# NewtArr Security Audit **Audit Date:** 2026-02-24 **Codebase:** NewtArr (fork of Huntarr v6.6.3) **Audited By:** Automated analysis (Claude) **Scope:** Full codebase — backend Python, frontend JavaScript/HTML, configuration, and deployment > **Context:** This audit was performed on the v6.6.3 codebase inherited from the upstream Huntarr project. > These findings represent **pre-existing issues** in the original code. NewtArr is designed to run behind > an SSO proxy (e.g., Authelia, Authentik) in ElfHosted deployments, which mitigates many of the > authentication-related findings. Standalone users should review these findings carefully. --- ## Summary | Severity | Backend | Frontend | Config/Deploy | Total | |:---------|:-------:|:--------:|:-------------:|:-----:| | CRITICAL | 2 | 3 | 0 | **5** | | HIGH | 6 | 4 | 4 | **14** | | MEDIUM | 9 | 9 | 8 | **26** | | LOW | 5 | 4 | 6 | **15** | | INFO | 7 | 5 | 6 | **18** | > Note: Some config/deployment findings overlap with backend findings (they reference the same underlying code). --- ## CRITICAL Findings ### C1: Hardcoded Flask Secret Key - **File:** `src/primary/web_server.py:120` - **Code:** `app.secret_key = os.environ.get('SECRET_KEY', 'dev_key_for_sessions')` - **Impact:** If the `SECRET_KEY` environment variable is not set, Flask sessions use a hardcoded default. An attacker who knows this key can forge session cookies and bypass authentication entirely. - **Mitigation:** Set the `SECRET_KEY` environment variable to a cryptographically random value in production. The Docker Compose example should include this. Consider generating a random key at first startup if none is provided. ### C2: Weak Password Hashing (SHA-256) - **File:** `src/primary/auth.py:77-86` - **Code:** Uses `hashlib.sha256((password + salt).encode()).hexdigest()` - **Impact:** SHA-256 is a fast hash, making stored passwords vulnerable to brute-force and rainbow table attacks. Industry standard is bcrypt, scrypt, or argon2 with adaptive work factors. - **Mitigation:** Replace with `bcrypt` or `argon2`. This is less critical when running behind SSO (authentication is handled upstream), but matters for standalone deployments. ### C3: XSS via innerHTML in Log Messages - **File:** `frontend/static/js/new-main.js:893-903` - **Code:** Log messages from the backend are inserted into the DOM using `innerHTML` without sanitization. - **Impact:** If an attacker can influence log content (e.g., via crafted media titles in *arr apps), they could inject arbitrary JavaScript that executes in the context of the NewtArr UI. - **Mitigation:** Use `textContent` instead of `innerHTML`, or sanitize with DOMPurify before insertion. ### C4: XSS via innerHTML in Swaparr Download Names - **File:** `frontend/static/js/apps/swaparr.js:268-284` - **Code:** Download names from external sources are rendered via `innerHTML` without sanitization. - **Impact:** Crafted download names containing `