Trail of Bits

Zoo KittyCAD

Type: Security review

Client: Zoo

Date: 2024-06

Domain: AppSec

Effort: 4.6 wks

Section: Technology Product Reviews

Trail of Bits's security review of Zoo (Jun 2024) identified 14 issues: 1 high, 3 medium, 6 low, and 4 informational.

Findings · 14

  1. Risk of Rust panic due to division by zero (Informational)
  2. Assertion on a positive FoV setting causes the engine to abort on zero- or negative-value settings (Low)
  3. Engine aborts when rendering zero-area videos (Low)
  4. Rendering videos with a low height and width divisible by 4 causes segmentation fault (Low)
  5. UDP firewall can be circumvented through TURN WebRTC server (Low)
  6. GitHub App webhook panics if non-ASCII characters are sent in headers (Informational)
  7. Infinite WebSocket authentication retry attempts (Low)
  8. Missing rate limiting for authentication email endpoint (Low)
  9. Insufficient validation for callback URLs in authentication email endpoint (Medium)
  10. CORS configuration allows malicious cross-origin requests (Medium)
  11. Cookie allows authentication on malicious origins (High)
  12. Plaintext secrets in the infrastructure repository (Medium)
  13. Personal email in source code (Informational)
  14. Unsafe code wrapped in safe API (Informational)

Findings extracted from the published report PDF. See the full report below for details and remediation.