Claude-Flow Security Audit Report

Date: 2026-01-03 Version: v2.7.47 Auditor: Code Reviewer Agent Scope: Comprehensive security review of Claude-Flow codebase

Executive Summary

This security audit identified 7 high-priority vulnerabilities, 13 dependency vulnerabilities (7 high, 3 moderate, 3 low), and several architectural security concerns that should be addressed before v3 release. While the codebase demonstrates good security practices in some areas (timing-safe comparisons, key redaction, permission management), critical issues exist in authentication, dependency management, and input validation.

Risk Level: HIGH - Immediate action required on critical vulnerabilities.

1. Critical Vulnerabilities

1.1 Dependency Vulnerabilities (CRITICAL)

Location: package.json Severity: HIGH CVE/Advisory:

• @anthropic-ai/claude-code (v2.0.1): GHSA-7mv8-j34q-vp7q - Sed Command Validation Bypass (CWE-78)
• @modelcontextprotocol/sdk (v1.0.4): GHSA-w48q-cv73-mx4w - DNS Rebinding vulnerability (CWE-350, CWE-1188)

Impact:

• Command injection via sed validation bypass
• DNS rebinding attacks allowing unauthorized access
• Total of 13 known vulnerabilities in dependencies

Recommendation:

# Immediate fix required
npm update @anthropic-ai/claude-code@^2.0.31
npm update @modelcontextprotocol/sdk@^1.24.0
npm audit fix --force

Priority: IMMEDIATE

1.2 Weak Password Hashing Implementation

Location: src/api/auth-service.ts:580-588 Severity: CRITICAL CWE: CWE-916 (Use of Password Hash With Insufficient Computational Effort)

Vulnerable Code:

// Line 580-588
private async hashPassword(password: string): Promise<string> {
  // In a real implementation, use bcrypt
  return createHash('sha256').update(password + 'salt').digest('hex');
}

private async verifyPassword(password: string, hash: string): Promise<boolean> {
  // In a real implementation, use bcrypt.compare
  const passwordHash = createHash('sha256').update(password + 'salt').digest('hex');
  return this.constantTimeCompare(passwordHash, hash);
}

Issues:

1. Uses SHA-256 instead of bcrypt/argon2
2. Hardcoded salt 'salt' - not per-user random salt
3. No key derivation function (KDF)
4. Vulnerable to rainbow table attacks
5. Comment acknowledges it's not production-ready

Impact:

• Password hashes can be cracked in seconds with modern GPUs
• All passwords use same salt, enabling batch cracking
• No computational cost barrier against brute force

Recommendation:

import bcrypt from 'bcrypt';

private async hashPassword(password: string): Promise<string> {
  const rounds = this.config.bcryptRounds || 12;
  return await bcrypt.hash(password, rounds);
}

private async verifyPassword(password: string, hash: string): Promise<boolean> {
  return await bcrypt.compare(password, hash);
}

Priority: CRITICAL - Do not use in production until fixed

1.3 Hardcoded Default Credentials

Location: src/api/auth-service.ts:602-643 Severity: HIGH CWE: CWE-798 (Use of Hard-coded Credentials)

Vulnerable Code:

// Line 602-643
private initializeDefaultUsers(): void {
  // Create default admin user
  const adminUser: User = {
    id: 'admin_default',
    email: '[email protected]',
    passwordHash: createHash('sha256').update('admin123' + 'salt').digest('hex'),
    role: 'admin',
    // ...
  };

  // Create default service user
  const serviceUser: User = {
    id: 'service_default',
    email: '[email protected]',
    passwordHash: createHash('sha256').update('service123' + 'salt').digest('hex'),
    role: 'service',
    // ...
  };
}

Default Credentials:

• Admin: [email protected] / admin123
• Service: [email protected] / service123

Impact:

• Trivial to gain admin access
• Credentials are in public GitHub repository
• Automated scanners will find these immediately

Recommendation:

1. Force password change on first login
2. Generate random passwords and display once during installation
3. Require environment variable for initial admin password
4. Add warning banner if default credentials are still in use

Priority: CRITICAL

2. High-Priority Security Concerns

2.1 Command Injection Risks

Location: Multiple files Severity: HIGH CWE: CWE-78 (OS Command Injection)

Vulnerable Locations:

1. src/cli/commands/hook.ts:184-187 - Spawning npx with shell:true
2. src/enterprise/security-manager.ts:1093-1125 - npm audit execution
3. src/utils/error-recovery.ts:110,128,246,284 - execSync calls

Vulnerable Code Example:

