<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Asymmetric-Effort - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/asymmetric-effort/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 03 Jul 2026 11:47:22 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/asymmetric-effort/feed.xml" rel="self" type="application/rss+xml"/><item><title>@asymmetric-effort/specifyjs: URL Parse Failure Silently Allows Request (CVE-2026-50288)</title><link>https://feed.craftedsignal.io/briefs/2026-07-specifyjs-url-parse-failure/</link><pubDate>Fri, 03 Jul 2026 11:47:22 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-specifyjs-url-parse-failure/</guid><description>A high-severity vulnerability, CVE-2026-50288, in the `@asymmetric-effort/specifyjs` npm package (versions prior to 0.2.136) allows for the silent bypass of HTTPS validation by mishandling URL parse errors in the `assertSecureUrl` function, which can lead to Server-Side Request Forgery (SSRF).</description><content:encoded><![CDATA[<p>A critical vulnerability, tracked as CVE-2026-50288, has been identified in the <code>@asymmetric-effort/specifyjs</code> npm package, specifically affecting versions prior to 0.2.136. This flaw resides within the <code>assertSecureUrl</code> function, intended to enforce HTTPS validation for URLs. The vulnerability occurs because the function's <code>catch</code> block for <code>new URL()</code> parse errors silently returns without re-throwing the error, effectively bypassing security checks. This oversight allows requests for malformed URLs to proceed without proper HTTPS validation, potentially enabling Server-Side Request Forgery (SSRF) attacks. Defenders should be aware that applications utilizing vulnerable versions of this library are susceptible to requests being directed to unintended or malicious destinations, jeopardizing internal network security and data integrity.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker identifies an application that uses the <code>@asymmetric-effort/specifyjs</code> library, specifically a vulnerable version (prior to 0.2.136).</li>
<li>The attacker crafts a specially malformed URL that will cause <code>new URL()</code> to throw a parse error when processed by the <code>assertSecureUrl</code> function.</li>
<li>The attacker sends this crafted URL to the vulnerable application, likely through a user-controlled input field that expects a URL.</li>
<li>The application processes the input URL using the <code>assertSecureUrl</code> function for security validation.</li>
<li>During validation, <code>new URL()</code> throws an error due to the malformed input provided by the attacker.</li>
<li>Instead of re-throwing the error or blocking the request, the <code>assertSecureUrl</code> function's <code>catch</code> block silently returns, indicating success despite the parse failure and lack of HTTPS validation.</li>
<li>The application proceeds to make a request to the unvalidated, and potentially attacker-controlled, internal or external endpoint.</li>
<li>This successful bypass enables Server-Side Request Forgery (SSRF), allowing the attacker to access or manipulate internal resources, conduct port scanning, or exfiltrate sensitive data.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The primary impact of CVE-2026-50288 is the potential for Server-Side Request Forgery (SSRF) within applications using vulnerable versions of the <code>@asymmetric-effort/specifyjs</code> library. Successful exploitation can allow attackers to force the compromised application server to make requests to internal services, retrieve sensitive data from internal systems (e.g., cloud metadata APIs, internal web services), bypass firewalls, or conduct port scanning of the internal network. Depending on the application's privileges and network access, this can lead to data exfiltration, further compromise of internal systems, or unauthorized actions against other resources, significantly impacting the confidentiality and integrity of the organization's data.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Prioritize patching CVE-2026-50288 by upgrading <code>@asymmetric-effort/specifyjs</code> to version 0.2.136 or higher immediately. Refer to the GitHub Advisory Database reference for CVE-2026-50288.</li>
