# tRPC (TypeScript) Security

Security vulnerabilities and detection rules for the tRPC framework. 5 rules across 4 CWE categories.

- Total rules: 5
- CWE categories: 4
- Critical rules: 1

## CWEs

- **CWE-20**: Improper Input Validation
- **CWE-209**: Generation of Error Message Containing Sensitive Information
- **CWE-285**: Improper Authorization
- **CWE-704**: Incorrect Type Conversion or Cast

## Rules

- **tRPC Unsafe Context Usage** [HIGH]: Using unvalidated headers, cookies, or query params in context creation allows attackers to bypass authentication and impersonate users.
- **tRPC Error Information Disclosure** [MEDIUM]: Exposing raw errors, stack traces, or database details to clients aids attackers in reconnaissance and exploitation.
- **tRPC Protected Procedure Missing Authentication** [CRITICAL]: Using `publicProcedure` for mutations or user-specific data allows unauthenticated access and account manipulation.
- **tRPC Procedure Missing Input Validation** [HIGH]: tRPC procedures without `.input()` validation accept unvalidated payloads at runtime, enabling injection and type confusion attacks.
- **tRPC Type Safety Bypass with Any** [MEDIUM]: Using the `any` type in tRPC procedures defeats type safety and allows unvalidated data to pass through, enabling injection and runtime errors.