This document explains how to responsibly report security issues found
in the Network-Scanner project itself (Flask backend, React frontend,
Python CLI). It does not describe how to use the tool offensively —
for that, see README.md and docs/.
Project status (2026): This repository received a critical security patch addressing the issues below. The project remains functional and open for security reports; new features are not the priority, but the existing functionality (Flask backend, React frontend, Docker stack, CLI) is preserved.
Fixes applied in the latest security commit:
app.py:debug=True→debug=Falseby default (closes RCE via the Werkzeug debugger PIN). Debug mode is opt-in viaFLASK_ENV=development.app.py:host='0.0.0.0'→host=os.environ.get('HOST', '127.0.0.1')(loopback by default; Docker setsHOST=0.0.0.0explicitly indocker-compose.ymlso the container remains reachable).app.py: SocketIOcors_allowed_origins="*"→ env-var-driven viaCORS_ORIGINS(defaulthttp://localhost:3000).docker-compose.ymlsets it to allow the frontend container.reconnaissance.py: undefinedname→domain_namein_cert_transparency_search. The method was silently broken (theexcept Exceptionswallowed theNameErrorand returned[]). Wildcard certificate entries (*.example.com) are now explicitly skipped.ai_assistant.py: hardcodedgpt-3.5-turbo(4 occurrences) →OPENAI_MODELenv var (defaultgpt-4o-mini, the recommended successor; thegpt-3.5-turbo-0125snapshot is scheduled for shutdown on 2026-10-23).requirements.txt: removedjwt==1.3.1(it conflicts withpyjwt==2.8.0and neither is imported by the codebase).pyjwtis kept as the maintained successor.report_generator.py: hardcoded/workspaces/Network-Scanner/reports→REPORTS_DIRenv var (default<cwd>/reports, which resolves correctly in local dev and inside the Docker container whereWORKDIR=/appand./reportsis bind-mounted to/app/reports).docker-compose.yml: addedHOST=0.0.0.0,REPORTS_DIR=/app/reports, andCORS_ORIGINSto the backend service so the Docker stack keeps working with the new secure defaults.- Removed unused imports:
subprocess,json,threadinginreconnaissance.py;subprocessinscanner.py.Known remaining issues (documented; not all are planned to be fixed):
/api/scan/*and/api/vulnerability/*endpoints have no authentication. Operators exposing the backend publicly MUST put a reverse proxy with authentication in front. The defaulthost='127.0.0.1'(whenHOSTis unset) limits exposure to localhost.scanner.pyusesverify=Falsein 4requests.get()calls (MITM risk for the scanner itself, but necessary because scanned targets may have self-signed certs).- 31 broad
except Exceptioncatches across the codebase hide errors silently (refactor is out of scope for this patch).socket.gethostbyname()calls inreconnaissance.pyhave no timeout (potential DoS via slow DNS, low priority).- Additional unused imports remain in
app.py(json,ScanResult,User,Project),scanner.py(json,re,concurrent.futures),report_generator.py(8 imports), and 4 unusedevars inai_assistant.py. They are not security-relevant and are deferred.Security reports are still welcome and will be triaged.
| Version | Supported | Notes |
|---|---|---|
main |
Security fixes only | Pre-archive; receives the final critical patch |
<1.0 |
Unsupported | No tagged releases exist |
There are no tagged releases. All reports should reference a git commit hash.
DO NOT open a public GitHub issue for security reports.
Email the maintainer privately at frangelrcbarrera@gmail.com with
the subject Network-Scanner security report. Please include:
- Description of the issue and its impact.
- Reproduction steps (request payload, environment, expected vs actual behavior).
- Affected version (git commit hash).
- Suggested fix (optional but appreciated).
You should receive an acknowledgement within 7 days. If confirmed, a fix will be prepared and a coordinated disclosure date agreed. You will be credited in the commit message unless you request otherwise.
- Day 0: Private report received.
- Day 1–7: Maintainer acknowledges and triages.
- Day 7–30: Fix developed. Critical issues (RCE, command injection) are expedited; lower-severity issues may run to the full window.
- Day 30 (or earlier for critical): Fix committed. Public disclosure coordinated with the reporter.
- Post-fix: Repository is archived once the final critical patch
(
debug=True) lands.
The maintainer is an individual working part-time on this project. If the SLA slips, a status update will be sent rather than silence.
In scope:
- Bugs in the Flask backend (
backend/app.py,backend/modules/,backend/models/) that compromise the host running Network-Scanner or its users. - Command injection, SSRF, or path traversal in scan orchestration
(
scanner.py,reconnaissance.py,report_generator.py). - WebSocket/HTTP CORS misconfigurations enabling CSRF or cross-origin
abuse (
flask-socketio,flask-cors). - Dependency conflicts that break authentication or transport security
(
jwtvspyjwtinrequirements.txt). - Docker misconfigurations that escalate privileges or leak secrets
(
Dockerfile.backend,Dockerfile.frontend,docker-compose.yml).
