# humand-web — Refresh tokens exposed in URL path parameters

STATUS: DRAFT
program: humand-web | platform: huntr | repo: HumandDev/humand-web | commit: 2026-02-13-scan

````
Repository URL: https://github.com/HumandDev/humand-web
Package Manager: npm
CVSS:
Attack Vector: Network
Title: humand-web — Refresh tokens exposed in URL path parameters

Description:

## huntr Form Fields

```
Package Manager: npm
Version Affected: latest frontend build (observed in 2026-02-13 scan)
Vulnerability Type: Use of GET Request Method With Sensitive Query Strings
CVSS:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None
Title: Long-lived refresh tokens are passed in URL routes for mobile flows
```

### Description

The application defines routes that accept `:refreshToken` in the URL path for mobile features:

- `/documents-lacomer-mobile/:refreshToken`
- `/requests-banbajio-mobile/:refreshToken`

Placing refresh tokens in URLs leaks the token through standard browser and infrastructure behavior:

- browser history and history sync
- reverse proxy and server access logs
- analytics and tracking tooling
- Referer propagation to third-party resources

Refresh tokens are long-lived session credentials; disclosure enables durable account takeover until the token is revoked.

### Proof of Concept

1. Open one vulnerable route with a real refresh token in the path: `/documents-lacomer-mobile/`.
2. Inspect browser history and network logs.
3. Observe the token value persisted in the full URL.
4. Use the leaked token in the refresh endpoint flow to mint new access tokens.

### Impact

Anyone obtaining a leaked refresh token can continuously generate valid access tokens and impersonate the victim account. This affects the confidentiality and integrity of user data and actions, and the token may remain usable after a password change until the refresh token is revoked.

### Occurrences

```
Permalink: /src/routes.tsx#L2505
Description: Route embeds refresh token directly in path for documents mobile flow

Permalink: /src/routes.tsx#L2514
Description: Route embeds refresh token directly in path for requests mobile flow
```

### References

```
URL: https://cwe.mitre.org/data/definitions/598.html
Name: CWE-598: Information Exposure Through Query Strings in GET Request (URL exposure class)

URL: https://owasp.org/www-community/vulnerabilities/Information_exposure_through_query_strings_in_url
Name: OWASP - Information exposure through URL
```
````
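The following is an added example and is not code from the humand-web repository or from this report. It shows two defender-side checks for the defect class described above: an audit that walks React Router style route definitions and flags any `:param` whose name looks like a credential (so the two routes quoted in the report would be caught in CI before shipping), and a log redactor that blanks the credential-bearing segment of a concrete request path before it reaches a proxy or server access log. The `RouteDef` shape, the `SENSITIVE_PARAM` name list, the third route and the sample token value are all assumptions constructed for the example; only the two `:refreshToken` route strings come from the report.

```typescript
// Added example, not code from the humand-web repository or from this report.
// Audits route patterns for credential-like path parameters and redacts the
// matching segment of a request path before it is logged. The two
// ":refreshToken" routes are quoted from the report; everything else
// (the RouteDef shape, the benign route, the sample token) is constructed.

export interface RouteDef {
  path: string; // React Router style pattern, e.g. "/documents/:documentId"
}

export interface Finding {
  path: string;  // the route pattern that carries the parameter
  param: string; // the parameter name that looks like a credential
}

// Parameter names that must never travel in a URL path or query string,
// because URLs end up in browser history, access logs and Referer headers.
// Assumed list for this example; extend it to match your own naming.
const SENSITIVE_PARAM = /token|secret|password|session|apikey|credential/i;

// Report every ":param" in each route whose name matches SENSITIVE_PARAM.
export function findSensitivePathParams(routes: RouteDef[]): Finding[] {
  const findings: Finding[] = [];
  for (const route of routes) {
    const paramRe = /:([A-Za-z0-9_]+)/g; // fresh regex per route: global state
    let m: RegExpExecArray | null;
    while ((m = paramRe.exec(route.path)) !== null) {
      if (SENSITIVE_PARAM.test(m[1])) {
        findings.push({ path: route.path, param: m[1] });
      }
    }
  }
  return findings;
}

// Redact the credential-bearing segment of a concrete request path when it
// matches one of the flagged routes. Paths matching no flagged route are
// returned unchanged; a query string, if present, is preserved verbatim.
export function redactSensitivePath(routes: RouteDef[], requestPath: string): string {
  const qIdx = requestPath.indexOf("?");
  const pathOnly = qIdx === -1 ? requestPath : requestPath.slice(0, qIdx);
  const query = qIdx === -1 ? "" : requestPath.slice(qIdx);
  const segs = pathOnly.split("/");

  for (const f of findSensitivePathParams(routes)) {
    const patSegs = f.path.split("/");
    if (patSegs.length !== segs.length) continue;
    // Literal segments must match exactly; ":param" segments match any non-empty value.
    const matches = patSegs.every((p, i) =>
      p.startsWith(":") ? segs[i].length > 0 : p === segs[i],
    );
    if (!matches) continue;
    const redacted = segs.map((s, i) =>
      patSegs[i] === ":" + f.param ? "[REDACTED]" : s,
    );
    return redacted.join("/") + query;
  }
  return requestPath;
}

// Route table: the two patterns quoted in the report plus one constructed benign route.
export const EXAMPLE_ROUTES: RouteDef[] = [
  { path: "/documents-lacomer-mobile/:refreshToken" },
  { path: "/requests-banbajio-mobile/:refreshToken" },
  { path: "/documents/:documentId" },
];

// Constructed request path; the token value is a placeholder, not a real credential.
export const SAMPLE_REQUEST =
  "/documents-lacomer-mobile/CONSTRUCTED.refresh.token?lang=es";

// findSensitivePathParams(EXAMPLE_ROUTES)           -> two findings, both "refreshToken"
// redactSensitivePath(EXAMPLE_ROUTES, SAMPLE_REQUEST) -> "/documents-lacomer-mobile/[REDACTED]?lang=es"
```

Running `findSensitivePathParams` over the application's route table in a test or lint step fails the build as soon as a credential-named parameter appears in a path; `redactSensitivePath` is a stop-gap for the logging layer while the routes are changed, since it only protects logs you control and does nothing for browser history, analytics tooling or Referer leakage.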