94 matches found
Fedify 安全漏洞
Fedify is a TypeScript library by the individual developer Hong Minhee. It is used to build federated server applications supported by ActivityPub and other standards. A security vulnerability exists in Fedify versions prior to 1.6.13, 1.7.14, 1.8.15, and 1.9.2, which stems from a regular...
PT-2025-52723
Name of the Vulnerable Software and Affected Versions Fedify versions prior to 1.6.13 Fedify versions prior to 1.7.14 Fedify versions prior to 1.8.15 Fedify versions prior to 1.9.2 Description Fedify is a TypeScript library used for building federated server applications based on ActivityPub. A...
EUVD-2025-24039
Malicious code in bioql PyPI...
EUVD-2024-2391
Malicious code in bioql PyPI...
CVE-2025-54888
Fedify is a TypeScript library for building federated server apps powered by ActivityPub. In versions below 1.3.20, 1.4.0-dev.585 through 1.4.12, 1.5.0-dev.636 through 1.5.4, 1.6.0-dev.754 through 1.6.7, 1.7.0-pr.251.885 through 1.7.8 and 1.8.0-dev.909 through 1.8.4, an authentication bypass...
CVE-2025-54888
Fedify is a TypeScript library for building federated server apps powered by ActivityPub. In versions below 1.3.20, 1.4.0-dev.585 through 1.4.12, 1.5.0-dev.636 through 1.5.4, 1.6.0-dev.754 through 1.6.7, 1.7.0-pr.251.885 through 1.7.8 and 1.8.0-dev.909 through 1.8.4, an authentication bypass...
@fedify/botkit (>=0.3.0-dev.125 <=0.3.0-dev.131) potentially affected by CVE-2025-54888 via @fedify/fedify (=1.8.1-dev.1262)
@fedify/fedify NPM version =1.8.1-dev.1262 is affected by a known vulnerability. The following packages have a transitive dependency on @fedify/fedify and may be impacted: - @fedify/botkit =0.3.0-dev.125, =0.3.0-dev.131 Source cves: CVE-2025-54888 Source advisory: SNYK:JS-FEDIFYFEDIFY-11735306...
@fedify/amqp (=0.2.0-dev.12), @fedify/postgres (>=0.3.0 <=0.3.0-dev.22) +1 more potentially affected by CVE-2025-54888 via @fedify/fedify (>=1.5.0-dev.732 <=1.5.0)
@fedify/fedify NPM version =1.5.0-dev.732, =0.3.0, =0.4.0, =0.4.0-dev.19 Source cves: CVE-2025-54888 Source advisory: SNYK:JS-FEDIFYFEDIFY-11735306...
Improper Authentication
Overview @fedify/fedify is an An ActivityPub server framework Affected versions of this package are vulnerable to Improper Authentication via the handleInboxInternal function in the federation/handler.ts file. An attacker can impersonate any actor across all instances by sending forged activities...
CVE-2025-54888 @fedify/fedify: Improper Authentication and Incorrect Authorization
Fedify is a TypeScript library for building federated server apps powered by ActivityPub. In versions below 1.3.20, 1.4.0-dev.585 through 1.4.12, 1.5.0-dev.636 through 1.5.4, 1.6.0-dev.754 through 1.6.7, 1.7.0-pr.251.885 through 1.7.8 and 1.8.0-dev.909 through 1.8.4, an authentication bypass...
CVE-2025-54888 @fedify/fedify: Improper Authentication and Incorrect Authorization
Fedify is a TypeScript library for building federated server apps powered by ActivityPub. In versions below 1.3.20, 1.4.0-dev.585 through 1.4.12, 1.5.0-dev.636 through 1.5.4, 1.6.0-dev.754 through 1.6.7, 1.7.0-pr.251.885 through 1.7.8 and 1.8.0-dev.909 through 1.8.4, an authentication bypass...
CVE-2025-54888
Fedify vulnerability CVE-2025-54888 is an authentication bypass in handleInboxInternal that lets an attacker impersonate any ActivityPub actor by sending forged activities signed with their own keys. The flaw processes an activity before verifying the signer’s ownership of the actor, enabling imp...
CVE-2025-54888 @fedify/fedify: Improper Authentication and Incorrect Authorization
Fedify is a TypeScript library for building federated server apps powered by ActivityPub. In versions below 1.3.20, 1.4.0-dev.585 through 1.4.12, 1.5.0-dev.636 through 1.5.4, 1.6.0-dev.754 through 1.6.7, 1.7.0-pr.251.885 through 1.7.8 and 1.8.0-dev.909 through 1.8.4, an authentication bypass...
Fedify 安全漏洞
Fedify is a TypeScript library by the individual developer Hong Minhee. It is used to build federated server applications supported by ActivityPub and other standards. A security vulnerability exists in Fedify that stems from an authentication bypass that could lead to arbitrary ActivityPub role...
@fedify/amqp (=0.2.0-dev.12), @fedify/postgres (>=0.3.0 <=0.3.0-dev.22) +1 more potentially affected by CVE-2025-54888 via @fedify/fedify (>=1.5.0-dev.732 <=1.5.0)
@fedify/fedify NPM version =1.5.0-dev.732, =0.3.0, =0.4.0, =0.4.0-dev.19 Source cves: CVE-2025-54888 Source advisory: OSV:GHSA-6JCC-XGCR-Q3H4...
@fedify/botkit (>=0.3.0-dev.125 <=0.3.0-dev.131) potentially affected by CVE-2025-54888 via @fedify/fedify (=1.8.1-dev.1262)
@fedify/fedify NPM version =1.8.1-dev.1262 is affected by a known vulnerability. The following packages have a transitive dependency on @fedify/fedify and may be impacted: - @fedify/botkit =0.3.0-dev.125, =0.3.0-dev.131 Source cves: CVE-2025-54888 Source advisory: OSV:GHSA-6JCC-XGCR-Q3H4...
@fedify/fedify has Improper Authentication and Incorrect Authorization
Summary An authentication bypass vulnerability allows any unauthenticated attacker to impersonate any ActivityPub actor by sending forged activities signed with their own keys. Activities are processed before verifying the signing key belongs to the claimed actor, enabling complete actor...
Hollo 安全漏洞
Hollo is a micro-blogging software from Fedify Open Source. A security vulnerability exists in versions of Hollo prior to 0.6.5 that stems from allowing submission of HTML form elements, which may result in HTML injection...
Server-Side Request Forgery (SSRF)
Fedify is vulnerable to Server-Side Request Forgery SSRF. The vulnerability is due to improper validation of the Webfinger mechanism, allowing attackers to perform GET requests to internal resources, cause denial of service via infinite loops, or execute blind SSRF attacks...
GHSA-C59P-WQ67-24WX Infinite loop and Blind SSRF found inside the Webfinger mechanism in @fedify/fedify
Summary This vulnerability allows a user to maneuver the Webfinger mechanism to perform a GET request to any internal resource on any Host, Port, URL combination regardless of present security mechanisms, and forcing the victim’s server into an infinite loop causing Denial of Service. Moreover,...