GHSA-4x48-cgf9-q33f: Novu has SSRF via conditions filter webhook bypasses validateUrlSsrf() protection

April 14, 2026

The conditions filter webhook at libs/application-generic/src/usecases/conditions-filter/conditions-filter.usecase.ts line 261 sends POST requests to user-configured URLs using raw axios.post() with no SSRF validation. The HTTP Request workflow step in the same codebase correctly uses validateUrlSsrf() which blocks private IP ranges. The conditions webhook was not included in this protection.

References

github.com/advisories/GHSA-4x48-cgf9-q33f
github.com/novuhq/novu
github.com/novuhq/novu/commit/87d965eb88340ac7cd262dd52c8015acd092dc68
github.com/novuhq/novu/security/advisories/GHSA-4x48-cgf9-q33f

Code Behaviors & Features

Detect and mitigate GHSA-4x48-cgf9-q33f with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →