VYPR
Medium severity (CVSS 5.4) · OSV Advisory · Published Jan 20, 2025 · Updated Apr 15, 2026

CVE-2025-23221

Description

Fedify is a TypeScript library for building federated server apps powered by ActivityPub and other standards. This vulnerability allows a user to manipulate the WebFinger mechanism into performing a GET request to any internal resource on any host, port and URL combination, regardless of the security mechanisms present, and to force the victim's server into an infinite loop, causing denial of service. Moreover, this issue can also be leveraged to perform a blind SSRF attack. This vulnerability is fixed in 1.0.14, 1.1.11, 1.2.11, and 1.3.4.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Ecosystem   Affected versions      Patched version
@fedify/fedify   npm         >= 1.0.13, < 1.0.14    1.0.14
@fedify/fedify   npm         >= 1.1.10, < 1.1.11    1.1.11
@fedify/fedify   npm         >= 1.2.10, < 1.2.11    1.2.11
@fedify/fedify   npm         >= 1.3.3, < 1.3.4      1.3.4
