specifyjs CVE-2026-50288
HIGHSeverity by source
Network-reachable URL input with trivially-crafted malformed value (AV:N/AC:L/PR:N/UI:N); a bypassed HTTPS/SSRF guard yields partial confidentiality and integrity impact (C:L/I:L) but no availability effect.
Lifecycle Timeline
1DescriptionCVE.org
Finding
Location: core/src/shared/secure-fetch.ts:42-45
When new URL() throws a parse error, the assertSecureUrl function returned without throwing, silently allowing the request to proceed without HTTPS validation.
Status
Fixed in v0.2.136 - The catch block now throws an error instead of silently returning.
AnalysisAI
HTTPS-enforcement bypass in the @asymmetric-effort/specifyjs Node.js library (fixed in v0.2.136) allows the internal assertSecureUrl guard to be defeated: when new URL() throws a parse error, the function returned silently instead of throwing, letting an unvalidated request proceed without the intended HTTPS/SSRF check. Attackers who can influence the URL passed into secure-fetch can supply a malformed value to skip validation, enabling server-side request forgery or protocol downgrade. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the application passes an attacker-influenced URL into specifyjs's secure-fetch/assertSecureUrl path, and that the attacker can craft that value so new URL() throws a parse error - the specific vulnerable branch at secure-fetch.ts:42-45 that returns instead of throwing. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | No CVSS vector or EPSS score was provided, so quantitative exploitation-probability signals are unavailable and cannot be compared. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An application uses specifyjs secure-fetch to safely retrieve a resource from a URL supplied by an end user, trusting assertSecureUrl to enforce HTTPS. The attacker submits a deliberately malformed URL string that causes new URL() to throw; assertSecureUrl silently returns as if the URL were valid, and the request proceeds without the HTTPS/SSRF guard, enabling a downgrade or forged internal request. … |
| Remediation | Vendor-released patch: v0.2.136 - upgrade the @asymmetric-effort/specifyjs dependency to 0.2.136 or later (npm install @asymmetric-effort/specifyjs@^0.2.136) and rebuild, per advisory GHSA-8882-frvv-92w4 (https://github.com/asymmetric-effort/specifyjs/security/advisories/GHSA-8882-frvv-92w4) and the fix commit 25d1fb491d99479efdf501f5f75e0bb80c908f0a. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all applications and services using @asymmetric-effort/specifyjs and assess risk exposure based on whether they process untrusted URLs. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-8882-frvv-92w4