Hong Minhee

9 exploits Active since Jul 2024
CVE-2024-39687 WRITEUP HIGH WRITEUP
Fedify < 0.9.2, 0.10.0, 0.11.0 - Server-Side Request Forgery via ActivityPub Resource Resolution
Fedify is a TypeScript library for building federated server apps powered by ActivityPub and other standards. At present, when Fedify needs to retrieve an object or activity from a remote activitypub server, it makes a HTTP request to the `@id` or other resources present within the activity it has received from the web. This activity could reference an `@id` that points to an internal IP address, allowing an attacker to send request to resources internal to the fedify server's network. This applies to not just resolution of documents containing activities or objects, but also to media URLs as well. Specifically this is a Server Side Request Forgery attack. Users should upgrade to Fedify version 0.9.2, 0.10.1, or 0.11.1 to receive a patch for this issue.
CVSS 7.2
CVE-2025-23221 WRITEUP MEDIUM WRITEUP
Fedify 1.0.13-1.0.13, 1.1.0-1.1.10, 1.2.0-1.2.10, 1.3.0-1.3.3 - Denial of Service via Webfinger Mechanism
Fedify is a TypeScript library for building federated server apps powered by ActivityPub and other standards. This vulnerability allows a user to maneuver the Webfinger mechanism to perform a GET request to any internal resource on any Host, Port, URL combination regardless of present security mechanisms, and forcing the victim’s server into an infinite loop causing Denial of Service. Moreover, this issue can also be maneuvered into performing a Blind SSRF attack. This vulnerability is fixed in 1.0.14, 1.1.11, 1.2.11, and 1.3.4.
CVSS 5.4
CVE-2025-23221 WRITEUP MEDIUM WRITEUP
Fedify 1.0.13-1.0.13, 1.1.0-1.1.10, 1.2.0-1.2.10, 1.3.0-1.3.3 - Denial of Service via Webfinger Mechanism
Fedify is a TypeScript library for building federated server apps powered by ActivityPub and other standards. This vulnerability allows a user to maneuver the Webfinger mechanism to perform a GET request to any internal resource on any Host, Port, URL combination regardless of present security mechanisms, and forcing the victim’s server into an infinite loop causing Denial of Service. Moreover, this issue can also be maneuvered into performing a Blind SSRF attack. This vulnerability is fixed in 1.0.14, 1.1.11, 1.2.11, and 1.3.4.
CVSS 5.4
CVE-2024-39687 WRITEUP HIGH WRITEUP
Fedify < 0.9.2, 0.10.0, 0.11.0 - Server-Side Request Forgery via ActivityPub Resource Resolution
Fedify is a TypeScript library for building federated server apps powered by ActivityPub and other standards. At present, when Fedify needs to retrieve an object or activity from a remote activitypub server, it makes a HTTP request to the `@id` or other resources present within the activity it has received from the web. This activity could reference an `@id` that points to an internal IP address, allowing an attacker to send request to resources internal to the fedify server's network. This applies to not just resolution of documents containing activities or objects, but also to media URLs as well. Specifically this is a Server Side Request Forgery attack. Users should upgrade to Fedify version 0.9.2, 0.10.1, or 0.11.1 to receive a patch for this issue.
CVSS 7.2
CVE-2025-23221 WRITEUP MEDIUM WRITEUP
Fedify 1.0.13-1.0.13, 1.1.0-1.1.10, 1.2.0-1.2.10, 1.3.0-1.3.3 - Denial of Service via Webfinger Mechanism
Fedify is a TypeScript library for building federated server apps powered by ActivityPub and other standards. This vulnerability allows a user to maneuver the Webfinger mechanism to perform a GET request to any internal resource on any Host, Port, URL combination regardless of present security mechanisms, and forcing the victim’s server into an infinite loop causing Denial of Service. Moreover, this issue can also be maneuvered into performing a Blind SSRF attack. This vulnerability is fixed in 1.0.14, 1.1.11, 1.2.11, and 1.3.4.
CVSS 5.4
CVE-2025-53941 WRITEUP MEDIUM WRITEUP
Hollo < 0.6.5 - HTML Injection via Form Element Submission
Hollo is a federated single-user microblogging software designed to be federated through ActivityPub. Versions prior to 0.6.5 allow HTML form elements to be submitted, making the software vulnerable to HTML injection. Version 0.6.5 fixes the issue.
CVSS 6.1
CVE-2025-54888 WRITEUP HIGH WRITEUP
Fedify < 1.3.20 - Incorrect Authorization
Fedify is a TypeScript library for building federated server apps powered by ActivityPub. In versions below 1.3.20, 1.4.0-dev.585 through 1.4.12, 1.5.0-dev.636 through 1.5.4, 1.6.0-dev.754 through 1.6.7, 1.7.0-pr.251.885 through 1.7.8 and 1.8.0-dev.909 through 1.8.4, an authentication bypass vulnerability allows any unauthenticated attacker to impersonate any ActivityPub actor by sending forged activities signed with their own keys. Activities are processed before verifying the signing key belongs to the claimed actor, enabling complete actor impersonation across all Fedify instances. This is fixed in versions 1.3.20, 1.4.13, 1.5.5, 1.6.8, 1.7.9 and 1.8.5.
CVE-2025-68475 WRITEUP HIGH WRITEUP
Fedify < 1.6.13, 1.7.0-1.7.13, 1.8.0-1.8.14, 1.9.0-1.9.1 - Regular Expression Denial of Service in HTML Parser
Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to versions 1.6.13, 1.7.14, 1.8.15, and 1.9.2, a Regular Expression Denial of Service (ReDoS) vulnerability exists in Fedify's document loader. The HTML parsing regex at packages/fedify/src/runtime/docloader.ts:259 contains nested quantifiers that cause catastrophic backtracking when processing maliciously crafted HTML responses. This issue has been patched in versions 1.6.13, 1.7.14, 1.8.15, and 1.9.2.
CVSS 7.5
CVE-2026-25808 WRITEUP HIGH WRITEUP
Hollo <0.6.20-0.7.2 - Info Disclosure
Hollo is a federated single-user microblogging software designed to be federated through ActivityPub. Prior to 0.6.20 and 0.7.2, there is a security vulnerability where DMs and followers-only posts were exposed through the ActivityPub outbox endpoint without authorization. This vulnerability is fixed in 0.6.20 and 0.7.2.
CVSS 7.5