Fedify
Server-Side Request Forgery in the Fedify ActivityPub library (versions 0.11.2 through 2.2.3, with branch-specific cutoffs) allows remote attackers to coerce outbound fetches to non-public IPv4 destinations because the `isValidPublicIPv4Address()` check fails to exclude several reserved, multicast, benchmarking (198.18.0.0/15), and CGNAT (100.64.0.0/10) ranges. This is an incomplete-fix bypass of the SSRF mitigation originally tracked as GHSA-p9cg-vqcc-grcx; at time of analysis there is no public exploit identified, though the underlying logic and patch diff are publicly disclosed in the GHSA-xw9q-2mv6-9fr8 advisory. Federated servers built on Fedify are exposed whenever they fetch attacker-controlled ActivityPub documents or media, since the attacker chooses the URL the server dereferences.
Unbounded HTTP redirect following in Fedify's ActivityPub document loaders enables resource exhaustion attacks. Remote unauthenticated attackers can trigger denial of service by controlling ActivityPub key or actor URLs that redirect indefinitely, forcing affected servers (Fedify versions before 1.9.6, 1.10.5, 2.0.8, and 2.1.1) to make repeated outbound requests from a single inbound request. No public exploit identified at time of analysis, though the attack vector is straightforward given the low complexity (CVSS AC:L). CVSS base score 7.5 (High) reflects network-reachable, unauthenticated access with high availability impact.
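Added example, not Fedify's code, illustrating the two fixes the preceding entries describe: an IPv4 check built from the IANA special-purpose address registry (so the CGNAT, benchmarking, multicast and reserved blocks named in the SSRF entry are all excluded), and a redirect follower that re-validates the destination on every hop and stops after a fixed number of redirects. The range table, the `literalOnly` resolver (a real loader resolves DNS and checks every returned record), the synchronous injected fetcher, and the `8.8.8.8` / `/actor` sample URLs are assumptions of this example, not Fedify's implementation.

```typescript
// Added example (not Fedify's code): public-IPv4 check from the IANA
// special-purpose registry, plus redirect following with a hop limit.

// Ranges a federation fetch must never reach. Assumption: this table is the
// complete set of concern here; IPv6 literals are rejected outright below.
const NON_PUBLIC_IPV4: ReadonlyArray<[string, number]> = [
  ["0.0.0.0", 8],        // "this" network
  ["10.0.0.0", 8],       // private (RFC 1918)
  ["100.64.0.0", 10],    // shared address space, CGNAT (RFC 6598)
  ["127.0.0.0", 8],      // loopback
  ["169.254.0.0", 16],   // link-local; cloud metadata endpoints live here
  ["172.16.0.0", 12],    // private (RFC 1918)
  ["192.0.0.0", 24],     // IETF protocol assignments
  ["192.0.2.0", 24],     // TEST-NET-1
  ["192.88.99.0", 24],   // former 6to4 relay anycast
  ["192.168.0.0", 16],   // private (RFC 1918)
  ["198.18.0.0", 15],    // benchmarking (RFC 2544)
  ["198.51.100.0", 24],  // TEST-NET-2
  ["203.0.113.0", 24],   // TEST-NET-3
  ["224.0.0.0", 4],      // multicast
  ["240.0.0.0", 4],      // reserved, includes 255.255.255.255 broadcast
];

// Strict dotted quad: four decimal octets, no leading zeros, no hex or
// shorthand, so "0177.0.0.1" and "2130706433" are rejected, not reinterpreted.
function parseIPv4(text: string): number | null {
  const parts = text.split(".");
  if (parts.length !== 4) return null;
  let addr = 0;
  for (const part of parts) {
    if (!/^(0|[1-9][0-9]{0,2})$/.test(part)) return null;
    const octet = Number(part);
    if (octet > 255) return null;
    addr = addr * 256 + octet;
  }
  return addr;
}

function inCidr(addr: number, network: string, prefix: number): boolean {
  const hostSpace = 2 ** (32 - prefix);
  return Math.floor(addr / hostSpace) === Math.floor((parseIPv4(network) as number) / hostSpace);
}

function isPublicIPv4(text: string): boolean {
  const addr = parseIPv4(text);
  if (addr === null) return false; // unparseable is never "public"
  return !NON_PUBLIC_IPV4.some(([network, prefix]) => inCidr(addr, network, prefix));
}

// Hostname -> addresses. Default accepts IP literals only; a real loader would
// resolve DNS here and check every returned record (assumption).
type Resolver = (hostname: string) => string[];
const literalOnly: Resolver = (hostname) => (parseIPv4(hostname) === null ? [] : [hostname]);

function destinationIsPublic(url: URL, resolve: Resolver = literalOnly): boolean {
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  // WHATWG URL parsing has already normalised "0x7f000001" or "2130706433" to
  // "127.0.0.1", so the check runs on url.hostname, never on the raw string.
  const addrs = resolve(url.hostname);
  return addrs.length > 0 && addrs.every(isPublicIPv4);
}

// Minimal response view; the fetcher is injected and synchronous so the loop
// can be exercised offline (assumption of this example).
interface Hop { status: number; location: string | null; }
type Fetcher = (url: URL) => Hop;

function followRedirects(
  start: string, fetcher: Fetcher, maxRedirects = 5, resolve: Resolver = literalOnly,
): { finalUrl: string; requests: number } {
  let url = new URL(start);
  for (let requests = 1; ; requests++) {
    // Re-check every hop: a public first hop can legally 302 into RFC 1918 space.
    if (!destinationIsPublic(url, resolve)) {
      throw new Error(`refusing non-public destination ${url.host}`);
    }
    const hop = fetcher(url);
    const target = hop.location;
    if (hop.status < 300 || hop.status > 399 || target === null) {
      return { finalUrl: url.href, requests };
    }
    if (requests > maxRedirects) {
      throw new Error(`more than ${maxRedirects} redirects starting from ${start}`);
    }
    url = new URL(target, url); // relative Location resolves against the current URL
  }
}

// Constructed demo: an actor URL that redirects forever. (8.8.8.8 is just a
// public address; TEST-NET addresses would be refused by the table above.)
const endless: Fetcher = (url) => ({ status: 302, location: `${url.origin}/actor/next` });
try {
  followRedirects("http://8.8.8.8/actor", endless);
} catch (e) {
  console.log((e as Error).message);
}
```

With `maxRedirects = 5` the loop makes at most six outbound requests per inbound trigger, and the destination check runs before each of them, so a redirect chain that starts on a public host and ends on `169.254.169.254` is refused at the hop where it pivots rather than after the fetch.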
A Regular Expression Denial of Service (ReDoS) vulnerability exists in Fedify, a TypeScript library for building ActivityPub federated servers, where maliciously crafted HTML responses can cause catastrophic backtracking in the document loader's HTML parsing regex. The vulnerability affects versions prior to 1.6.13, 1.7.14, 1.8.15, and 1.9.2, allowing remote attackers to cause denial of service without authentication. A public proof-of-concept exploit is available, though the EPSS score of 0.13% indicates relatively low exploitation likelihood in the wild.
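Added example, not Fedify's code and not the regex from the advisory: an HTML `<link>` extractor written with a nested quantifier of the kind that backtracks catastrophically on crafted input, beside a single-pass scanner for the same discovery job (finding the ActivityPub alternate link in an HTML response). The pattern, the attribute tokenizer, the accepted media types and the constructed payload are assumptions of this example.

```typescript
// Added example (not Fedify's code): a backtracking regex in the style that
// produces ReDoS, beside a linear-time scanner for the same <link> lookup.

// Illustrative vulnerable pattern, NOT the one from the advisory: the nested
// quantifier ([^>]*\s+)* can carve a run of whitespace into exponentially many
// pieces before the mandatory rel="alternate" fails, and the engine tries them all.
const BACKTRACKING_LINK = /<link\s+([^>]*\s+)*rel="alternate"[^>]*href="([^"]*)"/i;

function findAlternateLinkBacktracking(html: string): string | null {
  const m = BACKTRACKING_LINK.exec(html);
  return m?.[2] ?? null;
}

// Media types that identify an ActivityPub representation (exact match assumed).
const AP_TYPES = new Set([
  "application/activity+json",
  'application/ld+json; profile="https://www.w3.org/ns/activitystreams"',
]);

const isSpace = (ch: string | undefined): boolean => ch !== undefined && /\s/.test(ch);

// Left-to-right attribute tokenizer over the inside of one tag. Every loop
// iteration advances the index, so the cost is linear in the tag length.
function parseAttributes(body: string): Map<string, string> {
  const attrs = new Map<string, string>();
  let i = 0;
  while (i < body.length) {
    while (isSpace(body[i])) i++;
    const nameStart = i;
    while (i < body.length && !isSpace(body[i]) && body[i] !== "=" && body[i] !== "/") i++;
    if (i === nameStart) { i++; continue; }               // stray "/" or "="
    const name = body.slice(nameStart, i).toLowerCase();
    while (isSpace(body[i])) i++;
    let value = "";
    if (body[i] === "=") {
      i++;
      while (isSpace(body[i])) i++;
      const quote = body[i];
      if (quote === '"' || quote === "'") {
        const end = body.indexOf(quote, i + 1);
        value = body.slice(i + 1, end === -1 ? body.length : end);
        i = end === -1 ? body.length : end + 1;
      } else {
        const valueStart = i;
        while (i < body.length && !isSpace(body[i])) i++;
        value = body.slice(valueStart, i);
      }
    }
    if (!attrs.has(name)) attrs.set(name, value);         // first occurrence wins, as in HTML
  }
  return attrs;
}

// Single pass over the document: locate each "<link", cut at the next ">",
// tokenize that slice once. No tag body is scanned twice, so a crafted
// whitespace run costs time proportional to its length only.
function findAlternateLinkLinear(html: string): string | null {
  const lower = html.toLowerCase();
  let from = 0;
  for (;;) {
    const open = lower.indexOf("<link", from);
    if (open === -1) return null;
    const close = html.indexOf(">", open);
    if (close === -1) return null;                         // unterminated tag
    const body = html.slice(open + 5, close);
    from = close + 1;
    if (body.length > 0 && !isSpace(body[0]) && body[0] !== "/") continue; // e.g. <linkfoo>
    const attrs = parseAttributes(body);
    const rel = (attrs.get("rel") ?? "").toLowerCase().split(/\s+/);
    const type = (attrs.get("type") ?? "").toLowerCase().trim();
    const href = attrs.get("href");
    if (rel.indexOf("alternate") !== -1 && AP_TYPES.has(type) && href) return href;
  }
}

// Constructed payload: "<link" followed by n spaces and no closing ">".
function redosPayload(n: number): string {
  return "<link" + " ".repeat(n) + "x";
}

// Wall-clock cost of the backtracking regex on the payload; grows exponentially in n.
function backtrackingMillis(n: number): number {
  const started = Date.now();
  findAlternateLinkBacktracking(redosPayload(n));
  return Date.now() - started;
}

for (const n of [8, 12, 16]) console.log(`n=${n}: ${backtrackingMillis(n)} ms`);
```

The scanner accepts attributes in any order and with either quote style, which the regex does not, and it takes the same time on a tag padded with a hundred thousand spaces as the regex takes on a handful; the response size limit the loader already enforces bounds that linear cost, whereas no size limit that still admits real HTML bounds the exponential one.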