Skip to content

Security: fazer-ai/moltbot

Security

SECURITY.md

Security Policy

If you believe you've found a security issue in Moltbot, please report it privately.

Reporting

  • Email: steipete@gmail.com
  • What to include: reproduction steps, impact assessment, and (if possible) a minimal PoC.

Operational Guidance

For threat model + hardening guidance (including moltbot security audit --deep and --fix), see:

  • https://docs.molt.bot/gateway/security

Web Interface Safety

Moltbot's web interface is intended for local use only. Do not bind it to the public internet; it is not hardened for public exposure.

Runtime Requirements

Node.js Version

Moltbot requires Node.js 22.12.0 or later (LTS). This version includes important security patches:

  • CVE-2025-59466: async_hooks DoS vulnerability
  • CVE-2026-21636: Permission model bypass vulnerability

Verify your Node.js version:

node --version  # Should be v22.12.0 or later

Docker Security

When running Moltbot in Docker:

  1. The official image runs as a non-root user (node) for reduced attack surface
  2. Use --read-only flag when possible for additional filesystem protection
  3. Limit container capabilities with --cap-drop=ALL

Example secure Docker run:

docker run --read-only --cap-drop=ALL \
  -v moltbot-data:/app/data \
  moltbot/moltbot:latest

Security Scanning

This project uses detect-secrets for automated secret detection in CI/CD. See .detect-secrets.cfg for configuration and .secrets.baseline for the baseline.

Run locally:

pip install detect-secrets==1.5.0
detect-secrets scan --baseline .secrets.baseline

There aren’t any published security advisories