// src/cli/commands/hook.ts:184
const child = spawn('npx', ['ruv-swarm', 'hook', ...args], {
  stdio: 'inherit',
  shell: true,  // DANGEROUS - enables command injection
});

Attack Vector:

# Attacker-controlled input could inject commands
claude-flow hook pre-task --description "test; whoami; echo"

Recommendation:

// Remove shell: true
const child = spawn('npx', ['ruv-swarm', 'hook', ...args], {
  stdio: 'inherit',
  shell: false,  // SAFE - no shell interpretation
});

// For complex commands, use explicit validation
function sanitizeShellArg(arg: string): string {
  return arg.replace(/[;&|`$()]/g, '\\$&');
}

Priority: HIGH

2.2 SQL Injection Prevention (GOOD - But Needs Review)

Location: src/memory/backends/sqlite.ts Severity: LOW (Good practices used) Status: ✅ SECURE

Analysis: The SQLite backend correctly uses parameterized queries:

// Line 86-90 - GOOD: Parameterized query
const sql = `
  INSERT OR REPLACE INTO memory_entries (
    id, agent_id, session_id, type, content, ...
  ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
`;
const stmt = this.db.prepare(sql);
stmt.run(...params);

Observation: ✅ All queries use parameterized statements, preventing SQL injection.

Minor Concern: Line 189-196 constructs LIKE queries with user input:

if (query.search) {
  conditions.push('(content LIKE ? OR tags LIKE ?)');
  params.push(`%${query.search}%`, `%${query.search}%`);
}

Recommendation: Add input validation to limit special SQL characters in search strings.

2.3 Path Traversal Vulnerabilities

Location: Multiple file operations Severity: MEDIUM CWE: CWE-22 (Path Traversal)

Vulnerable Locations:

1. src/cli/commands/task.ts:67 - Workflow file loading
2. src/enterprise/security-manager.ts - File path construction
3. src/memory/backends/markdown.ts - File operations

Vulnerable Code:

// src/cli/commands/task.ts:66-68
.action(async (workflowFile: string, options: any) => {
  const content = await fs.readFile(workflowFile, 'utf-8');
  // No path validation - could read any file
});

Attack Vector:

# Read sensitive files
claude-flow task workflow ../../../etc/passwd
claude-flow task workflow ~/.ssh/id_rsa

Recommendation:

import { resolve, join, normalize } from 'path';

function validateFilePath(userPath: string, allowedDir: string): string {
  const resolvedPath = resolve(normalize(userPath));
  const resolvedBase = resolve(allowedDir);

  if (!resolvedPath.startsWith(resolvedBase)) {
    throw new Error('Path traversal detected');
  }

  return resolvedPath;
}

// Usage
const safePath = validateFilePath(workflowFile, process.cwd());
const content = await fs.readFile(safePath, 'utf-8');

Priority: HIGH

2.4 Environment Variable Exposure

Location: Multiple files Severity: MEDIUM CWE: CWE-532 (Information Exposure Through Log Files)

Analysis: Found 50+ process.env. references. Key concerns:

// bin/github/github-api.js:19
this.token = token || process.env.GITHUB_TOKEN;
// No validation or sanitization before use

// tests/security/init-security.test.js:360-362
process.env.API_KEY = 'secret-key-123';
process.env.PASSWORD = 'secret-password';
process.env.TOKEN = 'secret-token';
// Test secrets may leak in CI logs

Good Practice Found: ✅ Key redaction system exists: src/utils/key-redactor.ts

Recommendation:

1. Use centralized environment variable loader with validation
2. Never log environment variables directly
3. Sanitize all test secrets in CI logs
4. Use .env.example files instead of hardcoded values

Priority: MEDIUM

2.5 Insufficient Input Validation

Location: src/cli/commands/config.ts Severity: MEDIUM CWE: CWE-20 (Improper Input Validation)

Vulnerable Code:

// Line 32-39
.action(async (key: string, value: string) => {
  let parsedValue: any = value;
  try {
    parsedValue = JSON.parse(value);
  } catch {
    // Keep as string if not valid JSON
  }
  await configManager.set(key, parsedValue);

Issues:

1. No validation of key names (could overwrite critical settings)
2. No type checking of values
3. Arbitrary JSON parsing could cause prototype pollution
4. No authentication/authorization check

Attack Vector:

# Overwrite critical config
claude-flow config set "authConfig.jwtSecret" "hacked"

# Prototype pollution
claude-flow config set "__proto__.isAdmin" "true"

Recommendation:

const ALLOWED_CONFIG_KEYS = ['theme', 'timeout', 'logLevel'];
const CONFIG_SCHEMA = {
  theme: z.enum(['light', 'dark']),
  timeout: z.number().min(1000).max(300000),
  logLevel: z.enum(['debug', 'info', 'warn', 'error'])
};

.action(async (key: string, value: string) => {
  if (!ALLOWED_CONFIG_KEYS.includes(key)) {
    throw new Error(`Cannot modify config key: ${key}`);
  }

  const schema = CONFIG_SCHEMA[key];
  const parsedValue = JSON.parse(value);
  const validatedValue = schema.parse(parsedValue);

  await configManager.set(key, validatedValue);
});

Priority: MEDIUM

3. Architectural Security Concerns

3.1 Permission System Complexity

Location: src/permissions/permission-manager.ts Severity: LOW Status: Well-designed but complex

Analysis: The 4-level permission system (USER → PROJECT → LOCAL → SESSION) is well-implemented with:

• ✅ Caching with TTL
• ✅ Fallback chain
• ✅ Pattern matching with wildcards
• ✅ Priority-based rule resolution

Concerns:

1. Complexity increases attack surface
2. No audit logging for permission changes
3. Cache poisoning could bypass security checks
4. bypassPermissions mode is risky

Recommendation:

1. Add comprehensive audit logging
2. Implement permission change notifications
3. Add integrity checks on cached permissions
4. Require multi-factor authentication for bypassPermissions mode

Priority: LOW

3.2 MCP Authentication Weaknesses

Location: src/mcp/auth.ts Severity: MEDIUM

Issues:

1. Weak token generation (Line 375-385):

private createSecureToken(): string {
  const timestamp = Date.now().toString(36);
  const random1 = Math.random().toString(36).substring(2, 15);
  const random2 = Math.random().toString(36).substring(2, 15);
  // Math.random() is NOT cryptographically secure

Fix:

import { randomBytes } from 'crypto';

private createSecureToken(): string {
  return `mcp_${randomBytes(32).toString('hex')}`;
}

2. OAuth not implemented (Line 282-294):

private async authenticateOAuth(credentials: unknown): Promise<AuthResult> {
  // TODO: Implement OAuth authentication
  return { success: false, error: 'OAuth authentication not implemented' };
}

Recommendation:

• Replace Math.random() with crypto.randomBytes()
• Implement OAuth 2.0 with PKCE
• Add rate limiting to prevent brute force

Priority: MEDIUM

4. Security Best Practices Observed ✅

4.1 Good Practices Found

1. Timing-Safe Comparisons ✅

   • src/api/auth-service.ts:591-600 uses timingSafeEqual()
   • src/mcp/auth.ts:363-372 implements timing-safe string comparison
   • Prevents timing attacks on password/token verification

2. Key Redaction System ✅

   • src/utils/key-redactor.ts automatically redacts API keys
   • Comprehensive pattern matching for various secret formats
   • Prevents accidental logging of credentials

3. GitHub CLI Safety Wrapper ✅

   • src/utils/github-cli-safety-wrapper.js validates commands
   • Rate limiting implementation
   • Input sanitization with dangerous pattern detection
   • Timeout handling and process cleanup

4. Parameterized SQL Queries ✅

   • All SQLite queries use prepared statements
   • No string concatenation in SQL
   • Proper escaping and parameter binding

5. Permission Management ✅

   • Hierarchical permission system
   • Granular access control
   • Configurable enforcement levels

5. Recommendations for v3

5.1 Immediate Actions (Before Any Production Use)

1. Fix Critical Vulnerabilities:

   bashCopy

   npm update @anthropic-ai/claude-code@^2.0.31
   npm update @modelcontextprotocol/sdk@^1.24.0
   npm audit fix --force
   

2. Replace Password Hashing:

   • Implement bcrypt/argon2 immediately
   • Add salt generation per user
   • Set minimum bcrypt rounds to 12

3. Remove Default Credentials:

   • Force password change on first login
   • Generate random initial passwords
   • Add security warning banner

4. Fix Command Injection:

   • Remove shell: true from all spawn() calls
   • Implement input sanitization
   • Add command whitelisting

5.2 High Priority (v3.0.0)

1. Input Validation Framework:

   • Implement schema validation with Zod/Joi
   • Centralize input sanitization
   • Add rate limiting to all endpoints

2. Path Traversal Protection:

   • Add path validation utilities
   • Whitelist allowed directories
   • Implement chroot-style restrictions

3. Security Audit Logging:

   • Log all authentication attempts
   • Track permission changes
   • Monitor sensitive operations
   • Implement SIEM integration

