#	Finding	Severity
002	Duration conversion panics on oversized cache metadata	Medium
003	Age conversion panics on oversized cache metadata	Medium
004	get_body leaks a spawned stream when rejecting a second reader	Medium
006	Full-body read lacks a decoded size cap	Medium

KV and object store handles

#	Finding	Severity
008	Invalid pending-operation handles panic on await	Medium
010	Invalid store handle panics KV hostcalls	High
011	lookup_wait exposes partial state on buffer error	Medium
017	Invalid store handle panics host lookup paths	High
018	Invalid store handle panics host insert paths	High
019	Invalid store handle panics host delete path	High

Object store concurrency

#	Finding	Severity
012	Insert preconditions race concurrent writers	High
013	Append and prepend lose concurrent updates	High

HTTP and networking

#	Finding	Severity
014	Invalid pending request handle panics await_response	High
015	get_header_values panics on invalid request handle	Medium
016	Host header overrides backend authority	Medium
020	Invalid response handle traps in header value lookup	Medium
021	Remote IP lookup unwraps untrusted response handle	Medium
022	Remote port lookup unwraps untrusted response handle	Medium
023	Backend route ID accepted without backend validation	Medium

Body and streaming

#	Finding	Severity
024	Known-size tee panics on body read error	Medium

Header parsing

#	Finding	Severity
033	Missing trailing NUL drops last header value	Medium
034	Empty values buffer silently clears headers	Medium

Configuration parsing

#	Finding	Severity
026	Empty TOML client certificate chains bypass validation	Medium
028	Multiple PEM private keys are silently accepted	Medium
030	Missing env secret becomes empty bytes	Medium

Shielding

#	Finding	Severity
029	Oversized shielding backend persists after length error	Medium

Wasm module rewriting

#	Finding	Severity
039	Valid multi-memory modules panic during rewrite	Medium
040	Large memarg offset overflow panics during rewrite	Medium
041	Supported Wasm instructions hit todo panic	Medium

