Novu has SSRF via conditions filter webhook bypasses validateUrlSsrf() protection
- Severity: High
Description
The conditions filter webhook at libs/application-generic/src/usecases/conditions-filter/conditions-filter.usecase.ts line 261 sends POST requests to user-configured URLs using raw axios.post() with no SSRF validation. The HTTP Request workflow step in the same codebase correctly uses validateUrlSsrf() which blocks private IP ranges.
Recommendation
Update the @novu/api package to the latest compatible version. Version details:
- Affected version(s): < 3.15.0
- Patched version(s): 3.15.0
Related Issues
- Karakeep SDK has SSRF via metascraper-logo-favicon that bypasses validateUrl protections - Vulnerability
- PDFME has SSRF via Unvalidated URL Fetch in `getB64BasePdf` When `basePdf` Is Attacker-Controlled - Vulnerability
- LiquidJS Has Memory Limit Bypass via Quadratic Amplification in `replace` Filter - CVE-2026-34166
- Payload has Authenticated SSRF via Upload Functionality - CVE-2026-34746
- Tags: npm, @novu/api
Last updated on April 14, 2026