4. Secret Management:

   • Use HashiCorp Vault or AWS Secrets Manager
   • Rotate credentials automatically
   • Implement least privilege principle

5.3 Medium Priority (v3.1.0)

1. OAuth Implementation:

   • Complete OAuth 2.0 with PKCE
   • Support SAML/SSO
   • Implement MFA

2. API Security:

   • Add API versioning
   • Implement request signing
   • Add CORS protection
   • Rate limiting per API key

3. Dependency Management:

   • Set up Dependabot/Renovate
   • Automated security scanning in CI/CD
   • Scheduled npm audit runs
   • Lock file verification

5.4 Long-term Improvements (v3.2.0+)

1. Security Testing:

   • Implement fuzzing tests
   • Add penetration testing
   • Set up bug bounty program
   • Regular security audits

2. Compliance:

   • SOC2 compliance preparation
   • GDPR data protection
   • Security documentation
   • Incident response plan

3. Monitoring:

   • Real-time threat detection
   • Anomaly detection
   • Security metrics dashboard
   • Automated alerting

6. Security Checklist for v3

Authentication & Authorization

• Replace SHA-256 with bcrypt/argon2
• Remove hardcoded credentials
• Implement password strength requirements
• Add account lockout after failed attempts
• Implement session management
• Add MFA support
• Complete OAuth implementation
• Add API key rotation

Input Validation

• Implement schema validation
• Add input sanitization
• Fix command injection risks
• Add path traversal protection
• Validate file uploads
• Sanitize user-generated content

Dependency Security

• Update vulnerable dependencies
• Set up automated scanning
• Implement SCA in CI/CD
• Lock dependency versions
• Review transitive dependencies

Data Protection

• Encrypt sensitive data at rest
• Use TLS for all network traffic
• Implement secure session storage
• Add data retention policies
• Implement secure deletion

Logging & Monitoring

• Add comprehensive audit logs
• Implement security event monitoring
• Set up alerting
• Add log integrity checking
• Sanitize logs (no secrets)

Infrastructure Security

• Implement least privilege
• Add network segmentation
• Use secure defaults
• Implement defense in depth
• Add container security scanning

7. Vulnerability Summary

Dependency Vulnerabilities

• Total: 13 vulnerabilities
• Critical: 0
• High: 7 (requires immediate update)
• Moderate: 3
• Low: 3

8. Testing Recommendations

Security Test Suite

# 1. Dependency scanning
npm audit
npm audit fix

# 2. Static analysis
npm run lint
eslint --plugin security src/

# 3. Secret scanning
git-secrets --scan
truffleHog --regex --entropy=False .

# 4. Container scanning (if using Docker)
trivy image claude-flow:latest

# 5. Dynamic testing
npm run test:security

Recommended Security Tools

1. SAST: SonarQube, Semgrep, CodeQL
2. DAST: OWASP ZAP, Burp Suite
3. SCA: Snyk, WhiteSource, Dependabot
4. Secret Scanning: git-secrets, truffleHog, GitGuardian
5. Container: Trivy, Clair, Anchore

9. Conclusion

The Claude-Flow codebase shows strong security foundations in some areas (timing-safe comparisons, key redaction, permission management) but has critical vulnerabilities that must be addressed before production use:

Critical Issues:

1. Weak password hashing (SHA-256 instead of bcrypt)
2. Hardcoded default credentials
3. High-severity dependency vulnerabilities

High-Priority Issues:

1. Command injection risks
2. Path traversal vulnerabilities
3. Insufficient input validation

Positive Findings:

1. Good use of parameterized SQL queries
2. Timing-safe comparisons implemented
3. Key redaction system in place
4. GitHub CLI safety wrapper

Overall Risk Assessment

Current State: ❌ NOT PRODUCTION READY After Critical Fixes: ⚠️ REQUIRES ADDITIONAL HARDENING After All High-Priority Fixes: ✅ READY FOR PRODUCTION (with ongoing monitoring)

Timeline Recommendation

• Week 1: Fix critical vulnerabilities (passwords, credentials, dependencies)
• Week 2-3: Address high-priority issues (injection, path traversal)
• Week 4-6: Implement v3 security improvements
• Ongoing: Security monitoring, dependency updates, regular audits

10. Contact & Support

For security vulnerabilities, please contact:

• Security Team: [email protected]
• GitHub Security Advisories: https://github.com/ruvnet/claude-code-flow/security/advisories

Report Format:

1. Description of vulnerability
2. Steps to reproduce
3. Impact assessment
4. Suggested remediation

Document Version: 1.0 Last Updated: 2026-01-03 Next Review: After critical fixes implementation