From c29c77feff758cb2c8509de2ad280c5195204399 Mon Sep 17 00:00:00 2001
From: orbisai0security
Date: Sat, 7 Feb 2026 08:52:54 +0000
Subject: [PATCH] fix: resolve high vulnerability c.lang.security.insecure-use-strtok-fn.insecure-use-strtok-fn

Automatically generated security fix
---
 deps/libscram/src/scram.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/deps/libscram/src/scram.c b/deps/libscram/src/scram.c
index 68125597d..7262d5909 100644
--- a/deps/libscram/src/scram.c
+++ b/deps/libscram/src/scram.c
@@ -271,15 +271,16 @@ static bool parse_scram_secret(const char *secret, int *iterations, char **salt,
 	s = strdup(secret);
 	if (!s)
 		goto invalid_secret;
-	if ((scheme_str = strtok(s, "$")) == NULL)
+	char *saveptr;
+	if ((scheme_str = strtok_r(s, "$", &saveptr)) == NULL)
 		goto invalid_secret;
-	if ((iterations_str = strtok(NULL, ":")) == NULL)
+	if ((iterations_str = strtok_r(NULL, ":", &saveptr)) == NULL)
 		goto invalid_secret;
-	if ((salt_str = strtok(NULL, "$")) == NULL)
+	if ((salt_str = strtok_r(NULL, "$", &saveptr)) == NULL)
 		goto invalid_secret;
-	if ((storedkey_str = strtok(NULL, ":")) == NULL)
+	if ((storedkey_str = strtok_r(NULL, ":", &saveptr)) == NULL)
 		goto invalid_secret;
-	if ((serverkey_str = strtok(NULL, "")) == NULL)
+	if ((serverkey_str = strtok_r(NULL, "", &saveptr)) == NULL)
 		goto invalid_secret;
 
 	/* Parse the fields */
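Review bot: The new `char *saveptr;` is declared uninitialized in the middle of the statement sequence; it is harmless today because the first `strtok_r` call passes `s` rather than `NULL`, but `char *saveptr = NULL;` placed with the function's other locals makes the state explicit and keeps the sequence safe if the calls are ever reordered. The switch to `strtok_r` fixes only the shared-static-state (reentrancy) problem and keeps strtok's delimiter-collapsing semantics, so a secret with an empty field (e.g. a salt of zero length, which I would hedge as "constructed") would still shift the later fields rather than fail here; whether the field checks after `/* Parse the fields */` catch that is outside the hunk. `strtok_r` is POSIX rather than ISO C, so the build should be confirmed to define the feature-test macro it needs (and MSVC spells it `strtok_s`). The enclosing `parse_scram_secret` both starts and ends outside this hunk.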