| Title | Published | Views | Source |
|---|---|---|---|
| CVE-2026-33693 | 27 Mar 2026 00:03 | – | attackerkb |
| CVE-2026-33693 | 23 Mar 2026 15:39 | – | circl |
| Lemmy code issue vulnerability | 27 Mar 2026 00:00 | – | cnnvd |
| CVE-2026-33693 | 27 Mar 2026 00:03 | – | cve |
| CVE-2026-33693 Lemmy's Activitypub-Federation has SSRF via 0.0.0.0 bypass in activitypub-federation-rust v4_is_invalid() | 27 Mar 2026 00:03 | – | cvelist |
| Activitypub-Federation has SSRF via 0.0.0.0 bypass in activitypub-federation-rust v4_is_invalid() | 25 Mar 2026 20:23 | – | github |
| Activitypub-Federation has SSRF via 0.0.0.0 bypass in activitypub-federation-rust v4_is_invalid() | 25 Mar 2026 00:00 | – | gitlab |
| CVE-2026-33693 | 27 Mar 2026 01:16 | – | nvd |
| CVE-2026-33693 Lemmy's Activitypub-Federation has SSRF via 0.0.0.0 bypass in activitypub-federation-rust v4_is_invalid() | 27 Mar 2026 00:03 | – | osv |
| GHSA-7723-35V7-QCXW Server-Side Request Forgery (SSRF) in activitypub_federation | 10 Feb 2025 20:25 | – | osv |

# CVE-2026-33693: SSRF via 0.0.0.0 Bypass in activitypub-federation-rust `v4_is_invalid()` (CVSS 6.5 Moderate)

**Keywords:** SSRF, 0.0.0.0, IP validation bypass, activitypub-federation, Lemmy, Rust, ActivityPub

---
## Table of Contents
- [Overview](#overview)
- [Vulnerability Details](#vulnerability-details)
- [Technical Analysis](#technical-analysis)
- [Attack Chain](#attack-chain)
- [Impact](#impact)
- [Remediation](#remediation)
- [CVSS v3.1 Metrics](#cvss-v31-metrics)
- [Timeline](#timeline)
- [References](#references)
- [Contact](#contact)
- [Disclaimer](#disclaimer)
---
## Overview
A Server-Side Request Forgery (SSRF) vulnerability exists in the `activitypub-federation-rust` library (used by Lemmy and 6+ downstream projects) due to an incomplete IP address validation check in the `v4_is_invalid()` function. The function fails to call `is_unspecified()`, allowing an attacker to bypass SSRF protections by targeting `0.0.0.0` — which maps to localhost on most systems.
- **Package:** `activitypub_federation` (Rust/cargo)
- **Affected Versions:** <= 0.7.1
- **Fixed In:** PR [#162](https://github.com/LemmyNet/activitypub-federation-rust/pull/162)
---
## Vulnerability Details
The `v4_is_invalid()` function in `src/utils.rs` validates IPv4 addresses to block internal network access. It checks for loopback (`127.0.0.0/8`), private ranges (`10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/16`), link-local (`169.254.0.0/16`), and broadcast (`255.255.255.255`), but **does not check for the unspecified address `0.0.0.0`**.
On most systems, connecting to `0.0.0.0` reaches the loopback interface, granting the same access as `127.0.0.1`.

**Secondary Finding:** A DNS Rebinding / TOCTOU vulnerability also exists: `lookup_host()` resolves a hostname and validates the resulting IP, but the separate `reqwest` call performs a second DNS resolution of its own, allowing an attacker to serve a safe IP for the first lookup and rebind the name to an internal IP for the second.

---
## Technical Analysis
### Vulnerable Code (`src/utils.rs`)
```rust
use std::net::Ipv4Addr;

fn v4_is_invalid(ip: &Ipv4Addr) -> bool {
    ip.is_loopback()
        || ip.is_private()
        || ip.is_link_local()
        || ip.is_broadcast()
    // MISSING: || ip.is_unspecified() <- 0.0.0.0 not blocked
}
```
### Fixed Code
```rust
use std::net::Ipv4Addr;

fn v4_is_invalid(ip: &Ipv4Addr) -> bool {
    ip.is_loopback()
        || ip.is_private()
        || ip.is_link_local()
        || ip.is_broadcast()
        || ip.is_unspecified() // <- Now blocks 0.0.0.0
}
```
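The following is an added example, not code from the advisory or from the activitypub-federation-rust project. It pairs the corrected IPv4 check with a std-only IPv6 check (so `::`, `::1`, and IPv4-mapped forms such as `::ffff:0.0.0.0` are caught too) and adds a hypothetical `pin_resolved_addrs` helper that addresses the Secondary Finding: validate the addresses from the single `lookup_host()` call and return exactly those addresses for the HTTP client to be pinned to, so no second DNS resolution can be rebound.

```rust
use std::net::{IpAddr, Ipv4Addr, Ipv6Addr, SocketAddr};

/// IPv4 check with the previously missing `is_unspecified()` guard (as in the fix).
pub fn v4_is_invalid(ip: &Ipv4Addr) -> bool {
    ip.is_loopback()
        || ip.is_private()
        || ip.is_link_local()
        || ip.is_broadcast()
        || ip.is_unspecified() // 0.0.0.0 reaches localhost on most systems
}

/// IPv6 check written against std only: unspecified (::), loopback (::1),
/// unique-local (fc00::/7) and link-local (fe80::/10). An IPv4-mapped address
/// (::ffff:a.b.c.d) is unwrapped and judged by the IPv4 rules, so
/// `::ffff:0.0.0.0` cannot slip past a v6-only check.
pub fn v6_is_invalid(ip: &Ipv6Addr) -> bool {
    if let Some(v4) = ip.to_ipv4_mapped() {
        return v4_is_invalid(&v4);
    }
    let seg0 = ip.segments()[0];
    ip.is_unspecified()
        || ip.is_loopback()
        || (seg0 & 0xfe00) == 0xfc00 // fc00::/7 unique-local
        || (seg0 & 0xffc0) == 0xfe80 // fe80::/10 link-local
}

pub fn ip_is_invalid(ip: &IpAddr) -> bool {
    match ip {
        IpAddr::V4(v4) => v4_is_invalid(v4),
        IpAddr::V6(v6) => v6_is_invalid(v6),
    }
}

/// Hypothetical TOCTOU mitigation for the DNS-rebinding finding: take the
/// addresses returned by the one `lookup_host()` call, reject the host if
/// *any* of them is internal (the client may pick any of them), and otherwise
/// return the exact addresses the HTTP client must be pinned to (for example
/// with reqwest's `ClientBuilder::resolve_to_addrs`), so that no second,
/// attacker-controlled DNS resolution takes place.
pub fn pin_resolved_addrs(resolved: &[SocketAddr]) -> Result<Vec<SocketAddr>, String> {
    if resolved.is_empty() {
        return Err("host resolved to no addresses".to_string());
    }
    if let Some(bad) = resolved.iter().find(|a| ip_is_invalid(&a.ip())) {
        return Err(format!("host resolves to internal address {}", bad.ip()));
    }
    Ok(resolved.to_vec())
}
```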
---
## Attack Chain
```
+----------------------------------------------------+
| SSRF via 0.0.0.0 Bypass                            |
+----------------------------------------------------+
|                                                    |
| 1. Attacker hosts ActivityPub object with          |
|    URL pointing to http://0.0.0.0:<port>/path      |
|                                                    |
| 2. Lemmy instance fetches the object via           |
|    activitypub-federation-rust                     |
|                                                    |
| 3. v4_is_invalid() checks IP address:              |
|    x is_loopback()    -> false (not 127.x)         |
|    x is_private()     -> false (not RFC1918)       |
|    x is_link_local()  -> false (not 169.254.x)     |
|    x is_broadcast()   -> false (not 255.x)         |
|    x is_unspecified() -> NOT CHECKED               |
|    Result: 0.0.0.0 PASSES validation               |
|                                                    |
| 4. Request sent to 0.0.0.0 -> resolves to          |
|    localhost -> accesses internal services         |
|                                                    |
| 5. Internal service data returned to attacker      |
|    via ActivityPub federation response             |
|                                                    |
+----------------------------------------------------+
```
---
## Impact
**Downstream Exposure:** The `activitypub-federation-rust` crate is used by **6+ projects** in the Fediverse ecosystem:

| Project | Stars | Description |
|---------|-------|-------------|
| [Lemmy](https://github.com/LemmyNet/lemmy) | 13.7K+ | Link aggregator for the Fediverse |
| [hatsu](https://github.com/importantimport/hatsu) | -- | ActivityPub bridge |
| [gill](https://github.com/oknozor/gill) | -- | Git hosting with federation |
| [ties](https://github.com/ties-social/ties) | -- | Social networking |
| [fediscus](https://github.com/fediscus/fediscus) | -- | Federated discussions |
| [fediverse-axum](https://github.com/fediverse-axum) | -- | ActivityPub framework |

An attacker can:
- **Access internal services** (databases, admin panels, cloud metadata endpoints)
- **Scan internal ports** on the Lemmy/federation server
- **Exfiltrate cloud credentials** via metadata APIs
---
## Remediation
- **Upgrade** `activitypub-federation` to a version containing the fix from PR [#162](https://github.com/LemmyNet/activitypub-federation-rust/pull/162)
- **Lemmy users:** Apply the backport from [lemmy#6411](https://github.com/LemmyNet/lemmy/pull/6411)
---
## CVSS v3.1 Metrics
| Metric | Value |
|--------|-------|
| **Attack Vector** | Network |
| **Attack Complexity** | Low |
| **Privileges Required** | None |
| **User Interaction** | None |
| **Scope** | Unchanged |
| **Confidentiality** | Low |
| **Integrity** | Low |
| **Availability** | None |
| **CVSS Vector** | `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N` |
| **Score** | **6.5 (Moderate)** |
---
## Timeline
| Date | Event |
|------|-------|
| 2026-03-11 | Vulnerability reported via GitHub PVRT |
| 2026-03-13 | Maintainer confirmed the finding |
| 2026-03-13 | Fix PR [#162](https://github.com/LemmyNet/activitypub-federation-rust/pull/162) submitted |
| 2026-03-13 | Advisory accidentally closed |
| 2026-03-16 | Advisory reopened |
| 2026-03-23 | CVE-2026-33693 assigned and advisory published |
---
## References
- [GHSA-q537-8fr5-cw35](https://github.com/LemmyNet/lemmy/security/advisories/GHSA-q537-8fr5-cw35)
- [CVE-2026-33693](https://www.cve.org/CVERecord?id=CVE-2026-33693)
- [Fix PR #162](https://github.com/LemmyNet/activitypub-federation-rust/pull/162)
- [Lemmy Backport PR #6411](https://github.com/LemmyNet/lemmy/pull/6411)
- [CWE-918: Server-Side Request Forgery](https://cwe.mitre.org/data/definitions/918.html)
---
## Contact
- **Website:** [snailsploit.com](https://snailsploit.com)
- **GitHub:** [@SnailSploit](https://github.com/SnailSploit)
- **LinkedIn:** [/in/kaiaizen](https://linkedin.com/in/kaiaizen)
---
## Disclaimer
This repository is published for educational and defensive purposes as part of responsible vulnerability disclosure. The vulnerability was reported through GitHub's Private Vulnerability Reporting (PVRT) process. No exploitation was performed against production systems. All testing was conducted in isolated environments.