Skip to main content

specifyjs CVE-2026-50288

HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-07-02 https://github.com/asymmetric-effort/specifyjs GHSA-8882-frvv-92w4
Share

Severity by source

vuln.today AI
6.5 MEDIUM

Network-reachable URL input with trivially-crafted malformed value (AV:N/AC:L/PR:N/UI:N); a bypassed HTTPS/SSRF guard yields partial confidentiality and integrity impact (C:L/I:L) but no availability effect.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Lifecycle Timeline

1
Analysis Generated
Jul 02, 2026 - 19:15 vuln.today

DescriptionCVE.org

Finding

Location: core/src/shared/secure-fetch.ts:42-45

When new URL() throws a parse error, the assertSecureUrl function returned without throwing, silently allowing the request to proceed without HTTPS validation.

Status

Fixed in v0.2.136 - The catch block now throws an error instead of silently returning.

AnalysisAI

HTTPS-enforcement bypass in the @asymmetric-effort/specifyjs Node.js library (fixed in v0.2.136) allows the internal assertSecureUrl guard to be defeated: when new URL() throws a parse error, the function returned silently instead of throwing, letting an unvalidated request proceed without the intended HTTPS/SSRF check. Attackers who can influence the URL passed into secure-fetch can supply a malformed value to skip validation, enabling server-side request forgery or protocol downgrade. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Supply malformed URL to app input
Delivery
Value reaches assertSecureUrl guard
Exploit
new URL() throws, guard returns silently
Execution
HTTPS/SSRF check bypassed
Impact
Forged or downgraded request sent

Vulnerability AssessmentAI

Exploitation Exploitation requires that the application passes an attacker-influenced URL into specifyjs's secure-fetch/assertSecureUrl path, and that the attacker can craft that value so new URL() throws a parse error - the specific vulnerable branch at secure-fetch.ts:42-45 that returns instead of throwing. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment No CVSS vector or EPSS score was provided, so quantitative exploitation-probability signals are unavailable and cannot be compared. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An application uses specifyjs secure-fetch to safely retrieve a resource from a URL supplied by an end user, trusting assertSecureUrl to enforce HTTPS. The attacker submits a deliberately malformed URL string that causes new URL() to throw; assertSecureUrl silently returns as if the URL were valid, and the request proceeds without the HTTPS/SSRF guard, enabling a downgrade or forged internal request. …
Remediation Vendor-released patch: v0.2.136 - upgrade the @asymmetric-effort/specifyjs dependency to 0.2.136 or later (npm install @asymmetric-effort/specifyjs@^0.2.136) and rebuild, per advisory GHSA-8882-frvv-92w4 (https://github.com/asymmetric-effort/specifyjs/security/advisories/GHSA-8882-frvv-92w4) and the fix commit 25d1fb491d99479efdf501f5f75e0bb80c908f0a. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all applications and services using @asymmetric-effort/specifyjs and assess risk exposure based on whether they process untrusted URLs. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-50288 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy