# humand-web — Client-side encrypt-storage key exposed in committed env and bundle

STATUS: DRAFT
program: humand-web | platform: huntr | repo: HumandDev/humand-web | commit: 2026-02-13-scan

````
Repository URL: https://github.com/HumandDev/humand-web
Package Manager: npm
CVSS:
Attack Vector: Network
Title: humand-web — Client-side encrypt-storage key exposed in committed env and bundle
Description:

## huntr Form Fields

```
Package Manager: npm
Version Affected: latest frontend build (observed in 2026-02-13 scan)
Vulnerability Type: Use of Hard-coded Cryptographic Key
CVSS:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Medium
Integrity: None
Availability: None
Title: VITE_ENCRYPT_STORAGE key is committed and exposed to all clients
```

### Description

The app uses an encrypt-storage wrapper for token/session values, but the encryption key is defined as `VITE_ENCRYPT_STORAGE` in the frontend environment files. Vite intentionally embeds every `VITE_`-prefixed variable into the client bundle at build time, so the key is public to every user.

Observed values:

- `.env: VITE_ENCRYPT_STORAGE=HUMAND_DEV__...`
- `.env.production: VITE_ENCRYPT_STORAGE=HUMAND_PRD__...`

This defeats the secrecy assumption behind client-side encrypted local storage: any script running in the browser (XSS, a malicious extension, a compromised dependency) can decrypt the stored values with the same key.

### Proof of Concept

1. Retrieve the compiled frontend bundle or the source env files.
2. Extract the `VITE_ENCRYPT_STORAGE` value.
3. Use the app's encrypt-storage routine/library with the extracted key to decrypt stored token blobs from localStorage.

### Impact

Client-side storage obfuscation provides little security value once the key is public. In a compromise scenario (e.g. XSS), the attacker effort needed to recover plaintext tokens/session artifacts is significantly reduced.

### Occurrences

```
Permalink: /.env#L27
Description: Development encrypt-storage key committed to repository
Permalink: /.env.production#L27
Description: Production encrypt-storage key committed to repository and shipped to clients
```

### References

```
URL: https://cwe.mitre.org/data/definitions/321.html
Name: CWE-321: Use of Hard-coded Cryptographic Key
URL: https://vitejs.dev/guide/env-and-mode.html
Name: Vite env vars (VITE_* exposed to client bundle)
```
````
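The root cause above is a process gap as much as a code one: anything under a `VITE_` prefix is, by Vite's design, public once built, so a secret-looking name under that prefix should never reach a commit. The following is an added example of a repository-side check for that condition; it is not code from the report or from the humand-web project. It parses dotenv-style text and flags `VITE_*` variables whose names suggest key material. The `SECRET_HINTS` list and the sample `.env` content are constructed assumptions for illustration, not values taken from the repository.

```javascript
// Added example (not part of the original report or the humand-web code base):
// a pre-commit style check that scans dotenv text for VITE_-prefixed variables
// whose names suggest secret material. Vite inlines every VITE_* variable into
// the client bundle, so such a value is public by construction.

// Name fragments that suggest a value is meant to stay secret.
// Assumption: tune this list for the project being checked.
const SECRET_HINTS = ['SECRET', 'KEY', 'TOKEN', 'PASSWORD', 'PRIVATE', 'ENCRYPT'];

// Parse "KEY=value" lines from dotenv-style text; comments and blank lines
// are ignored and one layer of surrounding quotes is removed from values.
function parseDotenv(text) {
  const vars = [];
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (!line || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq === -1) continue;
    const key = line.slice(0, eq).trim();
    let value = line.slice(eq + 1).trim();
    const quoted =
      (value.startsWith('"') && value.endsWith('"')) ||
      (value.startsWith("'") && value.endsWith("'"));
    if (quoted && value.length >= 2) value = value.slice(1, -1);
    vars.push({ key, value });
  }
  return vars;
}

// Return the names of VITE_* variables that look like secrets, in file order.
// Server-only variables (no VITE_ prefix) are never inlined by Vite and are
// therefore not reported here, whatever their name.
function findClientExposedSecrets(text) {
  return parseDotenv(text)
    .filter(({ key }) => key.startsWith('VITE_'))
    .filter(({ key }) => SECRET_HINTS.some((h) => key.toUpperCase().includes(h)))
    .map(({ key }) => key);
}

// Constructed sample .env content; the values are placeholders, not real keys.
const SAMPLE_ENV = `
# public configuration, fine to ship to the browser
VITE_API_BASE_URL=https://api.example.invalid
VITE_APP_NAME=demo
# these are inlined into the bundle as well, which is the problem
VITE_ENCRYPT_STORAGE=PLACEHOLDER_KEY_VALUE
VITE_SOME_SECRET="placeholder"
# server-only: Vite does not expose this to the client
DATABASE_PASSWORD=placeholder
`;

function main() {
  const exposed = findClientExposedSecrets(SAMPLE_ENV);
  if (exposed.length === 0) {
    console.log('no VITE_* variables with secret-looking names');
    return;
  }
  console.log('VITE_* variables with secret-looking names (public in the bundle):');
  for (const k of exposed) console.log('  ' + k);
}
main();
```

Wired into a pre-commit hook or CI step over every `.env*` file, this check would have flagged `VITE_ENCRYPT_STORAGE` in both files listed under Occurrences. The check only catches the naming pattern; the underlying fix is to stop treating client-side encryption as a secrecy boundary, since no key shipped to the browser can be kept from scripts running in it.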