
CVE

GHSA-4x48-cgf9-q33f

Novu has SSRF via conditions filter webhook bypasses validateUrlSsrf() protection

Summary

The conditions filter webhook at libs/application-generic/src/usecases/conditions-filter/conditions-filter.usecase.ts line 261 sends POST requests to user-configured URLs using a raw axios.post() call with no SSRF validation. The HTTP Request workflow step in the same codebase correctly calls validateUrlSsrf(), which blocks private IP ranges. The conditions webhook path was never wired into that protection.

Root Cause

conditions-filter.usecase.ts line 261:

// child.webhookUrl is taken straight from the workflow condition configuration;
// no validateUrlSsrf() call precedes the request
return await axios.post(child.webhookUrl, payload, config).then((response) => {
  return response.data as Record<string, unknown>;
});

No call to validateUrlSsrf(). The webhookUrl comes from the workflow condition configuration with zero validation.

Protected Code (for contrast)

execute-http-request-step.usecase.ts line 130:

// validateUrlSsrf() returns an error value when the URL must not be fetched
const ssrfValidationError = await validateUrlSsrf(url);
if (ssrfValidationError) {
  // blocked: the request is never sent
}

This function resolves the hostname via DNS and checks the resulting addresses against private and link-local ranges (127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16). It already exists in the codebase but is not applied on the conditions webhook path.

Proof of Concept

  1. Create a workflow with a condition step
  2. Configure the condition's webhook URL to http://169.254.169.254/latest/meta-data/iam/security-credentials/
  3. Trigger the workflow by sending a notification event
  4. The worker evaluates the condition and calls axios.post() to the metadata endpoint
  5. The response data is stored in execution details and accessible via the execution details API

Impact

Full-read SSRF. The response body is returned as Record<string, unknown> for condition evaluation and is also stored in the execution details raw field, which the GET /execution-details API returns to the caller.

Because the request is always a POST, some cloud metadata endpoints are out of reach (GCP and Azure require GET), but AWS IMDSv1 accepts POST and returns credentials. Internal services that accept POST are likewise reachable.

Suggested Fix

Extract validateUrlSsrf() to a shared utility and call it before the axios.post in conditions-filter.usecase.ts:

// reuse the same check the HTTP Request step already applies
const ssrfError = await validateUrlSsrf(child.webhookUrl);
if (ssrfError) {
  throw new Error('Webhook URL blocked by SSRF protection');
}
// only reached when the URL resolved to a public address
return await axios.post(child.webhookUrl, payload, config)...
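The following is an added example, not Novu's code, of what the validateUrlSsrf()-style check described under "Protected Code" does and how the guarded call in the suggested fix uses it. It parses the URL, resolves the host, rejects any address in the blocked ranges, and only then hands the request to the HTTP client. The DNS resolver and the HTTP client are injected (the constructed fakeResolve/fakePost fixtures stand in for dns.promises.lookup and axios.post), so the example runs offline; the exact range list, the IPv6 handling and the function names other than validateUrlSsrf are assumptions.

```javascript
// Added example (not Novu's code): a validateUrlSsrf()-style check and the
// guarded webhook call from the advisory's suggested fix. Resolver and HTTP
// client are injected so this runs offline.

// Ranges the advisory says validateUrlSsrf() blocks, plus 0.0.0.0/8 and some
// IPv6 equivalents (assumption: the real function's list may differ).
const BLOCKED_V4 = [
  ["127.0.0.0", 8], ["10.0.0.0", 8], ["172.16.0.0", 12],
  ["192.168.0.0", 16], ["169.254.0.0", 16], ["0.0.0.0", 8],
];

// Strict dotted-decimal IPv4 (no leading zeros, no shorthand).
const IPV4_RE = /^(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}$/;

function ipv4ToInt(ip) {
  return ip.split(".").reduce((acc, oct) => acc * 256 + Number(oct), 0);
}

function inCidrV4(ip, base, bits) {
  // Compare the top `bits` bits by integer division; 2**(32-bits) is exact.
  const block = 2 ** (32 - bits);
  return Math.floor(ipv4ToInt(ip) / block) === Math.floor(ipv4ToInt(base) / block);
}

function isBlockedAddress(addr) {
  const ip = addr.toLowerCase();
  if (IPV4_RE.test(ip)) {
    return BLOCKED_V4.some(([base, bits]) => inCidrV4(ip, base, bits));
  }
  if (ip.includes(":")) {
    // Simplified IPv6 handling: loopback/unspecified, unique-local fc00::/7,
    // link-local fe80::/10, and IPv4-mapped ::ffff:a.b.c.d checked as IPv4.
    if (ip === "::1" || ip === "::") return true;
    if (/^f[cd]/.test(ip) || /^fe[89ab]/.test(ip)) return true;
    const mapped = ip.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/);
    if (mapped) return isBlockedAddress(mapped[1]);
    return false;
  }
  return true; // not an IP literal at all: fail closed
}

// Returns an error string when the URL must not be fetched, else null
// (the shape the advisory describes for validateUrlSsrf()).
async function validateUrlSsrf(url, resolve) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return "invalid URL";
  }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
    return `scheme ${parsed.protocol} not allowed`;
  }
  // WHATWG URL parsing normalizes IPv4 forms such as 2130706433 or 0x7f000001
  // to dotted decimal, so the literal check below sees the canonical host.
  const host = parsed.hostname.replace(/^\[|\]$/g, "");
  const isLiteral = IPV4_RE.test(host) || host.includes(":");
  const addrs = isLiteral ? [host] : await resolve(host);
  if (!addrs || addrs.length === 0) return `could not resolve ${host}`;
  // Every address must be public: a single private record blocks the call.
  for (const a of addrs) {
    if (isBlockedAddress(a)) return `${host} resolves to blocked address ${a}`;
  }
  return null;
}

// The guarded call from the suggested fix. `post` stands in for axios.post and
// `resolve` for a DNS lookup (e.g. dns.promises.lookup with { all: true }).
async function callConditionWebhook(webhookUrl, payload, post, resolve) {
  const ssrfError = await validateUrlSsrf(webhookUrl, resolve);
  if (ssrfError) {
    throw new Error(`Webhook URL blocked by SSRF protection: ${ssrfError}`);
  }
  return await post(webhookUrl, payload);
}

// Constructed offline fixtures: a fake DNS table and a fake HTTP client.
const FAKE_DNS = {
  "hooks.example.com": ["203.0.113.10"],
  "mixed.example.com": ["203.0.113.10", "10.0.0.5"], // one public, one private record
};
const fakeResolve = async (host) => FAKE_DNS[host] || [];
const fakePost = async (url, body) => ({ ok: true, url, echoed: body });

// Usage: resolve first, then post; a private record anywhere in the answer blocks the call.
callConditionWebhook("https://hooks.example.com/notify", { event: "test" }, fakePost, fakeResolve)
  .then((res) => console.log("sent:", res.ok));
callConditionWebhook("https://mixed.example.com/notify", {}, fakePost, fakeResolve)
  .catch((err) => console.log("blocked:", err.message));
```

Two design points matter here. The check runs on every address the resolver returns rather than the first, so a hostname with both a public and a private record is refused; and the URL is checked only after parsing, so the host the check sees is the one the HTTP client would actually connect to. A remaining gap in any resolve-then-connect design is a DNS answer that changes between the check and the request; pinning the client to the validated address closes it.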



References

https://github.com/novuhq/novu/security/advisories/GHSA-4x48-cgf9-q33f
https://github.com/novuhq/novu/commit/87d965eb88340ac7cd262dd52c8015acd092dc68
https://github.com/novuhq/novu

Basic Information

Severity: 0
CVSS Score: 0 (of 10)
Ecosystem: (not listed)
Base CVSS: 0
EPSS Probability: 0%
EPSS Percentile: 0%
Introduced Version: 0
Fix Available: 3.15.0
