Dapr July 2020 security audit report
  … invocation request, the unsanitized parameter is concatenated onto the targeted URL. This introduces the risk of attackers passing HTTP parameters into the method parameter, which are then appended to …
  … secrets of statestore components can be received from Dapr via the getSecrets API. This introduces the risk of attackers extracting passwords and sensitive secrets to authenticate at statestore components, …
  … handlers of topic routes which are out-of-scope for the publishing Dapr sidecar. This highlights the risk of attackers bypassing the PubSub component entirely, invoking the event routes for topics which are …
  19 pages | 267.84 KB | 1 year ago
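The first snippet above describes a caller-supplied method name being concatenated onto the target URL of a service-invocation request. The Go program below is an added example, not code from Dapr or from the audit report: it reproduces that concatenation pattern next to a construction that treats the method name as data, so that `?`, `#` and `..` in the name can no longer change which request the sidecar sends. The target address, the method names and the helper names are assumptions made for the illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Constructed address of a hypothetical target application (an assumption for
// this example, not taken from the audit report).
const targetBase = "http://app-backend:3000"

var errBadMethod = errors.New("method name contains an empty or dot segment")

// buildUnsafe mirrors the pattern the audit snippet describes: the caller-supplied
// method name is concatenated straight onto the target URL, so a '?' or '#' inside
// it is interpreted as URL syntax and ".." becomes a path traversal.
func buildUnsafe(method string) string {
	return targetBase + "/" + method
}

// buildSafe treats the method name as data, not URL syntax: empty and dot
// segments are rejected up front, and the name is assigned to the URL's Path
// field so that metacharacters are percent-encoded when the URL is serialised.
func buildSafe(method string) (string, error) {
	for _, seg := range strings.Split(method, "/") {
		if seg == "" || seg == "." || seg == ".." {
			return "", errBadMethod
		}
	}
	u, err := url.Parse(targetBase)
	if err != nil {
		return "", err
	}
	u.Path = "/" + method
	return u.String(), nil
}

// injectedQuery reports whether the URL that would be requested carries a query
// string, i.e. whether the caller managed to smuggle HTTP parameters into it.
func injectedQuery(rawURL string) bool {
	u, err := url.Parse(rawURL)
	return err == nil && u.RawQuery != ""
}

func main() {
	// Constructed method names: one benign, three that abuse URL syntax.
	for _, m := range []string{"status", "status?debug=true", "status#frag", "../admin/reset"} {
		raw := buildUnsafe(m)
		fmt.Printf("%-18s unsafe: %s (query injected: %v)\n", m, raw, injectedQuery(raw))
		safe, err := buildSafe(m)
		if err != nil {
			fmt.Printf("%-18s safe:   rejected (%v)\n", m, err)
			continue
		}
		fmt.Printf("%-18s safe:   %s (query injected: %v)\n", m, safe, injectedQuery(safe))
	}
}
```

Rejecting dot and empty segments is deliberate: percent-encoding alone would send `../admin/reset` through unchanged, and whether the receiving server collapses it is not something the sidecar should rely on.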
Dapr September 2023 security audit report
  … consider the supply-chain risk to be an area where Dapr faces a security risk, and in this section we recommend that Dapr adds Scorecard to their dependencies to mitigate this risk. During the manual auditing …
  … This type of risk applies to all open source projects that use other open source packages in their dependency trees. The Scorecard project[11] aims to mitigate that risk by formalizing a set of …
  47 pages | 1.05 MB | 1 year ago
Dapr February 2021 security audit report
  … classified as a security vulnerability. This problem, however, was given a High score in terms of risk because it enables an access policy bypass caused by faulty URL normalization. This issue has been …
  … recommended to apply URL normalization and employ case-insensitive comparison in order to eliminate the risk of potential access control list bypasses. Fix note: This issue was reported to the Dapr maintainers …
  9 pages | 161.25 KB | 1 year ago
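The snippet above names the two ingredients of the recommended fix, URL normalization and case-insensitive comparison, without showing what a faulty check looks like. The Go program below is an added example, not Dapr's code or the auditors' proof of concept: it puts a naive prefix match against a deny-list beside a version that canonicalises both the request path and the policy entries before comparing them, and lists which constructed request paths the naive check lets through. The deny-list, the route names and the helper names are assumptions made for the illustration; the concrete bypass inputs in Dapr are not stated on this page.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// Constructed deny-list for this illustration: the caller may reach any route on
// the target except these. A simplified stand-in for an access control list,
// not Dapr's real policy format.
var deniedPaths = []string{"/v1.0/secrets", "/v1.0/admin"}

// allowedNaive is the faulty check: the raw request path is compared
// byte-for-byte against each denied prefix, so a case change, a doubled slash,
// a dot segment or a percent-encoded byte is enough to slip past it.
func allowedNaive(rawPath string) bool {
	for _, d := range deniedPaths {
		if strings.HasPrefix(rawPath, d) {
			return false
		}
	}
	return true
}

// normalizePath builds the canonical form both sides are compared in:
// percent-decoding, path.Clean (collapses "//", resolves "." and ".."), and
// lower-casing for a case-insensitive comparison.
func normalizePath(rawPath string) string {
	decoded, err := url.PathUnescape(rawPath)
	if err != nil {
		decoded = rawPath // malformed escapes are still cleaned and compared
	}
	return strings.ToLower(path.Clean("/" + decoded))
}

// allowedNormalized is the hardened check. Request and policy entries are
// normalised the same way, and a prefix only matches on a segment boundary,
// so "/v1.0/secretsx" is not mistaken for "/v1.0/secrets".
func allowedNormalized(rawPath string) bool {
	p := normalizePath(rawPath)
	for _, d := range deniedPaths {
		nd := normalizePath(d)
		if p == nd || strings.HasPrefix(p, nd+"/") {
			return false
		}
	}
	return true
}

// bypasses returns the probes that the naive check allows but the normalised
// check denies, i.e. the access policy bypasses the faulty check permits.
func bypasses(probes []string) []string {
	var out []string
	for _, p := range probes {
		if allowedNaive(p) && !allowedNormalized(p) {
			out = append(out, p)
		}
	}
	return out
}

func main() {
	// Constructed request paths: one legitimate call, four bypass attempts,
	// and one look-alike that must stay allowed.
	probes := []string{
		"/v1.0/state/mystore/key",
		"/V1.0/Secrets/mystore/key",
		"/v1.0//secrets/mystore/key",
		"/v1.0/state/../secrets/mystore/key",
		"/v1.0/%73ecrets/mystore/key",
		"/v1.0/secretsx/info",
	}
	for _, p := range probes {
		fmt.Printf("%-38s naive=%-5v normalized=%-5v canonical=%s\n",
			p, allowedNaive(p), allowedNormalized(p), normalizePath(p))
	}
	fmt.Println("bypasses of the naive check:", bypasses(probes))
}
```

The decoding step errs on the side of denying: for a deny-list it is safer to canonicalise more aggressively than the target server does than less, because every form the server might collapse into a denied route is then caught. The one thing the hardened check must still get right is to normalise the policy entries with exactly the same function as the request, otherwise a mixed-case or unclean entry in the policy re-opens the gap.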
3 results in total