<li>Review your application's dependency tree to identify any instances of <code>@asymmetric-effort/specifyjs</code> at versions earlier than 0.2.136 and ensure all affected packages are updated.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>npm</category><category>supply-chain</category><category>vulnerability</category><category>ssrf</category><category>javascript</category></item><item><title>Path Traversal Vulnerability in @asymmetric-effort/nogginlessdom Allows Arbitrary File Write</title><link>https://feed.craftedsignal.io/briefs/2026-07-nogginlessdom-path-traversal/</link><pubDate>Fri, 03 Jul 2026 11:29:03 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-nogginlessdom-path-traversal/</guid><description>A path traversal vulnerability (GHSA-322x-v876-g883) in the `matchFileSnapshot` function of the `@asymmetric-effort/nogginlessdom` library allows an attacker to write arbitrary content to any filesystem path with write access when snapshot update mode is active, potentially leading to supply chain compromise in CI/CD environments.</description><content:encoded><![CDATA[<p>A critical path traversal vulnerability, tracked as GHSA-322x-v876-g883, has been identified in the <code>matchFileSnapshot</code> function within the <code>@asymmetric-effort/nogginlessdom</code> JavaScript library, specifically in versions <code>0.0.21</code> and earlier. This flaw arises from insufficient validation of the <code>filePath</code> parameter when the library operates in snapshot update mode (e.g., <code>UPDATE_SNAPSHOTS=1</code> environment variable or <code>setUpdateMode('all')</code>). An attacker capable of controlling the <code>filePath</code> input during testing can exploit this to write arbitrary content to any location on the filesystem where the process has write permissions. This includes creating new directories and overwriting existing files, posing a significant risk, particularly in CI/CD pipelines where untrusted test inputs from pull requests could lead to supply chain compromise.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker crafts malicious test input that includes a specially constructed <code>filePath</code> parameter containing path traversal sequences (e.g., <code>../../../tmp/evil.txt</code>).</li>
<li>The malicious test input is processed in an environment where the <code>@asymmetric-effort/nogginlessdom</code> library is used, and the snapshot update mode is active (<code>UPDATE_SNAPSHOTS=1</code> or <code>setUpdateMode('all')</code>).</li>
<li>The vulnerable <code>matchFileSnapshot</code> function is called with the attacker-controlled <code>filePath</code> and arbitrary content.</li>
<li>The <code>fs.existsSync(filePath)</code> check fails because the path is outside the expected directory, triggering the creation logic.</li>
<li>The library’s <code>fs.mkdirSync(dir, { recursive: true });</code> function creates intermediate directories specified by the attacker in the malicious <code>filePath</code>.</li>
<li>The <code>fs.writeFileSync(filePath, serialized, 'utf-8');</code> function writes attacker-controlled <code>serialized</code> content to the arbitrary <code>filePath</code>.</li>
<li>In a CI/CD environment, this allows overwriting critical configuration files (e.g., <code>/home/runner/.github/workflows/backdoor.yml</code>), injecting malicious code into build artifacts, or modifying pipeline definitions.</li>
<li>The successful write leads to arbitrary code execution, persistence within the build system, or compromise of distributed software.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The vulnerability allows an attacker to perform arbitrary file writes, creating new directories and overwriting existing files with attacker-controlled content. In CI/CD environments, this is particularly severe as untrusted pull requests could trigger the exploit. Consequences include the complete compromise of build processes, such as overwriting CI configuration files to inject malicious steps, injecting malicious code directly into build artifacts, or modifying source code used in subsequent builds. This directly enables supply chain attacks, potentially affecting all downstream consumers of the compromised software. The specific number of victims is not available, but any organization using vulnerable versions of the library in their CI/CD systems is at risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade <code>@asymmetric-effort/nogginlessdom</code> to version <code>0.0.22</code> or later immediately to apply the patch referenced in GHSA-322x-v876-g883.</li>
<li>Implement controls to prevent untrusted input from reaching build environments, especially in CI/CD pipelines.</li>
<li>Review CI/CD pipeline definitions and build artifacts for unauthorized modifications after applying the patch.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>path-traversal</category><category>supply-chain</category><category>ci/cd</category><category>npm</category><category>vulnerability</category></item></channel></rss>