CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L
AI Score
Confidence: Low
@fedify/fedify is vulnerable to Server Side Request Forgery (SSRF). The vulnerability is caused by making HTTP requests to internal IP addresses referenced in received activities or media URLs, which allows an attacker to send requests to resources within the Fedify server’s internal network.
github.com/dahlia/fedify/blob/main/runtime/docloader.ts#L141
github.com/dahlia/fedify/blob/main/runtime/docloader.ts#L175
github.com/dahlia/fedify/commit/30f9cf4a175704a04c874f3ea88414c5f1e00b28
github.com/dahlia/fedify/commit/c641e976089dd913f649889c1bfb016df04e86ba
github.com/dahlia/fedify/releases/tag/0.11.1
github.com/dahlia/fedify/security/advisories/GHSA-p9cg-vqcc-grcx