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

README.md

Viceroy Audit Findings

Summary

Findings

Trap and error reporting

Cache hostcalls

KV and object store handles

Object store concurrency

HTTP and networking

Body and streaming

Header parsing

Configuration parsing

Shielding

Wasm module rewriting

Name		Name	Last commit message	Last commit date
parent directory ..
pocs		pocs
001-trap-details-returned-in-http-500-body.md		001-trap-details-returned-in-http-500-body.md
001-trap-details-returned-in-http-500-body.patch		001-trap-details-returned-in-http-500-body.patch
002-duration-conversion-can-panic-on-large-cache-metadata.md		002-duration-conversion-can-panic-on-large-cache-metadata.md
002-duration-conversion-can-panic-on-large-cache-metadata.patch		002-duration-conversion-can-panic-on-large-cache-metadata.patch
003-age-conversion-can-panic-on-large-cache-metadata.md		003-age-conversion-can-panic-on-large-cache-metadata.md
003-age-conversion-can-panic-on-large-cache-metadata.patch		003-age-conversion-can-panic-on-large-cache-metadata.patch
004-get-body-leaks-a-spawned-body-stream-on-single-reader-reject.md		004-get-body-leaks-a-spawned-body-stream-on-single-reader-reject.md
004-get-body-leaks-a-spawned-body-stream-on-single-reader-reject.patch		004-get-body-leaks-a-spawned-body-stream-on-single-reader-reject.patch
006-full-body-read-has-no-decompressed-size-limit.md		006-full-body-read-has-no-decompressed-size-limit.md
006-full-body-read-has-no-decompressed-size-limit.patch		006-full-body-read-has-no-decompressed-size-limit.patch
008-invalid-pending-operation-handles-panic-on-await.md		008-invalid-pending-operation-handles-panic-on-await.md
008-invalid-pending-operation-handles-panic-on-await.patch		008-invalid-pending-operation-handles-panic-on-await.patch
010-invalid-store-handle-can-panic-hostcall.md		010-invalid-store-handle-can-panic-hostcall.md
010-invalid-store-handle-can-panic-hostcall.patch		010-invalid-store-handle-can-panic-hostcall.patch
011-lookup-wait-exposes-partial-state-on-buffer-error.md		011-lookup-wait-exposes-partial-state-on-buffer-error.md
011-lookup-wait-exposes-partial-state-on-buffer-error.patch		011-lookup-wait-exposes-partial-state-on-buffer-error.patch
012-insert-preconditions-race-concurrent-writers.md		012-insert-preconditions-race-concurrent-writers.md
012-insert-preconditions-race-concurrent-writers.patch		012-insert-preconditions-race-concurrent-writers.patch
013-append-and-prepend-lose-concurrent-updates.md		013-append-and-prepend-lose-concurrent-updates.md
013-append-and-prepend-lose-concurrent-updates.patch		013-append-and-prepend-lose-concurrent-updates.patch
014-invalid-pending-request-handle-panics-await-response.md		014-invalid-pending-request-handle-panics-await-response.md
014-invalid-pending-request-handle-panics-await-response.patch		014-invalid-pending-request-handle-panics-await-response.patch
015-get-header-values-panics-on-invalid-request-handle.md		015-get-header-values-panics-on-invalid-request-handle.md
015-get-header-values-panics-on-invalid-request-handle.patch		015-get-header-values-panics-on-invalid-request-handle.patch
016-host-header-controls-backend-request-authority.md		016-host-header-controls-backend-request-authority.md
016-host-header-controls-backend-request-authority.patch		016-host-header-controls-backend-request-authority.patch
017-invalid-store-handle-panics-host-lookup-paths.md		017-invalid-store-handle-panics-host-lookup-paths.md
017-invalid-store-handle-panics-host-lookup-paths.patch		017-invalid-store-handle-panics-host-lookup-paths.patch
018-invalid-store-handle-panics-host-insert-paths.md		018-invalid-store-handle-panics-host-insert-paths.md
018-invalid-store-handle-panics-host-insert-paths.patch		018-invalid-store-handle-panics-host-insert-paths.patch
019-invalid-store-handle-panics-host-delete-path.md		019-invalid-store-handle-panics-host-delete-path.md
019-invalid-store-handle-panics-host-delete-path.patch		019-invalid-store-handle-panics-host-delete-path.patch
020-invalid-response-handle-traps-in-header-value-lookup.md		020-invalid-response-handle-traps-in-header-value-lookup.md
020-invalid-response-handle-traps-in-header-value-lookup.patch		020-invalid-response-handle-traps-in-header-value-lookup.patch
021-remote-ip-lookup-unwraps-untrusted-response-handle.md		021-remote-ip-lookup-unwraps-untrusted-response-handle.md
021-remote-ip-lookup-unwraps-untrusted-response-handle.patch		021-remote-ip-lookup-unwraps-untrusted-response-handle.patch
022-remote-port-lookup-unwraps-untrusted-response-handle.md		022-remote-port-lookup-unwraps-untrusted-response-handle.md
022-remote-port-lookup-unwraps-untrusted-response-handle.patch		022-remote-port-lookup-unwraps-untrusted-response-handle.patch
023-backend-name-injected-into-routing-header.md		023-backend-name-injected-into-routing-header.md
023-backend-name-injected-into-routing-header.patch		023-backend-name-injected-into-routing-header.patch
024-known-size-tee-panics-on-body-read-error.md		024-known-size-tee-panics-on-body-read-error.md
024-known-size-tee-panics-on-body-read-error.patch		024-known-size-tee-panics-on-body-read-error.patch
026-empty-certificate-list-accepted-from-toml-sources.md		026-empty-certificate-list-accepted-from-toml-sources.md
026-empty-certificate-list-accepted-from-toml-sources.patch		026-empty-certificate-list-accepted-from-toml-sources.patch
028-multiple-keys-in-file-or-inline-key-input-are-silently-accep.md		028-multiple-keys-in-file-or-inline-key-input-are-silently-accep.md
028-multiple-keys-in-file-or-inline-key-input-are-silently-accep.patch		028-multiple-keys-in-file-or-inline-key-input-are-silently-accep.patch
029-oversized-shielding-backend-persists-after-length-error.md		029-oversized-shielding-backend-persists-after-length-error.md
029-oversized-shielding-backend-persists-after-length-error.patch		029-oversized-shielding-backend-persists-after-length-error.patch
030-missing-env-secret-becomes-empty-bytes.md		030-missing-env-secret-becomes-empty-bytes.md
030-missing-env-secret-becomes-empty-bytes.patch		030-missing-env-secret-becomes-empty-bytes.patch
033-missing-trailing-nul-drops-last-header-value.md		033-missing-trailing-nul-drops-last-header-value.md
033-missing-trailing-nul-drops-last-header-value.patch		033-missing-trailing-nul-drops-last-header-value.patch
034-empty-values-buffer-clears-headers-silently.md		034-empty-values-buffer-clears-headers-silently.md
034-empty-values-buffer-clears-headers-silently.patch		034-empty-values-buffer-clears-headers-silently.patch
039-valid-multi-memory-modules-panic-during-rewrite.md		039-valid-multi-memory-modules-panic-during-rewrite.md
039-valid-multi-memory-modules-panic-during-rewrite.patch		039-valid-multi-memory-modules-panic-during-rewrite.patch
040-large-memory-offsets-panic-on-checked-addition.md		040-large-memory-offsets-panic-on-checked-addition.md
040-large-memory-offsets-panic-on-checked-addition.patch		040-large-memory-offsets-panic-on-checked-addition.patch
041-supported-wasm-instructions-hit-todo-panic.md		041-supported-wasm-instructions-hit-todo-panic.md
041-supported-wasm-instructions-hit-todo-panic.patch		041-supported-wasm-instructions-hit-todo-panic.patch
README.md		README.md

FilesExpand file tree

viceroy

Directory actions

More options

Directory actions

More options

Latest commit

History

viceroy

Folders and files

parent directory

README.md

Viceroy Audit Findings

Summary

Findings

Trap and error reporting

Cache hostcalls

KV and object store handles

Object store concurrency

HTTP and networking

Body and streaming

Header parsing

Configuration parsing

Shielding

Wasm module rewriting