
Vocab Runtime

2 CVEs (product)

CVE-2026-50131 HIGH PATCH This Week

Server-Side Request Forgery in the Fedify ActivityPub library (versions 0.11.2 through 2.2.3, with branch-specific cutoffs) allows remote attackers to coerce outbound fetches to non-public IPv4 destinations, because the `isValidPublicIPv4Address()` allow-list misses several reserved, multicast, benchmarking, and CGNAT ranges. This is an incomplete-fix bypass of the SSRF mitigation originally tracked as GHSA-p9cg-vqcc-grcx. At the time of analysis no public exploit had been identified, though the underlying logic and the patch diff are publicly disclosed in the GHSA-xw9q-2mv6-9fr8 advisory. Federated servers built on Fedify are exposed whenever they fetch attacker-controlled ActivityPub documents or media.

Tags: SSRF, Fedify, Vocab Runtime
References: NVD, GitHub
CVSS 3.1: 8.6
EPSS: 0.1%
CVE-2026-34148 npm HIGH PATCH GHSA This Week

Unbounded HTTP redirect following in Fedify's ActivityPub document loaders enables resource exhaustion attacks. Remote unauthenticated attackers can trigger denial of service by controlling ActivityPub key or actor URLs that redirect indefinitely, forcing affected servers (Fedify versions before 1.9.6, 1.10.5, 2.0.8, and 2.1.1) to make repeated outbound requests from a single inbound request. No public exploit had been identified at the time of analysis, though the attack vector is straightforward given the low complexity (CVSS AC:L). The CVSS base score of 7.5 (High) reflects network-reachable, unauthenticated access with high availability impact.

Tags: Denial of Service, Fedify, Vocab Runtime
References: NVD, GitHub
CVSS 3.1: 7.5
EPSS: 0.0%
