Privacy
No user data collected. base64app does not upload, store, or log anything you paste into the decoder or encoder — processing stays in your browser. Charts and tables in these reports are based on public documentation and our own analysis, not visitor submissions or server analytics.
Key findings
- Critical: Treating base64 as encryption — it provides zero confidentiality.
- High: Decoding untrusted base64 without size limits enables memory exhaustion (multi-MB JSON fields).
- High: Decoding only the payload segment of a JWT and skipping signature verification.
- Medium: Serving user-supplied decoded SVG/PDF without sanitization or CSP.
- Medium: Logging decoded secrets that were base64-wrapped, not encrypted.
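
The two High findings above (unbounded decoding and unverified JWT payloads) can be addressed in one code path. The following is an added example, not code from base64app: it assumes HS256 with a shared key, and the 4096-byte cap, the function names and the sample token builder are constructed for illustration.

```python
import base64
import binascii
import hashlib
import hmac
import json

MAX_DECODED = 4096  # assumed cap; size it to your largest legitimate field

def b64url_bounded(text, limit=MAX_DECODED):
    """Decode unpadded base64url, rejecting oversized input before decoding."""
    # n encoded characters yield at most 3*n//4 bytes, so the check needs no allocation.
    if len(text) * 3 // 4 > limit:
        raise ValueError("encoded field exceeds size limit")
    padded = text + "=" * (-len(text) % 4)
    try:
        return base64.b64decode(padded, altchars=b"-_", validate=True)
    except binascii.Error as exc:
        raise ValueError("malformed base64url") from exc

def verify_hs256(token, key):
    """Return the claims only after the HMAC-SHA256 signature has been checked."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three JWT segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_bounded(header_b64))
    # Pin the algorithm on the verifier side; the token must not choose it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_bounded(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_bounded(payload_b64))

def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_token(claims, key):
    """Build a constructed sample token so the example runs offline."""
    head = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    signing_input = head + "." + b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)
```

The payload segment is parsed only on the last line of `verify_hs256`, after the signature comparison, so a swapped payload is rejected without ever being treated as claims.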
