Bug Pattern Catalog

Every bug class PullLight catches,
explained in plain English

12 patterns across Security, Concurrency, Data, and Auth — with real CVEs, vulnerable code, and the fix. This is what PullLight looks for in every pull request.

Paste a diff into /analyze — see how PullLight catches these live Try the analyzer →
Security
Prototype Pollution
Security
High severity
JSON input pollutes Object.prototype, bypassing property checks
SSRF via URL Parser
Security
High severity
URL fetch without hostname validation — attackers bypass DNS blocks
Path Traversal in File Read
Security
High severity
User-supplied path with ../ escapes directory, reads arbitrary files
SQL Injection via String Concat
Security
Critical severity
String-concatenated SQL accepts injected arbitrary queries
Command Injection in Child Process
Security
Critical severity
User input flows to exec(), shell metacharacters inject arbitrary commands
Regex Denial of Service
Security
Medium severity
Nested regex quantifiers cause exponential backtracking, blocking event loop
Unsafe Deserialization
Security
Critical severity
Deserializing untrusted data with pickle/yaml.unsafe_load/vm — RCE via gadget chains
Concurrency
Missing await — Race Condition
Concurrency
High severity
Promise returned without await silently continues with undefined
Data
Null Dereference After Optional Chain
Data
Medium severity
Optional chain breaks, subsequent method call throws TypeError
Auth
JWT None Algorithm Bypass
Auth
Critical severity
JWT accepts "none" algorithm, attacker forges admin token without signing
CORS Misconfiguration — Wildcard with Credentials
Auth
High severity
Dynamic origin + credentials: true enables cross-site data theft
Middleware Auth Bypass
Auth
Critical severity
Async middleware fires before auth resolves, request proceeds unauthenticated

See all 12 patterns caught automatically in every pull request

Analyze a diff now →
◈ PullLight — AI PR review, human approval, zero false positives Pricing · Changelog · Privacy