HIGH
GHSA-8882-frvv-92w4
@asymmetric-effort/specifyjs: URL parse failure silently allows request
Details
## Finding
**Location**: `core/src/shared/secure-fetch.ts:42-45`
When `new URL()` threw a parse error, the `assertSecureUrl` function returned without throwing, so the request proceeded without HTTPS validation.
## Status
**Fixed in v0.2.136** — The catch block now throws an error instead of silently returning.
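
The fail-open pattern from the Finding beside the fail-closed behaviour described in the Status, as an added example that is not the package's source. The function names `assertSecureUrlFailOpen`, `assertSecureUrlFailClosed`, `allows` and `compare`, the `https:` scheme check and the sample inputs are assumptions made for illustration.

```typescript
// Added illustration: hypothetical names, not the package's source.
// Assumption: "HTTPS validation" means requiring the https: scheme.
type Guard = (raw: string) => void;

// Fail-open: a parse error is swallowed, so the function returns
// as if the input had passed the HTTPS check.
function assertSecureUrlFailOpen(raw: string): void {
  let parsed: URL;
  try {
    parsed = new URL(raw);
  } catch {
    return; // defect: unparseable input is treated as acceptable
  }
  if (parsed.protocol !== "https:") {
    throw new Error(`insecure URL rejected: ${parsed.protocol}`);
  }
}

// Fail-closed: anything that cannot be parsed is refused outright.
function assertSecureUrlFailClosed(raw: string): void {
  let parsed: URL;
  try {
    parsed = new URL(raw);
  } catch {
    throw new Error("URL could not be parsed; request refused");
  }
  if (parsed.protocol !== "https:") {
    throw new Error(`insecure URL rejected: ${parsed.protocol}`);
  }
}

// True when the guard returns normally, false when it throws.
function allows(guard: Guard, raw: string): boolean {
  try {
    guard(raw);
    return true;
  } catch {
    return false;
  }
}

// Constructed sample inputs: one valid HTTPS URL, one HTTP URL,
// and two strings that new URL() cannot parse without a base.
const SAMPLES = ["https://example.com/api", "http://example.com/api", "example.com/api", ""];

function compare() {
  return SAMPLES.map((input) => ({ input, failOpen: allows(assertSecureUrlFailOpen, input), failClosed: allows(assertSecureUrlFailClosed, input) }));
}

console.table(compare());
```

The two guards agree on parseable input and differ only on the strings that make `new URL()` throw, which is the case a regression test for this fix needs to cover.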
Affected packages
npm / @asymmetric-effort/specifyjs
Introduced in: 0
Fixed in: 0.2.136
Fix
`npm install @asymmetric-effort/specifyjs@0.2.136`
References
- https://github.com/asymmetric-effort/specifyjs/security/advisories/GHSA-8882-frvv-92w4 [WEB]
- https://github.com/asymmetric-effort/specifyjs/commit/25d1fb491d99479efdf501f5f75e0bb80c908f0a [WEB]
- https://github.com/asymmetric-effort/specifyjs [PACKAGE]
- https://github.com/asymmetric-effort/specifyjs/releases/tag/v0.2.136 [WEB]