VYPR
research · Published Jul 1, 2026 · 1 source

PhonePe Releases Nika, an Open-Source Tool for Detecting Complex Java Microservice Vulnerabilities

Payments company PhonePe has open-sourced Nika, a Java microservice security tool that uses cross-file taint analysis to uncover complex vulnerabilities missed by single-file scanners.

Payments company PhonePe has released Nika, an open-source tool designed to improve the security of Java microservices by identifying vulnerabilities that evade single-file analysis. The tool addresses a real gap in code scanning by tracing data flow across multiple files and application layers, which is where many exploitable injection paths in layered services actually live.

Many critical security flaws in web applications are not confined to a single file. They emerge from a sequence of events: attacker-controlled input enters through an entry point (a source), passes through data objects and service layers, and becomes dangerous only when it reaches a security-sensitive operation (a sink). Scanners that examine code file by file can miss these multi-file attack paths entirely, because no single file contains both the source and the sink. Nika's core capability is cross-file taint analysis: it tracks potentially malicious input from its origin to the sink it eventually reaches.

The analysis process begins with Nika reading the target repository and constructing an internal representation of the code's structure, control flow, and data flow. It then identifies the sources where untrusted input enters the application and the sinks where security-sensitive operations occur. These sinks include database queries, file operations, template engines, reflection calls, and outbound network requests. By following the connections between sources and sinks across files and functions, Nika determines whether a vulnerable path is actually reachable from an entry point, rather than flagging every sink that merely looks dangerous in isolation.
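To make the source-to-sink tracing concrete, the following Python sketch, added here as an illustration and not taken from Nika's code base, runs a toy interprocedural taint analysis over a constructed three-file Spring-style request path. The class and method names (OrderController, OrderService, OrderRepository), the use of JdbcTemplate.query as the SQL sink, the statement-level IR it consumes and the rule that parameterless methods are entry points are all assumptions of the example. Run with cross_file=False it behaves like a per-file scanner and reports nothing, because the source sits in the controller and the sink in the repository; run with cross_file=True it reports the one path from the @RequestParam to the query and stays silent on the sibling path where the identifier passes through Long.parseLong.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass
class Func:
    file: str            # source file the method lives in
    params: List[str]
    body: List[tuple]    # statements in the toy IR described below


@dataclass
class Finding:
    sink: str          # label of the sensitive operation reached
    path: List[str]    # "file:method" frames from entry point to sink
    args: List[str]    # sink arguments that carried taint


# Toy IR (an assumption for this example, not Nika's internal representation):
#   ("source", dst, label)         untrusted input bound to dst
#   ("assign", dst, src)           dst derived from src; taint propagates
#   ("sanitize", dst, src, label)  dst derived from src via a validator; taint cleared
#   ("call", dst, callee, [args])  dst = callee(args); callee may live in another file
#   ("sink", label, [args])        security-sensitive operation consuming args
#   ("return", src)                value handed back to the caller
# Constructed repository: one request path split over three files; names are made up.
REPO: Dict[str, Func] = {
    "OrderController.search": Func("OrderController.java", [], [
        ("source", "q", "@RequestParam"),
        ("call", "orders", "OrderService.find", ["q"])]),
    "OrderController.get": Func("OrderController.java", [], [
        ("source", "id", "@PathVariable"),
        ("call", "order", "OrderService.findById", ["id"])]),
    "OrderService.find": Func("OrderService.java", ["q"], [
        ("assign", "filter.name", "q"),      # raw query copied into a DTO field
        ("call", "rows", "OrderRepository.byName", ["filter.name"]),
        ("return", "rows")]),
    "OrderService.findById": Func("OrderService.java", ["id"], [
        ("sanitize", "idNum", "id", "Long.parseLong"),  # numeric parse: no injection
        ("call", "row", "OrderRepository.byId", ["idNum"]),
        ("return", "row")]),
    "OrderRepository.byName": Func("OrderRepository.java", ["name"], [
        ("assign", "sql", "name"),           # "... WHERE name = '" + name + "'"
        ("sink", "JdbcTemplate.query", ["sql"])]),
    "OrderRepository.byId": Func("OrderRepository.java", ["id"], [
        ("assign", "sql", "id"),
        ("sink", "JdbcTemplate.query", ["sql"])]),
}


class TaintAnalyzer:
    """Walks from each entry point through calls, carrying taint across files;
    cross_file=False mimics a per-file scanner that cannot follow calls elsewhere."""

    def __init__(self, repo: Dict[str, Func], cross_file: bool = True) -> None:
        self.repo, self.cross_file = repo, cross_file
        self.findings: List[Finding] = []
        self._in_progress: Set[Tuple[str, FrozenSet[str]]] = set()

    def run(self) -> List[Finding]:
        for name, fn in self.repo.items():
            if not fn.params:  # assumption: parameterless methods are HTTP entry points
                self._analyze(name, frozenset(), [])
        return self.findings

    def _analyze(self, name: str, tainted_params: FrozenSet[str], path: List[str]) -> bool:
        """Analyze one method with the given parameters tainted; return whether its
        return value is tainted. Records a Finding for each sink fed by taint."""
        key = (name, tainted_params)
        if key in self._in_progress:  # guard against recursive call chains
            return False
        self._in_progress.add(key)
        fn, tainted, ret_tainted = self.repo[name], set(tainted_params), False
        frame = f"{fn.file}:{name}"
        for stmt in fn.body:
            op = stmt[0]
            if op == "source":
                tainted.add(stmt[1])
            elif op == "assign":
                (tainted.add if stmt[2] in tainted else tainted.discard)(stmt[1])
            elif op == "sanitize":
                tainted.discard(stmt[1])
            elif op == "call":
                _, dst, callee, args = stmt
                callee_fn = self.repo[callee]
                if not self.cross_file and callee_fn.file != fn.file:
                    tainted.discard(dst)  # opaque call: the per-file view loses the path
                    continue
                callee_taint = frozenset(
                    p for p, a in zip(callee_fn.params, args) if a in tainted)
                returned_taint = self._analyze(callee, callee_taint, path + [frame])
                (tainted.add if returned_taint else tainted.discard)(dst)
            elif op == "sink":
                _, label, args = stmt
                hit = [a for a in args if a in tainted]
                if hit:
                    self.findings.append(Finding(label, path + [frame], hit))
            elif op == "return":
                ret_tainted = stmt[1] in tainted
        self._in_progress.discard(key)
        return ret_tainted
```

The Finding.path list is the material a report would render as the source-to-sink trace, one frame per file crossed. The sanitizer case also shows why the quality of such a tool depends as much on its model of sanitizers as on its reachability logic: an unmodelled validator produces a false positive, a validator that is trusted but is not actually sufficient produces a false negative.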

Nika is equipped to detect eleven distinct categories of vulnerabilities. These include common but dangerous flaws such as SQL injection, server-side request forgery (SSRF), path traversal, command injection, code injection, and template injection. It also identifies more complex issues like deserialization flaws, XML external entity (XXE) vulnerabilities, cryptographic failures, and unsafe reflection usage. Furthermore, the tool can detect security-critical call-order violations within sensitive execution flows and validation chains, adding another layer of security assurance.

To refine its findings and reduce false positives, Nika offers an optional AI review step. After the static analysis completes, its findings can be passed to an AI agent for a secondary assessment. This feature is disabled by default and can be configured to point to a hosted large language model, with adjustable parameters for token cost and iteration counts. Teams can therefore use the static engine on its own or add the AI pass when triage time is limited. Because the AI pass only reviews findings the static engine has already produced, it can lower the false-positive rate but cannot recover paths the static analysis missed; recall is set by the static engine.

The tool is specifically tailored for secure code review workflows. Its branch-aware scanning capability enables reviewers to focus Nika's analysis on specific code changes under review. The generated HTML report clearly illustrates the source-to-sink path, highlighting the exact lines of code involved. The report also includes remediation context, providing developers with a starting point for fixing identified vulnerabilities.

To validate its effectiveness, the Nika team benchmarked the tool against the OWASP Java Benchmark project, a dataset of intentionally vulnerable code. The benchmark measures performance in terms of true positives, false positives, and recall, the proportion of existing vulnerabilities the tool successfully identified. The OWASP Benchmark is a synthetic suite, so a strong result there shows the engine handles the benchmark's Java patterns; it does not guarantee the same precision on a production microservice with its own frameworks, sanitizer conventions and custom sinks. While Java is the sole supported language currently, support for additional languages is planned for future releases. Nika is available as a Docker image or a local build, with documentation hosted on its project site and the code freely accessible on GitHub.

Synthesized by Vypr AI