
Fedify CVE-2026-50131

EUVD-2026-36132 · HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
Published 2026-06-10 · GitHub_M
CVSS 3.1 base score 8.6 · Vendor: GitHub_M

Severity by source

Vendor (GitHub_M), primary: 8.6 HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

vuln.today AI: 8.6 HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Rationale: Federation fetches happen automatically over the network with no authentication or user interaction (AV:N/AC:L/PR:N/UI:N); SSRF to internal services typically reads sensitive data (C:H) with limited write and availability impact (I:L/A:L).

Primary rating from Vendor (GitHub_M).

CVSS Vector (Vendor: GitHub_M)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: Low
Availability: Low

Lifecycle Timeline

Patch available: Jun 10, 2026 - 22:01 (EUVD)
Analysis Generated: Jun 10, 2026 - 21:18 (vuln.today)
CVE Published: Jun 10, 2026 - 20:27 (cve.org)

Description (CVE.org)

Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Fedify previously addressed SSRF/internal network access in GHSA-p9cg-vqcc-grcx by adding public URL validation before runtime document and media fetching. However, the IPv4 validation logic present starting in version 0.11.2 and prior to versions 1.9.12, 1.10.11, 2.0.19, 2.1.15, and 2.2.4 appears incomplete. The validatePublicUrl() protection relies on isValidPublicIPv4Address() to reject non-public IPv4 destinations. The function blocks common private and local ranges such as 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, and 192.168.0.0/16, but it still treats several special-use, reserved, multicast, benchmarking, and carrier-grade NAT IPv4 ranges as valid public destinations. Because this validation is used as an SSRF defense before outbound fetches, this appears to be an incomplete mitigation or bypass class for the previous SSRF issue. Versions 1.9.12, 1.10.11, 2.0.19, 2.1.15, and 2.2.4 contain an updated patch.

Analysis (AI)

Server-Side Request Forgery in the Fedify ActivityPub library (versions 0.11.2 through 2.2.3, with branch-specific cutoffs) allows remote attackers to coerce outbound fetches to non-public IPv4 destinations because the isValidPublicIPv4Address() check rejects only a short deny-list of private and local ranges and misses several reserved, multicast, benchmarking, and CGNAT ranges. This is an incomplete-fix bypass of the SSRF mitigation originally tracked as GHSA-p9cg-vqcc-grcx; at time of analysis no public exploit had been identified, though the affected logic and the patch diff are public in the GHSA-xw9q-2mv6-9fr8 advisory. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

Access: Identify a federated Fedify instance
Delivery: Host a malicious ActivityPub actor with a crafted URL
Exploit: Trigger the victim's fetch via federation delivery
Execution: The URL resolves to an IP in a missed reserved or CGNAT range
Persist: Fedify performs the SSRF request to the internal target
Impact: Exfiltrate the response or trigger an internal action

Vulnerability Assessment (AI)

Exploitation The target must be running Fedify (or `vocab-runtime`) at version 0.11.2 or later but below the patched 1.9.12 / 1.10.11 / 2.0.19 / 2.1.15 / 2.2.4 release on its branch, with federation enabled so that runtime document and media fetching via `validatePublicUrl()` is exercised - this is the default deployment mode. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor (GitHub_M) CVSS:3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L (8.6) is consistent with an SSRF reachable over the network with no authentication and no user interaction, against any Fedify instance willing to dereference a federated URL - which is the default mode of operation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker stands up a malicious ActivityPub actor or object on a server they control, then triggers the victim Fedify instance to dereference it (for example via a follow, mention, or inbox delivery). The actor document or an embedded attachment URL resolves via DNS to an address in one of the ranges the pre-patch check still accepted, such as 100.64.0.0/10 (carrier-grade NAT, also used for internal addressing in some cloud and container networks), 198.18.0.0/15 (benchmarking), or 224.0.0.0/4 (multicast), causing Fedify's outbound HTTP client to fetch the internal resource and surface its contents or side effects back through the federation layer. Note that the link-local range 169.254.0.0/16, where cloud metadata endpoints usually live, was already rejected by the pre-patch check, so this bypass does not by itself reach those endpoints. …
Remediation Vendor-released patch: upgrade to Fedify 1.9.12, 1.10.11, 2.0.19, 2.1.15, or 2.2.4 on the matching release branch as documented in https://github.com/fedify-dev/fedify/security/advisories/GHSA-xw9q-2mv6-9fr8, and update `vocab-runtime` in lockstep. … Detailed patch versions, workarounds, and compensating controls in full report.
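The range gap described in the Description and Analysis sections, and the resolve-to-a-missed-range step in the exploit scenario above, as an added TypeScript example. This is not Fedify's code and does not reproduce its functions: the pre-patch deny-list is the one the advisory quotes, but the advisory names only the categories of missed ranges, so the second table below is the IANA special-purpose registry used as an assumption of what a complete check needs. The hostnames, the zone table and the `isPublicIPv4Literal()` / `checkPublicDestination()` helpers are constructed for this demo.

```typescript
// Added example (not Fedify's code). Two IPv4 deny-lists: the one the advisory
// says the pre-patch check rejected, and a full table from the IANA special-
// purpose registry (RFC 6890 and successors), plus a resolve-then-validate URL
// check of the kind an SSRF defense needs in front of an outbound fetch.

type Cidr = readonly [base: string, prefixBits: number];

// Ranges the advisory says the pre-patch isValidPublicIPv4Address() blocked.
const PRE_PATCH_BLOCKED: readonly Cidr[] = [
  ["10.0.0.0", 8], ["127.0.0.0", 8], ["169.254.0.0", 16],
  ["172.16.0.0", 12], ["192.168.0.0", 16],
];

// Further non-public ranges. The advisory names only the categories (special-use,
// reserved, multicast, benchmarking, CGNAT); which of these it let through is an
// assumption here, not a quote from the patch diff.
const ALSO_NON_PUBLIC: readonly Cidr[] = [
  ["0.0.0.0", 8],        // "this network" (RFC 1122)
  ["100.64.0.0", 10],    // shared address space / carrier-grade NAT (RFC 6598)
  ["192.0.0.0", 24],     // IETF protocol assignments (RFC 6890)
  ["192.0.2.0", 24],     // TEST-NET-1 (RFC 5737)
  ["198.18.0.0", 15],    // benchmarking (RFC 2544)
  ["198.51.100.0", 24],  // TEST-NET-2 (RFC 5737)
  ["203.0.113.0", 24],   // TEST-NET-3 (RFC 5737)
  ["224.0.0.0", 4],      // multicast (RFC 5771)
  ["240.0.0.0", 4],      // reserved (RFC 1112), includes 255.255.255.255
];

const NON_PUBLIC_IPV4: readonly Cidr[] = [...PRE_PATCH_BLOCKED, ...ALSO_NON_PUBLIC];

// Strict dotted-quad parser returning the address as an unsigned 32-bit number,
// or null for anything else (hostnames, IPv6, octets above 255).
function parseIPv4(s: string): number | null {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  let v = 0;
  for (let i = 1; i <= 4; i++) {
    const octet = Number(m[i]);
    if (octet > 255) return null;
    v = (v << 8) | octet;
  }
  return v >>> 0;
}

function inCidr(addr: number, [base, bits]: Cidr): boolean {
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((addr & mask) >>> 0) === ((parseIPv4(base)! & mask) >>> 0);
}

// Fail closed: a string that is not a literal IPv4 address is treated as
// non-public (IPv6 needs its own table and is out of scope for this example).
function isPublicIPv4Literal(addr: string, denyList: readonly Cidr[] = NON_PUBLIC_IPV4): boolean {
  const v = parseIPv4(addr);
  return v !== null && !denyList.some((range) => inCidr(v, range));
}

type Resolver = (hostname: string) => string[];

// Returns the addresses the caller may connect to, or throws. Every resolved
// address is checked, because a name with one public and one internal A record
// is a standard SSRF trick. A real client must then connect to exactly these
// addresses instead of re-resolving the name (DNS rebinding); that pinning is
// not implemented here.
function checkPublicDestination(rawUrl: string, resolve: Resolver,
                                denyList: readonly Cidr[] = NON_PUBLIC_IPV4): string[] {
  const url = new URL(rawUrl);
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    throw new Error(`unsupported scheme ${url.protocol}`);
  }
  // WHATWG URL parsing canonicalizes integer, octal and hex IPv4 spellings
  // ("http://0x7f000001/") to a dotted quad, so a literal host is checked as-is.
  const host = url.hostname;
  const addrs = parseIPv4(host) !== null ? [host] : resolve(host);
  if (addrs.length === 0) throw new Error(`${host} did not resolve`);
  for (const a of addrs) {
    if (!isPublicIPv4Literal(a, denyList)) {
      throw new Error(`${host} -> ${a} is not a public IPv4 address`);
    }
  }
  return addrs;
}

function isAllowed(rawUrl: string, resolve: Resolver, denyList: readonly Cidr[] = NON_PUBLIC_IPV4): boolean {
  try { checkPublicDestination(rawUrl, resolve, denyList); return true; } catch { return false; }
}

// Constructed zone for the demo; none of these names or addresses are real hosts.
// 198.20.0.x sits just past the benchmarking range and stands in for public space.
const DEMO_ZONE: Record<string, string[]> = {
  "actor.example": ["198.20.0.1"],
  "cgnat.attacker.example": ["100.64.0.10"],
  "bench.attacker.example": ["198.18.0.1"],
  "mixed.attacker.example": ["198.20.0.2", "10.0.0.5"],
};
const demoResolve: Resolver = (h) => DEMO_ZONE[h] ?? [];
```

Run against `PRE_PATCH_BLOCKED`, `isAllowed("http://cgnat.attacker.example/actor", demoResolve, PRE_PATCH_BLOCKED)` returns true, which is the bypass class the advisory describes; with the full table it returns false. The check deliberately consumes the resolver's whole answer set and rejects non-IPv4 strings, so a name that mixes a public and an internal record, or resolves only to IPv6, is refused rather than partially trusted; the remaining gap, connecting to the validated addresses rather than letting the HTTP client resolve the name again, has to be closed in the fetch layer itself.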

Recommended Action (AI)

Within 24 hours: Inventory all systems running Fedify versions 0.11.2-2.2.3 and audit their outbound network access; implement egress firewall rules that block connections from affected services to all non-public IPv4 ranges, both the ones the pre-patch check already rejected (10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.168.0.0/16) and the special-purpose ranges it missed (for example 0.0.0.0/8, 100.64.0.0/10, 192.0.0.0/24, 198.18.0.0/15, 224.0.0.0/4, 240.0.0.0/4), so that the network layer does not depend on the application-level check. …
