Server-Side Request Forgery (SSRF)
webfinger.js is vulnerable to Server-Side Request Forgery (SSRF). The vulnerability is due to insufficient restriction on localhost access: the lookup function fails to block requests to local or internal network services, allowing attackers to craft requests targeting internal resources...
CVE-2025-54590
CVE-2025-54590 affects webfinger.js (TypeScript WebFinger client). In versions 2.8.0 and earlier, the lookup function did not block localhost access (only basic localhost checks), enabling blind SSRF via crafted host/port/path in user addresses. Affected environments include browser and Node.js. ...
CVE-2025-54590 webfinger.js is vulnerable to Blind SSRF attacks through localhost
webfinger.js is a TypeScript-based WebFinger client that runs in both browsers and Node.js environments. In versions 2.8.0 and below, the lookup function accepts user addresses for account checking. However, the ActivityPub specification requires preventing access to localhost services in...
webfinger.js code issue vulnerability
webfinger.js is a client-side library for querying WebFinger records, maintained by the individual developer Nick Jennings. A code issue vulnerability exists in webfinger.js version 2.8.0 and earlier; it stems from not blocking localhost access and could lead to a blind SSRF attack...
Server-side Request Forgery (SSRF)
Overview: webfinger.js is a client library to query WebFinger records. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the WebFinger class. An attacker can cause the server to send arbitrary GET requests to internal or external hosts, including localhost...
GHSA-8XQ3-W9FX-74RV webfinger.js Blind SSRF Vulnerability
Description: The lookup function takes a user address for checking accounts as a feature; however, as per section B.3 of the security considerations in the ActivityPub spec (https://www.w3.org/TR/activitypub/security-considerations), access to localhost services should be prevented while running in...
webfinger.js Blind SSRF Vulnerability
Description: The lookup function takes a user address for checking accounts as a feature; however, as per section B.3 of the security considerations in the ActivityPub spec (https://www.w3.org/TR/activitypub/security-considerations), access to localhost services should be prevented while running in...
CVE-2025-54590
| creationtimestamp | type | source |
|---|---|---|
| 2025-07-27 17:38:06+00:00 | published-proof-of-concept | https://github.com/silverbucket/webfinger.js/security/advisories/GHSA-8xq3-w9fx-74rv... |