auth bypass, Miasma @redhat-cloud-services compromise, Next.js May 2026 13-advisory cluster, Drizzle/MikroORM/Kysely SQL injection, Axios proxy-auth redirect leak, Hono setCookie attribute injection, Clerk SSRF, tRPC prototype pollution, @tanstack supply-chain, node-ipc protestware, OpenClaude sandbox bypass, plus the full AI-generated stack (Supabase, Stripe, Prisma, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK). 68 AI-native rules including OWASP MCP Top 10 tool-description prompt injection (VG1068), model-controlled sandbox-disable flag detection (VG1063), Session messenger exfil endpoint IOC (VG1075), and CI/CD supply-chain hardening (VG1070 npm --expect-provenance / --ignore-scripts enforcement).",
5
+ "description": "Security infrastructure your AI can't be — deterministic, current past your model's training cutoff, whole-repo-aware, author-independent. Security MCP for vibe coding. 448 rules, 38 tools, CLI + doctor. Prompt-level shift-left security (secure_prompt — embed security requirements BEFORE code generation), host security, auth coverage mapping, LLM-powered deep scan (IDOR/business logic), taint analysis. 76 CVE rules refreshed daily from GHSA/OSV/CISA KEV — js-cookie cookie-attribute injection, PostCSS </style> stringify XSS, Axios proxy prototype-pollution gadget, Vite dev-server RCE, React Router 7 cluster, DOMPurify XSS, Better Auth bypass, Miasma @redhat-cloud-services compromise, Next.js May 2026 13-advisory cluster, Drizzle/MikroORM/Kysely SQL injection, Axios proxy-auth redirect leak, Hono setCookie attribute injection, Clerk SSRF, tRPC prototype pollution, @tanstack supply-chain, node-ipc protestware, OpenClaude sandbox bypass, plus the full AI-generated stack (Supabase, Stripe, Prisma, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK). 68 AI-native rules including OWASP MCP Top 10 tool-description prompt injection (VG1068), model-controlled sandbox-disable flag detection (VG1063), Session messenger exfil endpoint IOC (VG1075), and CI/CD supply-chain hardening (VG1070 npm --expect-provenance / --ignore-scripts enforcement).",
6
6
  "type": "module",
7
7
  "bin": {
8
8
  "guardvibe": "build/cli.js",
@@ -111,7 +111,7 @@
111
111
  "zod": "^3.25.0"
112
112
  },
113
113
  "overrides": {
114
- "hono": "^4.12.21",
114
+ "hono": "^4.12.25",
115
115
  "fast-uri": "^3.1.2",
116
116
  "ip-address": "^10.2.0"
117
117
  },
@@ -119,7 +119,7 @@
119
119
  "@types/node": "^25.5.2",
120
120
  "c8": "^11.0.0",
121
121
  "eslint": "^10.2.0",
122
- "tsx": "^4.21.0",
122
+ "tsx": "^4.22.4",
123
123
  "typescript-eslint": "^8.58.0"
124
124
  },
125
125
  "engines": {