CVE-2025-23221

MEDIUM

Fedify < 1.0.14 - SSRF

Title source: rule

Description

Fedify is a TypeScript library for building federated server apps powered by ActivityPub and other standards. This vulnerability allows a user to maneuver the Webfinger mechanism to perform a GET request to any internal resource on any Host, Port, URL combination regardless of present security mechanisms, and forcing the victim’s server into an infinite loop causing Denial of Service. Moreover, this issue can also be maneuvered into performing a Blind SSRF attack. This vulnerability is fixed in 1.0.14, 1.1.11, 1.2.11, and 1.3.4.

References (4)

[Vendor Advisory] https://github.com/dahlia/fedify/security/advisories/GHSA-c59p-wq67-24wx

[Patch] https://github.com/dahlia/fedify/commit/8be3c2038eebf4ae12481683a1e809b314be3151

[Patch] https://github.com/dahlia/fedify/commit/c505eb82fcd6b5b17174c6659c29721bc801ab9a

View Patch ZIP pw:eip

[Patch] https://github.com/dahlia/fedify/commit/e921134dd5097586e4563ea80b9e8d1b5460a645

Scores

CVSS v3 5.4

EPSS 0.0011

EPSS Percentile 29.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:L

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-835 CWE-918

Status published

Products (5)

dahlia/fedify < 1.0.14

dahlia/fedify >= 1.1.0, < 1.1.11

dahlia/fedify >= 1.2.0, < 1.2.11

dahlia/fedify >= 1.3.0, < 1.3.4

fedify/fedify 1.0.13 - 1.0.14npm

Published Jan 20, 2025

Tracked Since Feb 18, 2026