Examples
Real findings. Real evidence.
Every finding below is based on a real vulnerability pattern Composed identifies. Evidence, exploitation path, and fix recommendations.
- PR Context
- A POST endpoint concatenated user-supplied input directly into a raw SQL query.
- Evidence / Reproduction
- Submitted a single quote (`'`) which broke the query structure. Then injected UNION SELECT to extract the users table. The endpoint returned user email hashes and session tokens in the response body.
- Why it matters
- An attacker with no authentication could dump the entire user database, including credential hashes and session secrets.
- Recommended fix
- Replace string concatenation with parameterized queries. Never embed user input in SQL strings.
- PR Context
- The app accepted a URL parameter to fetch an external image for PDF rendering.
- Evidence / Reproduction
- Changed the URL from example.com/logo.png to the cloud metadata endpoint. The generated PDF contained instance metadata including IAM credentials.
- Why it matters
- An attacker can pivot from the application into the internal cloud metadata service, stealing credentials that grant access to the entire cloud environment.
- Recommended fix
- Allowlist permitted domains. Validate URL schemes. Run the PDF service in a sandboxed network with no access to metadata endpoints.
- PR Context
- The endpoint /api/users/{id}/profile returned the full user profile for any authenticated user.
- Evidence / Reproduction
- Created account A (userId=1001). Changed the request to /api/users/1002/profile. Account B's email, phone number, and billing address were returned. No authorization check.
- Why it matters
- Any authenticated user can enumerate all users and scrape personally identifiable information.
- Recommended fix
- Verify that the requesting user owns the resource before returning data. Use the session user ID, not the URL parameter.
- PR Context
- A file download endpoint accepted a filename parameter with no path sanitization.
- Evidence / Reproduction
- Replaced the filename with ../../../../etc/passwd. The endpoint returned the server's password file in the HTTP response.
- Why it matters
- An attacker can read arbitrary files from the server, including configuration files containing database credentials and API keys.
- Recommended fix
- Validate the resolved path is within the allowed directory. Use a filesystem allowlist.
- PR Context
- A commit added a .env file containing production AWS access keys and a database connection string.
- Evidence / Reproduction
- The commit message was 'chore: add env template'. The .env file contained AWS_ACCESS_KEY_ID and DATABASE_URL with plaintext credentials.
- Why it matters
- Anyone with read access to the repository can use these credentials to access production resources.
- Recommended fix
- Rotate all exposed credentials immediately. Add .env to .gitignore. Use a pre-commit hook to scan for secrets.
- PR Context
- An AI coding agent was configured with a tool that executed shell commands from user input.
- Evidence / Reproduction
- A PR description containing shell metacharacters caused the agent to execute arbitrary commands in the CI/CD environment.
- Why it matters
- A malicious PR description could cause the agent to run arbitrary commands with full production access.
- Recommended fix
- Use structured APIs instead of shell execution. Run agent tools in restricted containers with minimal permissions.
- PR Context
- A public repository had a bot that automatically responded to issue comments using an LLM.
- Evidence / Reproduction
- A comment with injection instructions caused the bot to output fabricated system file contents and perform unintended actions.
- Why it matters
- An attacker can manipulate the bot to leak information or perform actions on behalf of the integration's credentials.
- Recommended fix
- Never expose LLM agents to untrusted input without a sandbox. Use prompt isolation techniques.