HIGH

GHSA-8882-frvv-92w4

@asymmetric-effort/specifyjs: URL parse failure silently allows request

Details

## Finding

**Location**: `core/src/shared/secure-fetch.ts:42-45`

When `new URL()` throws a parse error, the `assertSecureUrl` function returned without throwing, silently allowing the request to proceed without HTTPS validation.

## Status

**Fixed in v0.2.136** — The catch block now throws an error instead of silently returning.
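
The fail-open pattern described in the finding, next to a fail-closed version. This is an added example, not the package's own source: the function names `assertSecureUrlFailOpen`, `assertSecureUrlFailClosed` and `allows`, the error messages and the sample inputs are assumptions constructed for illustration.

```typescript
// Added illustration; not the code from core/src/shared/secure-fetch.ts.
// All function names, messages and inputs here are hypothetical.

// Fail-open shape described in the finding: a parse error ends the check early.
function assertSecureUrlFailOpen(input: string): void {
  let parsed: URL;
  try {
    parsed = new URL(input);
  } catch {
    return; // BUG: unparseable input is treated as if it had passed validation
  }
  if (parsed.protocol !== "https:") {
    throw new Error(`insecure URL scheme: ${parsed.protocol}`);
  }
}

// Fail-closed shape described in the fix: a parse error is itself a rejection.
function assertSecureUrlFailClosed(input: string): void {
  let parsed: URL;
  try {
    parsed = new URL(input);
  } catch {
    throw new Error("URL could not be parsed; refusing request");
  }
  if (parsed.protocol !== "https:") {
    throw new Error(`insecure URL scheme: ${parsed.protocol}`);
  }
}

// Returns true when the given check lets the input through.
function allows(check: (u: string) => void, input: string): boolean {
  try {
    check(input);
    return true;
  } catch {
    return false;
  }
}

// Constructed sample inputs: valid HTTPS, plain HTTP, and two strings
// that new URL() cannot parse without a base.
const samples = ["https://example.com/api", "http://example.com/api", "example.com/api", "not a url"];
for (const s of samples) {
  console.log(JSON.stringify(s), "fail-open:", allows(assertSecureUrlFailOpen, s),
    "fail-closed:", allows(assertSecureUrlFailClosed, s));
}
```

Both versions reject `http://`; only the fail-closed version also rejects the two inputs that never reach the scheme check.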

Affected packages

npm / @asymmetric-effort/specifyjs
Introduced in: 0
Fixed in: 0.2.136
Fix: `npm install @asymmetric-effort/specifyjs@0.2.136`

References