gitsafehub
github.com/airbnb/lottie-ios

airbnb/lottie-ios

scanned 2026-07-01 · git 906e79b
2 of 6 checks flagged a security issue
🔴 Needs attention
Only 4 of 6 checks finished — treat this as provisional.

Informational scan, not a security audit.

Leaked secrets · Vulnerable dependencies 13 · Known OSS vulnerabilities 13 · Risky code patterns · Malicious dependencies · Project health 7

Security checks

Leaked secrets — Gitleaks timed out

API keys, passwords or tokens committed into the repo.

This check didn’t finish — that’s not the same as “clean.”

via Gitleaks v8.21.2 · MIT

error: timeout after 120s

Vulnerable dependencies — Trivy 13 found · 1 serious

Packages you depend on that have known security holes (CVEs).

  • Serious CVE-2026-54906 concurrent-ruby: rubygem-concurrent-ruby: concurrent-ruby: Synchronization flaw in ReadWriteLock allows unauthorized lock release and denial of service
    Gemfile.lock
    A package you depend on has a known security hole (CVE-2026-54906). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-33176 Rails: Active Support: Active Support: Denial of Service via large scientific notation strings
    Gemfile.lock
    A package you depend on has a known security hole (CVE-2026-33176). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-33169 rails: rails-activesupport: Active Support: Denial of Service via crafted long digit strings
    Gemfile.lock
    A package you depend on has a known security hole (CVE-2026-33169). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-33170 Rails: Active Support: Active Support: Cross-Site Scripting (XSS) due to improper HTML safety flag propagation in SafeBuffer#%
    Gemfile.lock
    A package you depend on has a known security hole (CVE-2026-33170). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-35611 addressable: Addressable: Denial of Service via crafted URI templates
    Gemfile.lock
    A package you depend on has a known security hole (CVE-2026-35611). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-54904 concurrent-ruby: rubygem-concurrent-ruby: concurrent-ruby: Denial of Service due to infinite loop in AtomicReference#update
    Gemfile.lock
    A package you depend on has a known security hole (CVE-2026-54904). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-54905 concurrent-ruby: Concurrent-ruby: Incorrect write lock granting leading to broken mutual exclusion
    Gemfile.lock
    A package you depend on has a known security hole (CVE-2026-54905). Fix: Update that package to its patched version.
  • Worth fixing CVE-2024-49761 rexml: REXML ReDoS vulnerability
    Gemfile.lock
    A package you depend on has a known security hole (CVE-2024-49761). Fix: Update that package to its patched version.
  • Worth fixing CVE-2024-35176 REXML: DoS parsing an XML with many `<`s in an attribute value
    Gemfile.lock
    A package you depend on has a known security hole (CVE-2024-35176). Fix: Update that package to its patched version.
  • Worth fixing CVE-2024-39908 rexml: DoS vulnerability in REXML
    Gemfile.lock
    A package you depend on has a known security hole (CVE-2024-39908). Fix: Update that package to its patched version.
  • Worth fixing CVE-2024-41123 rexml: rubygem-rexml: DoS when parsing an XML having many specific characters such as whitespace character, >] and ]>
    Gemfile.lock
    A package you depend on has a known security hole (CVE-2024-41123). Fix: Update that package to its patched version.
  • Worth fixing CVE-2024-41946 rexml: DoS vulnerability in REXML
    Gemfile.lock
    A package you depend on has a known security hole (CVE-2024-41946). Fix: Update that package to its patched version.
  • Worth fixing CVE-2024-43398 rexml: DoS vulnerability in REXML
    Gemfile.lock
    A package you depend on has a known security hole (CVE-2024-43398). Fix: Update that package to its patched version.

via Trivy v0.70.0 · Apache-2.0

Known OSS vulnerabilities — OSV-Scanner 13 found

Your dependencies cross-checked against the OSV vulnerability database.

