{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/asymmetric-effort/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["@asymmetric-effort/specifyjs (\u003c 0.2.136)"],"_cs_severities":["high"],"_cs_tags":["npm","supply-chain","vulnerability","ssrf","javascript"],"_cs_type":"advisory","_cs_vendors":["asymmetric-effort"],"content_html":"\u003cp\u003eA critical vulnerability, tracked as CVE-2026-50288, has been identified in the \u003ccode\u003e@asymmetric-effort/specifyjs\u003c/code\u003e npm package, specifically affecting versions prior to 0.2.136. This flaw resides within the \u003ccode\u003eassertSecureUrl\u003c/code\u003e function, intended to enforce HTTPS validation for URLs. The vulnerability occurs because the function's \u003ccode\u003ecatch\u003c/code\u003e block for \u003ccode\u003enew URL()\u003c/code\u003e parse errors silently returns without re-throwing the error, effectively bypassing security checks. This oversight allows requests for malformed URLs to proceed without proper HTTPS validation, potentially enabling Server-Side Request Forgery (SSRF) attacks. Defenders should be aware that applications utilizing vulnerable versions of this library are susceptible to requests being directed to unintended or malicious destinations, jeopardizing internal network security and data integrity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies an application that uses the \u003ccode\u003e@asymmetric-effort/specifyjs\u003c/code\u003e library, specifically a vulnerable version (prior to 0.2.136).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a specially malformed URL that will cause \u003ccode\u003enew URL()\u003c/code\u003e to throw a parse error when processed by the \u003ccode\u003eassertSecureUrl\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe attacker sends this crafted URL to the vulnerable application, likely through a user-controlled input field that expects a URL.\u003c/li\u003e\n\u003cli\u003eThe application processes the input URL using the \u003ccode\u003eassertSecureUrl\u003c/code\u003e function for security validation.\u003c/li\u003e\n\u003cli\u003eDuring validation, \u003ccode\u003enew URL()\u003c/code\u003e throws an error due to the malformed input provided by the attacker.\u003c/li\u003e\n\u003cli\u003eInstead of re-throwing the error or blocking the request, the \u003ccode\u003eassertSecureUrl\u003c/code\u003e function's \u003ccode\u003ecatch\u003c/code\u003e block silently returns, indicating success despite the parse failure and lack of HTTPS validation.\u003c/li\u003e\n\u003cli\u003eThe application proceeds to make a request to the unvalidated, and potentially attacker-controlled, internal or external endpoint.\u003c/li\u003e\n\u003cli\u003eThis successful bypass enables Server-Side Request Forgery (SSRF), allowing the attacker to access or manipulate internal resources, conduct port scanning, or exfiltrate sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe primary impact of CVE-2026-50288 is the potential for Server-Side Request Forgery (SSRF) within applications using vulnerable versions of the \u003ccode\u003e@asymmetric-effort/specifyjs\u003c/code\u003e library. Successful exploitation can allow attackers to force the compromised application server to make requests to internal services, retrieve sensitive data from internal systems (e.g., cloud metadata APIs, internal web services), bypass firewalls, or conduct port scanning of the internal network. Depending on the application's privileges and network access, this can lead to data exfiltration, further compromise of internal systems, or unauthorized actions against other resources, significantly impacting the confidentiality and integrity of the organization's data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePrioritize patching CVE-2026-50288 by upgrading \u003ccode\u003e@asymmetric-effort/specifyjs\u003c/code\u003e to version 0.2.136 or higher immediately. Refer to the GitHub Advisory Database reference for CVE-2026-50288.\u003c/li\u003e\n\u003cli\u003eReview your application's dependency tree to identify any instances of \u003ccode\u003e@asymmetric-effort/specifyjs\u003c/code\u003e at versions earlier than 0.2.136 and ensure all affected packages are updated.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T11:47:22Z","date_published":"2026-07-03T11:47:22Z","id":"https://feed.craftedsignal.io/briefs/2026-07-specifyjs-url-parse-failure/","summary":"A high-severity vulnerability, CVE-2026-50288, in the `@asymmetric-effort/specifyjs` npm package (versions prior to 0.2.136) allows for the silent bypass of HTTPS validation by mishandling URL parse errors in the `assertSecureUrl` function, which can lead to Server-Side Request Forgery (SSRF).","title":"@asymmetric-effort/specifyjs: URL Parse Failure Silently Allows Request (CVE-2026-50288)","url":"https://feed.craftedsignal.io/briefs/2026-07-specifyjs-url-parse-failure/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["nogginlessdom (\u003c= 0.0.21)"],"_cs_severities":["high"],"_cs_tags":["path-traversal","supply-chain","ci/cd","npm","vulnerability"],"_cs_type":"advisory","_cs_vendors":["asymmetric-effort"],"content_html":"\u003cp\u003eA