MEDIUM

GHSA-2944-57xv-2682

@asymmetric-effort/specifyjs: `data:` URI allowed without size restriction

Details

## Finding

**Location**: `core/src/shared/secure-fetch.ts:33-35`

`data:` URIs were allowed without any restriction. Although a `data:` URI makes no network request, a very large one can be used to exhaust memory.

## Status

**Fixed in v0.2.136** — `data:` URIs are now limited to 1MB. URIs exceeding this limit throw an error.
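
One way to enforce such a limit before any decoding happens, as an added example (not the project's code in `secure-fetch.ts`). The function name `checkDataUriSize`, the constant name, and the choice to measure the decoded payload rather than the raw URI length are assumptions.

```typescript
// Added example: a hypothetical guard, not the code in secure-fetch.ts.
// Assumption: the limit applies to the decoded payload size.
const MAX_DATA_URI_BYTES = 1024 * 1024; // the 1MB limit the advisory states

// Returns the decoded payload size in bytes, computed from the URI text
// without decoding it. Throws if the URI is malformed or over the limit.
function checkDataUriSize(uri: string, maxBytes: number = MAX_DATA_URI_BYTES): number {
  if (!/^data:/i.test(uri)) {
    throw new Error("not a data: URI");
  }
  const comma = uri.indexOf(",");
  if (comma === -1) {
    throw new Error("malformed data: URI: no comma before the payload");
  }
  // Cheap early exit: even fully %XX-escaped text decodes to length / 3 bytes,
  // so anything longer than 3 * maxBytes is over the limit in either encoding.
  if (uri.length - comma - 1 > 3 * maxBytes) {
    throw new Error(`data: URI payload exceeds ${maxBytes} bytes`);
  }
  const header = uri.slice(5, comma); // media type and parameters
  const payload = uri.slice(comma + 1);
  if (/[^\x00-\x7f]/.test(payload)) {
    throw new Error("malformed data: URI: non-ASCII character in payload");
  }
  let decodedBytes: number;
  if (/;base64$/i.test(header)) {
    // Every 4 base64 characters carry 3 bytes; trailing '=' padding carries none.
    let end = payload.length;
    while (end > 0 && payload.charCodeAt(end - 1) === 0x3d) end--;
    decodedBytes = Math.floor((end * 3) / 4);
  } else {
    // Each well-formed %XX escape is 3 characters but decodes to 1 byte.
    const escapes = (payload.match(/%[0-9a-f]{2}/gi) || []).length;
    decodedBytes = payload.length - 2 * escapes;
  }
  if (decodedBytes > maxBytes) {
    throw new Error(`data: URI payload is ${decodedBytes} bytes; limit is ${maxBytes}`);
  }
  return decodedBytes;
}
```

Call the check before handing the URI to anything that decodes or buffers it, so an oversized payload is rejected while it still exists only as the input string.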

Affected packages

npm / @asymmetric-effort/specifyjs
Introduced in: 0
Fixed in: 0.2.136
Fix: `npm install @asymmetric-effort/specifyjs@0.2.136`