  • Worth fixing GHSA-2j26-frm8-cmj9 Rails Active Support has a possible DoS vulnerability in its number helpers
    /workdirs/scan-ffd2181a-5b1c-45ed-aba2-850a87d5062b/Gemfile.lock
    A package you depend on has a known security hole (CVE-2026-33176). Fix: Update that package to its patched version.
  • Worth fixing GHSA-89vf-4333-qx8v Rails Active Support has a possible XSS vulnerability in SafeBuffer#%
    /workdirs/scan-ffd2181a-5b1c-45ed-aba2-850a87d5062b/Gemfile.lock
    A package you depend on has a known security hole (CVE-2026-33170). Fix: Update that package to its patched version.
  • Worth fixing GHSA-cg4j-q9v8-6v38 Rails Active Support has a possible ReDoS vulnerability in number_to_delimited
    /workdirs/scan-ffd2181a-5b1c-45ed-aba2-850a87d5062b/Gemfile.lock
    A package you depend on has a known security hole (CVE-2026-33169). Fix: Update that package to its patched version.
  • Worth fixing GHSA-h27x-rffw-24p4 Addressable has a Regular Expression Denial of Service in Addressable templates
    /workdirs/scan-ffd2181a-5b1c-45ed-aba2-850a87d5062b/Gemfile.lock
    A package you depend on has a known security hole (CVE-2026-35611). Fix: Update that package to its patched version.
  • Worth fixing GHSA-h8w8-99g7-qmvj Concurrent Ruby : `AtomicReference#update` livelocks when the stored value is `Float::NAN`
    /workdirs/scan-ffd2181a-5b1c-45ed-aba2-850a87d5062b/Gemfile.lock
    A package you depend on has a known security hole (CVE-2026-54904). Fix: Update that package to its patched version.
  • Worth fixing GHSA-2rxp-v6pw-ch6m REXML ReDoS vulnerability
    /workdirs/scan-ffd2181a-5b1c-45ed-aba2-850a87d5062b/Gemfile.lock
    A package you depend on has a known security hole (CVE-2024-49761). Fix: Update that package to its patched version.
  • Worth fixing GHSA-4xqq-m2hx-25v8 REXML denial of service vulnerability
    /workdirs/scan-ffd2181a-5b1c-45ed-aba2-850a87d5062b/Gemfile.lock
    A package you depend on has a known security hole (CVE-2024-39908). Fix: Update that package to its patched version.
  • Worth fixing GHSA-5866-49gr-22v4 REXML DoS vulnerability
    /workdirs/scan-ffd2181a-5b1c-45ed-aba2-850a87d5062b/Gemfile.lock
    A package you depend on has a known security hole (CVE-2024-41946). Fix: Update that package to its patched version.
  • Worth fixing GHSA-r55c-59qm-vjw6 REXML DoS vulnerability
    /workdirs/scan-ffd2181a-5b1c-45ed-aba2-850a87d5062b/Gemfile.lock
    A package you depend on has a known security hole (CVE-2024-41123). Fix: Update that package to its patched version.
  • Worth fixing GHSA-vg3r-rm7w-2xgh REXML contains a denial of service vulnerability
    /workdirs/scan-ffd2181a-5b1c-45ed-aba2-850a87d5062b/Gemfile.lock
    A package you depend on has a known security hole (CVE-2024-35176). Fix: Update that package to its patched version.
  • Worth fixing GHSA-vmwr-mc7x-5vc3 REXML denial of service vulnerability
    /workdirs/scan-ffd2181a-5b1c-45ed-aba2-850a87d5062b/Gemfile.lock
    A package you depend on has a known security hole (CVE-2024-43398). Fix: Update that package to its patched version.
  • Minor GHSA-6wx8-w4f5-wwcr Concurrent Ruby: ReadWriteLock allows wrong-thread write release and stray read-release counter corruption
    /workdirs/scan-ffd2181a-5b1c-45ed-aba2-850a87d5062b/Gemfile.lock
    A package you depend on has a known security hole (CVE-2026-54906). Fix: Update that package to its patched version.
  • Minor GHSA-wv3x-4vxv-whpp Concurrent Ruby: `ReentrantReadWriteLock` read-count overflow grants a write lock without exclusivity
    /workdirs/scan-ffd2181a-5b1c-45ed-aba2-850a87d5062b/Gemfile.lock
    A package you depend on has a known security hole (CVE-2026-54905). Fix: Update that package to its patched version.

via OSV-Scanner v1.9.2 · Apache-2.0

Risky code patterns — Semgrep none found ✓

Code that can be exploited — injection, hardcoded credentials and similar.

Nothing found by this check. ✓

via Semgrep v1.147.0 · LGPL-2.1

Malicious dependencies — Guarddog couldn’t run

Packages that look intentionally malicious — typosquats, sneaky install scripts.

This check didn’t finish — that’s not the same as “clean.”

via Guarddog v2.10.0 · Apache-2.0

error: npm:Traceback (most recent call last): File "/usr/local/bin/guarddog", line 5, in <module> from guarddog.cli import cl

Project health

A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.

Project health — OpenSSF Scorecard 7 notes

Maintenance & supply-chain hygiene. A signal about the project — not a vulnerability in your code.

  • Minor scorecard-overall OpenSSF Scorecard overall: 4.5/10
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-CII-Best-Practices CII-Best-Practices scored 0: no effort to earn an OpenSSF best practices badge detected
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Dependency-Update-Tool Dependency-Update-Tool scored 0: no update tool detected
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Fuzzing Fuzzing scored 0: project is not fuzzed
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-SAST SAST scored 0: SAST tool is not run on all commits -- score normalized to 0
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Security-Policy Security-Policy scored 0: security policy file not detected
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Signed-Releases Signed-Releases scored 0: Project has not signed or included provenance with any releases.
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.

via OpenSSF Scorecard v5.5.0 · Apache-2.0

About these results. Six open-source checks ran in parallel; every finding is tagged with the tool that produced it. The verdict follows a published rule. False positives and false negatives are normal — a clean scan does not mean the code is secure, and a red verdict does not mean the project is compromised.