Vulnerability DatabaseGHSA-4x48-cgf9-q33f

GHSA-4x48-cgf9-q33f:
JavaScript vulnerability analysis and mitigation

Summary

The conditions filter webhook at libs/application-generic/src/usecases/conditions-filter/conditions-filter.usecase.ts line 261 sends POST requests to user-configured URLs using raw axios.post() with no SSRF validation. The HTTP Request workflow step in the same codebase correctly uses validateUrlSsrf() which blocks private IP ranges. The conditions webhook was not included in this protection.

Root Cause

conditions-filter.usecase.ts line 261:

return await axios.post(child.webhookUrl, payload, config).then((response) => {
  return response.data as Record<string, unknown>;
});

No call to validateUrlSsrf(). The webhookUrl comes from the workflow condition configuration with zero validation.

Protected Code (for contrast)

execute-http-request-step.usecase.ts line 130:

const ssrfValidationError = await validateUrlSsrf(url);
if (ssrfValidationError) {
  // blocked
}

This function resolves DNS and checks against private ranges (127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16). It exists in the codebase but is not applied to the conditions webhook path.

Proof of Concept

Create a workflow with a condition step
Configure the condition's webhook URL to http://169.254.169.254/latest/meta-data/iam/security-credentials/
Trigger the workflow by sending a notification event
The worker evaluates the condition and calls axios.post() to the metadata endpoint
The response data is stored in execution details and accessible via the execution details API

Impact

Full-read SSRF. The response body is returned as Record<string, unknown> for condition evaluation and stored in the execution details raw field. The GET /execution-details API returns this data. The POST method limits some metadata endpoints (GCP requires GET, Azure requires GET), but AWS IMDSv1 accepts POST and returns credentials. Internal services accepting POST are also reachable.

Suggested Fix

Extract validateUrlSsrf() to a shared utility and call it before the axios.post in conditions-filter.usecase.ts:

const ssrfError = await validateUrlSsrf(child.webhookUrl);
if (ssrfError) {
  throw new Error('Webhook URL blocked by SSRF protection');
}
return await axios.post(child.webhookUrl, payload, config)...

Source: NVD

Related JavaScript vulnerabilities:

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
GHSA-9pp3-53p2-ww9v	CRITICAL	9.1	JavaScript	@vendure/core	No	Yes	Apr 14, 2026
CVE-2026-39884	HIGH	8.3	JavaScript	mcp-server-kubernetes	No	Yes	Apr 14, 2026
GHSA-26wg-9xf2-q495	HIGH	8.1	JavaScript	novu/api	No	Yes	Apr 14, 2026
CVE-2026-40255	MEDIUM	6.1	JavaScript	@adonisjs/core	No	Yes	Apr 14, 2026
GHSA-4x48-cgf9-q33f	HIGH	N/A	JavaScript	@novu/api	No	Yes	Apr 14, 2026

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

A threat intelligence database

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."

David EstlickCISO

"Wiz provides a single pane of glass to see what is going on in our cloud environments."

Adam FletcherChief Security Officer

"We know that if Wiz identifies something as critical, it actually is."

Greg PoniatowskiHead of Threat and Vulnerability Management

Get a demo

GHSA-4x48-cgf9-q33f: JavaScript vulnerability analysis and mitigation