CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

GHSA-2944-57xv-2682: @asymmetric-effort/specifyjs: `data:` URI allowed without size restriction

medium
Finding Location: core/src/shared/secure-fetch.ts:33-35 data: URIs were allowed without any restriction. While data: URIs don't make network requests, they can be used for memory exhaustion via very large data URIs. Status Fixed in v0.2.136 — data: URIs are now limited to 1MB. URIs exceeding this limit throw an error.

Details

Source
GitHub Security Advisories (INTL · database · site)
Severity
medium
Published
2026-07-02
Last updated
2026-07-02
Exploitation
Not in CISA KEV at last sync

Original advisory: https://github.com/advisories/GHSA-2944-57xv-2682

More from GitHub Security Advisories