critical path traversal vulnerability, tracked as GHSA-322x-v876-g883, has been identified in the \u003ccode\u003ematchFileSnapshot\u003c/code\u003e function within the \u003ccode\u003e@asymmetric-effort/nogginlessdom\u003c/code\u003e JavaScript library, specifically in versions \u003ccode\u003e0.0.21\u003c/code\u003e and earlier. This flaw arises from insufficient validation of the \u003ccode\u003efilePath\u003c/code\u003e parameter when the library operates in snapshot update mode (e.g., \u003ccode\u003eUPDATE_SNAPSHOTS=1\u003c/code\u003e environment variable or \u003ccode\u003esetUpdateMode('all')\u003c/code\u003e). An attacker capable of controlling the \u003ccode\u003efilePath\u003c/code\u003e input during testing can exploit this to write arbitrary content to any location on the filesystem where the process has write permissions. This includes creating new directories and overwriting existing files, posing a significant risk, particularly in CI/CD pipelines where untrusted test inputs from pull requests could lead to supply chain compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts malicious test input that includes a specially constructed \u003ccode\u003efilePath\u003c/code\u003e parameter containing path traversal sequences (e.g., \u003ccode\u003e../../../tmp/evil.txt\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe malicious test input is processed in an environment where the \u003ccode\u003e@asymmetric-effort/nogginlessdom\u003c/code\u003e library is used, and the snapshot update mode is active (\u003ccode\u003eUPDATE_SNAPSHOTS=1\u003c/code\u003e or \u003ccode\u003esetUpdateMode('all')\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003ematchFileSnapshot\u003c/code\u003e function is called with the attacker-controlled \u003ccode\u003efilePath\u003c/code\u003e and arbitrary content.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003efs.existsSync(filePath)\u003c/code\u003e check fails because the path is outside the expected directory, triggering the creation logic.\u003c/li\u003e\n\u003cli\u003eThe library’s \u003ccode\u003efs.mkdirSync(dir, { recursive: true });\u003c/code\u003e function creates intermediate directories specified by the attacker in the malicious \u003ccode\u003efilePath\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003efs.writeFileSync(filePath, serialized, 'utf-8');\u003c/code\u003e function writes attacker-controlled \u003ccode\u003eserialized\u003c/code\u003e content to the arbitrary \u003ccode\u003efilePath\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eIn a CI/CD environment, this allows overwriting critical configuration files (e.g., \u003ccode\u003e/home/runner/.github/workflows/backdoor.yml\u003c/code\u003e), injecting malicious code into build artifacts, or modifying pipeline definitions.\u003c/li\u003e\n\u003cli\u003eThe successful write leads to arbitrary code execution, persistence within the build system, or compromise of distributed software.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe vulnerability allows an attacker to perform arbitrary file writes, creating new directories and overwriting existing files with attacker-controlled content. In CI/CD environments, this is particularly severe as untrusted pull requests could trigger the exploit. Consequences include the complete compromise of build processes, such as overwriting CI configuration files to inject malicious steps, injecting malicious code directly into build artifacts, or modifying source code used in subsequent builds. This directly enables supply chain attacks, potentially affecting all downstream consumers of the compromised software. The specific number of victims is not available, but any organization using vulnerable versions of the library in their CI/CD systems is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade \u003ccode\u003e@asymmetric-effort/nogginlessdom\u003c/code\u003e to version \u003ccode\u003e0.0.22\u003c/code\u003e or later immediately to apply the patch referenced in GHSA-322x-v876-g883.\u003c/li\u003e\n\u003cli\u003eImplement controls to prevent untrusted input from reaching build environments, especially in CI/CD pipelines.\u003c/li\u003e\n\u003cli\u003eReview CI/CD pipeline definitions and build artifacts for unauthorized modifications after applying the patch.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T11:29:03Z","date_published":"2026-07-03T11:29:03Z","id":"https://feed.craftedsignal.io/briefs/2026-07-nogginlessdom-path-traversal/","summary":"A path traversal vulnerability (GHSA-322x-v876-g883) in the `matchFileSnapshot` function of the `@asymmetric-effort/nogginlessdom` library allows an attacker to write arbitrary content to any filesystem path with write access when snapshot update mode is active, potentially leading to supply chain compromise in CI/CD environments.","title":"Path Traversal Vulnerability in @asymmetric-effort/nogginlessdom Allows Arbitrary File Write","url":"https://feed.craftedsignal.io/briefs/2026-07-nogginlessdom-path-traversal/"}],"language":"en","title":"CraftedSignal Threat Feed - Asymmetric-Effort","version":"https://jsonfeed.org/version/1.1"}