Out of scope:
- "The scanner can scan a host I don't own." Yes — that is its purpose.
Operators are responsible for authorization (see
README.mddisclaimer). - "nmap returns findings the operator didn't expect." That is nmap's behavior, not a bug in this project.
- Reports that the AI assistant (
/api/ai/chat) follows instructions embedded incontext. The assistant passes user-suppliedcontextto OpenAI without sanitization; this is a known limitation (see below), not a novel finding.
Good-faith security research on this repository is welcomed. The maintainer will not pursue legal action against researchers who:
- Test only against locally-owned lab instances of Network-Scanner (not public deployments, which the maintainer does not operate).
- Avoid degrading service for other users (the project has no shared infrastructure).
- Report findings privately per the timeline above before any public disclosure.
- Do not exfiltrate, destroy, or tamper with data that is not their own.
Researchers uncertain about scope should email first — a quick clarification is always preferable to a misstep.
This policy operates within:
- International references: ISO/IEC 29147 (vulnerability disclosure) and ISO/IEC 30111 (vulnerability handling), which the maintainer follows as best practice regardless of jurisdiction.
- USA — Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030.
- European Union — Directive 2013/40/EU on attacks against information systems.
- United Kingdom — Computer Misuse Act 1990 (CMA).
- Council of Europe — Convention on Cybercrime (Budapest, 2001).
- The repository's MIT License, which disclaims liability and defines permitted use of the code.
Researchers operating from any jurisdiction should respect their local computer-misuse statutes.
This project is a vulnerability scanner that itself carries known security debt. Reporting the items below as novel findings is not useful — they are documented here as part of the pre-archive cleanup.
Critical (fix in progress before archive):
backend/app.py:253—socketio.run(app, ..., debug=True)exposes the Werkzeug debugger on0.0.0.0:5000. The debugger allows unauthenticated remote code execution via crafted tracebacks. This is the trigger for archiving the repository and is being patched todebug=False.
High (will not be fixed before archive — documented as accepted risk):
backend/app.py:19—cors_allowed_origins="*"on the SocketIO server allows any origin to open the scan WebSocket, enabling cross-site WebSocket hijacking of scan commands.backend/modules/scanner.py— user-suppliedtargetreachesnmap.PortScanner().scan()without argument sanitization. A payload such as8.8.8.8 -iL /etc/passwdcauses nmap to read arbitrary files as input lists (argument injection).backend/modules/scanner.py:150,445,474,502—requests(..., verify=False)disables TLS verification on outbound scans, exposing the scanner host to MITM.backend/app.py:20vsbackend/models/scan_results.py:5— twoSQLAlchemy()instances.db.create_all()against the app's instance creates no tables because the models are registered on the bare instance inmodels/. The persistence layer is inert.backend/modules/reconnaissance.py:100—name.endswith(...)wherenameis undefined (should bedomain_name). Certificate transparency parsing raisesNameError.
Medium / Lower (accepted risk):
backend/modules/scanner.py—_check_default_credentials,_check_smtp_relay, and_check_ssh_configreturn canned findings without testing the target. Operators should treat these as placeholders, not verified results.backend/requirements.txt— bothjwt==1.3.1andpyjwt==2.8.0are declared; both export thejwtpackage and conflict at install time.jwt==1.3.1is a dead dependency (0 imports in the codebase). Authentication code, if ever wired in, would be unreliable.backend/app.py:12—SECRET_KEYguard only fires whenFLASK_ENV=productionexplicitly; unset or any other value bypasses the check and keeps the defaultdev-key-change-in-production.backend/modules/ai_assistant.py— user-suppliedcontextis interpolated into the OpenAI prompt without sanitization. Operators should assume the assistant is prompt-injectable.Dockerfile.frontendcopiesnginx.confthat does not exist in the repo;docker-compose.ymlmounts./nginx/which is also absent. The frontend service cannot build as published.Dockerfile.backendruns as non-root butscanner.pyissuesnmap -sS(SYN scan), which requiresCAP_NET_RAW. Thedocker-compose.ymldoes not grant--cap-add NET_RAW, so SYN scans fail at runtime even if the container ran as root.- Hardcoded paths
/workspaces/Network-Scanner/appear inscripts/install.shandbackend/modules/report_generator.pyand will break deployments outside the original devcontainer.
Documentation accuracy: the README.md feature table advertises
multi-user authentication, projects, audit logs, API keys, rate
limiting, learning mode, and a fully functional AI assistant. Of these,
only the AI assistant (OpenAI integration with fallback) is partially
implemented; the rest exist only as SQLAlchemy models without routes.
The README also references CONTRIBUTING.md, backend/requirements-dev.txt,
backend/tests/, and frontend test files — none of which exist in the
repository (35 files tracked via git ls-files). The README overstates
the project's capabilities. This is acknowledged here so that
researchers do not file reports of the form "feature X is missing" —
they are missing by current state, not by accident.
- Maintainer: Frangel Raúl Crespo Barrera
- Email: frangelrcbarrera@gmail.com
- GitHub: frangelbarrera