Full source code audit of Baileys v7.0.0-rc.9 — network destinations, phone number handling, credential storage, dependency chain

Verdict

The library is clean. Baileys cannot transfer, port, register, or claim a phone number. All network traffic goes exclusively to WhatsApp-owned servers. No third-party analytics, telemetry, or data exfiltration vectors found.

Network Destinations

All connections go to WhatsApp-owned domains only:

One non-WhatsApp URL exists: raw.githubusercontent.com for an opt-in version check function that our code does NOT call.

No axios, got, node-fetch, or any HTTP client libraries. No Sentry, Datadog, Mixpanel, or analytics SDKs.

Phone Number Handling

  • Numbers exist as JIDs (e.g., +504xxx@s.whatsapp.net)
  • Sent ONLY to WhatsApp servers via encrypted WebSocket
  • Written ONLY to /data/auth/{userId}/creds.json
  • NOT sent to any third-party server, analytics endpoint, or external API

Number Transfer Capability: NONE

Exhaustive search found zero code for:

  • Registering or claiming phone numbers
  • Sending SMS/OTP verification codes
  • Initiating number transfers or account migrations
  • SIM swaps or number porting
  • Account takeover

References to “transfer” and “migrate” in the codebase are all about local Signal Protocol session management and WhatsApp’s internal PN-to-LID identifier transition.

Auth Credentials — Critical Finding

Auth files in /data/auth/ are stored as unencrypted plaintext JSON containing all private keys. Anyone with read access can clone the WhatsApp session.

Recommendations:

  1. chmod 700 /data/auth/ — restrict to service user only
  2. Consider encrypting auth files at rest
  3. Monitor for unauthorized access

Dependency Chain

  • 10 direct dependencies, 64 transitive packages
  • Zero known CVEs (npm audit clean)
  • No malicious install scripts
  • No native modules in Baileys or direct deps
  • libsignal is git-sourced from WhiskeySockets org (pure JS, 2,270 lines)

Full Report

See docs/baileys-security-audit.md in the repo for the complete audit with file paths, line numbers, and detailed findings.