unslothai/unsloth

Scanned on Jun 18, 2026

Risk score/ 100

High risk

Summary

The repository contains critical quantum-vulnerable cryptographic implementations in production key exchange infrastructure. RSA-2048 keys are actively used in the backend inference layer for secure communications, making this system vulnerable to future quantum attacks and non-compliant with emerging post-quantum standards. Immediate migration to NIST-approved post-quantum key encapsulation mechanisms is required.

Critical

High

Medium

Low

Top findings

CriticalRSA key ≤ 2048 bits
studio/backend/core/inference/key_exchange.py:36
Raw evidence
```
"""Generate an RSA-2048 key pair. Called once at server startup."""
```
CriticalRSA key ≤ 2048 bits
studio/backend/core/inference/key_exchange.py:48
Raw evidence
```
key_size = 2048,
```

HighDSA

scripts/scan_packages.py:153

ML-DSA (CRYSTALS-Dilithium)

Raw evidence

r"-----BEGIN\s+(?:RSA\s+)?(?:PUBLIC|PRIVATE|ENCRYPTED|EC|DSA|OPENSSH)\s+KEY-----"

HighRSA
studio/backend/core/inference/key_exchange.py:25
ML-KEM (CRYSTALS-Kyber) for key encapsulation
Raw evidence
```
_private_key: rsa.RSAPrivateKey | None = None
```
LowSHA-256 used as password KDF
studio/backend/auth/hashing.py:16
Argon2id or bcrypt
Raw evidence
```
Hash a password using PBKDF2-HMAC-SHA256.
```

Scan your own repository

Free. Results in ~90 seconds. CBOM + DORA/NIS2 PDF included.

Start a free scan