@asymmetric-effort/specifyjs: No redirect target validation in secureFetch
Moderate severity
GitHub Reviewed
Published
May 29, 2026
in
asymmetric-effort/specifyjs
•
Updated Jul 2, 2026
Description
Published to the GitHub Advisory Database
Jul 2, 2026
Reviewed
Jul 2, 2026
Last updated
Jul 2, 2026
Finding
Location:
core/src/shared/secure-fetch.tsassertSecureUrlvalidated only the initial request URL. Thefetch()API follows redirects by default (up to 20 hops). A request to a validhttps://URL could redirect tohttp://internal-service/or other unvalidated destinations.Status
Fixed in v0.2.136 —
secureFetchnow defaults toredirect: 'error'which rejects any redirect. Callers can override with{ redirect: 'follow' }if they trust the target.References