{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/@asymmetric-effort/specifyjs--0.2.136/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["@asymmetric-effort/specifyjs (\u003c 0.2.136)"],"_cs_severities":["high"],"_cs_tags":["npm","supply-chain","vulnerability","ssrf","javascript"],"_cs_type":"advisory","_cs_vendors":["asymmetric-effort"],"content_html":"\u003cp\u003eA critical vulnerability, tracked as CVE-2026-50288, has been identified in the \u003ccode\u003e@asymmetric-effort/specifyjs\u003c/code\u003e npm package, specifically affecting versions prior to 0.2.136. This flaw resides within the \u003ccode\u003eassertSecureUrl\u003c/code\u003e function, intended to enforce HTTPS validation for URLs. The vulnerability occurs because the function's \u003ccode\u003ecatch\u003c/code\u003e block for \u003ccode\u003enew URL()\u003c/code\u003e parse errors silently returns without re-throwing the error, effectively bypassing security checks. This oversight allows requests for malformed URLs to proceed without proper HTTPS validation, potentially enabling Server-Side Request Forgery (SSRF) attacks. Defenders should be aware that applications utilizing vulnerable versions of this library are susceptible to requests being directed to unintended or malicious destinations, jeopardizing internal network security and data integrity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies an application that uses the \u003ccode\u003e@asymmetric-effort/specifyjs\u003c/code\u003e library, specifically a vulnerable version (prior to 0.2.136).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a specially malformed URL that will cause \u003ccode\u003enew URL()\u003c/code\u003e to throw a parse error when processed by the \u003ccode\u003eassertSecureUrl\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe attacker sends this crafted URL to the vulnerable application, likely through a user-controlled input field that expects a URL.\u003c/li\u003e\n\u003cli\u003eThe application processes the input URL using the \u003ccode\u003eassertSecureUrl\u003c/code\u003e function for security validation.\u003c/li\u003e\n\u003cli\u003eDuring validation, \u003ccode\u003enew URL()\u003c/code\u003e throws an error due to the malformed input provided by the attacker.\u003c/li\u003e\n\u003cli\u003eInstead of re-throwing the error or blocking the request, the \u003ccode\u003eassertSecureUrl\u003c/code\u003e function's \u003ccode\u003ecatch\u003c/code\u003e block silently returns, indicating success despite the parse failure and lack of HTTPS validation.\u003c/li\u003e\n\u003cli\u003eThe application proceeds to make a request to the unvalidated, and potentially attacker-controlled, internal or external endpoint.\u003c/li\u003e\n\u003cli\u003eThis successful bypass enables Server-Side Request Forgery (SSRF), allowing the attacker to access or manipulate internal resources, conduct port scanning, or exfiltrate sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe primary impact of CVE-2026-50288 is the potential for Server-Side Request Forgery (SSRF) within applications using vulnerable versions of the \u003ccode\u003e@asymmetric-effort/specifyjs\u003c/code\u003e library. Successful exploitation can allow attackers to force the compromised application server to make requests to internal services, retrieve sensitive data from internal systems (e.g., cloud metadata APIs, internal web services), bypass firewalls, or conduct port scanning of the internal network. Depending on the application's privileges and network access, this can lead to data exfiltration, further compromise of internal systems, or unauthorized actions against other resources, significantly impacting the confidentiality and integrity of the organization's data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePrioritize patching CVE-2026-50288 by upgrading \u003ccode\u003e@asymmetric-effort/specifyjs\u003c/code\u003e to version 0.2.136 or higher immediately. Refer to the GitHub Advisory Database reference for CVE-2026-50288.\u003c/li\u003e\n\u003cli\u003eReview your application's dependency tree to identify any instances of \u003ccode\u003e@asymmetric-effort/specifyjs\u003c/code\u003e at versions earlier than 0.2.136 and ensure all affected packages are updated.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T11:47:22Z","date_published":"2026-07-03T11:47:22Z","id":"https://feed.craftedsignal.io/briefs/2026-07-specifyjs-url-parse-failure/","summary":"A high-severity vulnerability, CVE-2026-50288, in the `@asymmetric-effort/specifyjs` npm package (versions prior to 0.2.136) allows for the silent bypass of HTTPS validation by mishandling URL parse errors in the `assertSecureUrl` function, which can lead to Server-Side Request Forgery (SSRF).","title":"@asymmetric-effort/specifyjs: URL Parse Failure Silently Allows Request (CVE-2026-50288)","url":"https://feed.craftedsignal.io/briefs/2026-07-specifyjs-url-parse-failure/"}],"language":"en","title":"CraftedSignal Threat Feed - @Asymmetric-Effort/Specifyjs (\u003c 0.2.136)","version":"https://jsonfeed.org/version/1.1"}