The threat
A JavaScript source map (.map) ships your original, unminified source — comments, internal endpoints, logic, sometimes secrets — to anyone who can fetch it or open a published package. Apple’s App Store front-end and Anthropic’s Claude Code both leaked their entire source this way.
How Stateward catches it
Stateward’s source-map detector flags it in the pull request, before it ever ships: a committed *.map artifact, a stray //# sourceMappingURL= in a shipped bundle, and build configs that emit production maps across Vite, webpack, Next.js, Create React App, Vue and Rollup. It skips disabled maps and .d.ts.map files, so it doesn’t cry wolf.
Source-map exposure detectorCWE-540CWE-200
It happened for real
Anthropic Claude Code source-map leakA missing .npmignore rule shipped a ~59.8 MB source map — about 512,000 lines of unobfuscated TypeScript across ~1,900 files — inside a published npm package. A bundler bug kept emitting maps even when disabled, and nothing stripped them before publish.Would Stateward have caught the Claude Code source leak? →Apple App Store source-map leakApple shipped a new App Store web build with source maps still enabled in production. A researcher downloaded the .map files and reconstructed the full front-end source; Apple issued DMCA takedowns and GitHub removed thousands of forks.Would Stateward have caught Apple’s App Store source leak? →
Recent advisories of this class
- mediumAPPSEC-SOURCEMAP-DISCLOSUREA source map (.map) is a build artifact that maps minified bundle code back to the original source, and bundlers embed the full original code in its sourcesContent field. Left reachable in production or shipped inside a package, it hands anyone the unminified codebase, internal comments, hidden API endpoints, auth logic, and any secrets that were compiled in. Discovery is trivial: open DevTools and read the Sources tab, request the bundle's .map URL directly, or Google-dork for ext:map intext:webpack, then reconstruct the whole project with a tool like unwebpack-sourcemap. Passive scanners such as Acunetix and Burp already flag it as a standalone finding. It is usually rated medium on its own but escalates fast when the recovered source contains live credentials or undocumented endpoints; exposed Webpack source maps have leaked hardcoded Stripe secret keys that enabled unauthorized payments. High-profile cases include Apple's App Store web front-end in November 2025, shipped with source maps still enabled, and Anthropic's Claude Code, whose entire TypeScript source leaked via a source map left in a published npm package in March 2026.
- highAPPSEC-GRAPHQL-ABUSEGraphQL servers expose three abuse primitives stemming from the query language's flexibility. Leaving introspection enabled lets any client send a __schema query and recover the entire type system, including internal admin mutations and deprecated fields, providing a map of the attack surface (OWASP API8/API2). Because per-request rate limiters count one HTTP request regardless of operations inside it, an attacker can use field aliasing (e.g. attempt0:login(...), attempt1:login(...)) or array batching to pack dozens of login or verifyOtp mutations into a single request, brute-forcing credentials or short OTP/2FA codes while the rate limiter sees only one request; this aliasing-bypass technique is reproduced in the PortSwigger Web Security Academy 'Bypassing GraphQL brute force protections' lab and Wallarm's GraphQL batching research. Deeply nested or recursive queries cause an exponential explosion of resolver and database calls, exhausting CPU, memory and connection pools for denial of service, the core of OWASP API4:2023 Unrestricted Resource Consumption. HackerOne has disclosed a real GraphQL authentication-bypass finding, and Apollo Server v4 disabled array batching by default in response to these attacks.
- highAPPSEC-RACE-TOCTOUA business-logic race condition exploits the brief window between a check on shared state and the act that mutates it (time-of-check to time-of-use), letting concurrent requests each pass the same check before any of them commits, so a limited resource is consumed more times than allowed (OWASP API6:2023, Unrestricted Access to Sensitive Business Flows). The vulnerable code is any check-then-act sequence on shared state without atomic database-level locking: validate a single-use coupon or gift card then redeem it, check a balance then withdraw or transfer, or verify a one-per-user limit then grant. Firing many near-simultaneous requests collapses the state machine and redeems one coupon multiple times, withdraws the same balance twice, or bypasses a per-user cap. James Kettle's 'Smashing the state machine: the true potential of web race conditions' (PortSwigger, published 9 August 2023, presented at Black Hat USA and DEF CON 31) introduced the single-packet attack, which withholds the final HTTP/2 frames of 20-30 requests and releases them in one TCP packet, neutralizing network jitter and squeezing arrivals into a sub-millisecond window so the race becomes reliably exploitable.
- criticalAPPSEC-NOAUTH-2023nOAuth, disclosed by Descope's security team on June 20, 2023 (reported to Microsoft on April 11, 2023), is a cross-tenant account-takeover class in multi-tenant Microsoft Entra ID (Azure AD) OAuth applications, mapping to OWASP API2:2023 Broken Authentication. The flaw existed because Entra ID emitted an 'email' claim in the OIDC token that was both mutable and unverified, while applications used that email rather than the immutable 'sub'/'oid' claim to identify and link the signed-in user. An attacker who controlled their own Entra tenant could set the email attribute of an attacker account to a victim's email address, then use 'Log in with Microsoft' against any vulnerable app; the app merged accounts by the spoofed email and granted full control of the victim's account, requiring no interaction from the victim. Descope confirmed real exposure in major SaaS apps including a design platform with millions of monthly users. Microsoft mitigated by no longer emitting unverified email claims by default for app registrations created after June 2023 and added the xms_edov claim and a RemoveUnverifiedEmailClaim flag.
Check your own repo for this
Connect a repo and Stateward reviews your next pull request — read-only, free for individuals and open source.
Built to be trusted with your code
Read-only & ephemeral
Stateward can comment, but never pushes, merges or stores your keys.
EU-sovereign hosting
Code and security data stay EU-hosted via Citadea — built for NIS2, DORA and the CRA.
Whole-codebase aware
Reasons over your call graph and trust boundaries, not just the diff.
Stateward is in beta and onboarding design partners. Built by Yggdrasil Digital.