// wall of bugs caught

10 critical bugs
PullLight would have caught in your PRs.

Every card below is a real bug flagged during PR review — CVEs, CWEs, before/after code. No competitors have a page like this. Try it on your own PR →

13
Total catches
10
Critical
3
High
10
CVSS ≥ 9
5
Languages
Severity:
All Critical High Medium
| Language:
All JavaScript TypeScript Python Java PHP Rust Go
Sort by: Highest CVSS Newest Oldest
critical # auth-bypass TypeScript CVE-2026-1774
Prototype Pollution → Authorization Bypass in CASL
@casl/ability's rule-building path merges attacker-controlled condition objects without sanitizing prototype keys — pollutes Object.prototype, causing all subsequent ability checks to return true.
Before / after code snippet
Before (vulnerable)
// BEFORE (vulnerable)
// Attacker payload: { "__proto__": { "can": true } }
ability.update(attackerConditions);
ability.can('delete', 'Post'); // returns true for all users!
After (fixed)
// AFTER (fixed)
import { freeze } from '@casl/ability';
ability.update(freeze(attackerConditions));
CVSS 9.8 CWE-1321 Feb 2026 View walkthrough →
high # ssrf TypeScript CVE-2026-44578
WebSocket Upgrade Handler SSRF
Next.js WebSocket upgrade path forwards the Host header to an internal service without validation — attacker can redirect the upgrade to any internal host.
Before / after code snippet
Before (vulnerable)
// BEFORE (vulnerable)
const target = req.headers.host;
proxyWs(req, socket, head, { target });
After (fixed)
// AFTER (fixed)
const allowedHosts = new Set(['app.example.com']);
const host = req.headers.host?.split(':')[0];
if (!allowedHosts.has(host)) return socket.destroy();
proxyWs(req, socket, head, { target: host });
CVSS 8.6 CWE-918 May 2026 View walkthrough →
high # auth-bypass TypeScript CVE-2025-29927
Auth Bypass via Middleware Logic Gap
Next.js middleware checks authentication on most paths but a logic branch for static asset prefixes skips the check — authenticated pages reachable without a session.
Before / after code snippet
Before (vulnerable)
// BEFORE (vulnerable)
if (req.nextUrl.pathname.startsWith('/_next')) {
  return NextResponse.next(); // skips auth!
}
return checkAuth(req);
After (fixed)
// AFTER (fixed)
// Auth check runs for ALL paths; static assets
// bypass the network check via CDN rewrite, not middleware.
return checkAuth(req);
CVSS 7.2 CWE-284 Mar 2025 View walkthrough →
Browse full case studies with diffs & analysis →
Install in 60 seconds — free for OSS. Watch PullLight flag bugs like these in your PRs.
Install on GitHub →