GHSA-4x48-cgf9-q33f
Novu has SSRF via conditions filter webhook bypasses validateUrlSsrf() protection
Blast Radius
Weekly download volume for affected packages — a proxy for how broadly this vulnerability is deployed.
@novu/apinpmDescription
Summary
The conditions filter webhook at libs/application-generic/src/usecases/conditions-filter/conditions-filter.usecase.ts line 261 sends POST requests to user-configured URLs using raw axios.post() with no SSRF validation. The HTTP Request workflow step in the same codebase correctly uses validateUrlSsrf() which blocks private IP ranges. The conditions webhook was not included in this protection.
Root Cause
conditions-filter.usecase.ts line 261:
return await axios.post(child.webhookUrl, payload, config).then((response) => {
return response.data as Record<string, unknown>;
});
No call to validateUrlSsrf(). The webhookUrl comes from the workflow condition configuration with zero validation.
Protected Code (for contrast)
execute-http-request-step.usecase.ts line 130:
const ssrfValidationError = await validateUrlSsrf(url);
if (ssrfValidationError) {
// blocked
}
This function resolves DNS and checks against private ranges (127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16). It exists in the codebase but is not applied to the conditions webhook path.
Proof of Concept
- Create a workflow with a condition step
- Configure the condition's webhook URL to
http://169.254.169.254/latest/meta-data/iam/security-credentials/ - Trigger the workflow by sending a notification event
- The worker evaluates the condition and calls
axios.post()to the metadata endpoint - The response data is stored in execution details and accessible via the execution details API
Impact
Full-read SSRF. The response body is returned as Record<string, unknown> for condition evaluation and stored in the execution details raw field. The GET /execution-details API returns this data.
The POST method limits some metadata endpoints (GCP requires GET, Azure requires GET), but AWS IMDSv1 accepts POST and returns credentials. Internal services accepting POST are also reachable.
Suggested Fix
Extract validateUrlSsrf() to a shared utility and call it before the axios.post in conditions-filter.usecase.ts:
const ssrfError = await validateUrlSsrf(child.webhookUrl);
if (ssrfError) {
throw new Error('Webhook URL blocked by SSRF protection');
}
return await axios.post(child.webhookUrl, payload, config)...
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 📦npm | @novu/api | all versions | 3.15.0 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for @novu/api. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update @novu/api to 3.15.0 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-4x48-cgf9-q33f is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-4x48-cgf9-q33f is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-4x48-cgf9-q33f. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-4x48-cgf9-q33f in your dependencies?
O3 detects GHSA-4x48-cgf9-q33f across npm dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.