Medium severity (CVSS 5.4) · OSV Advisory · Published Jan 20, 2025 · Updated Apr 15, 2026
CVE-2025-23221
Description
Fedify is a TypeScript library for building federated server apps powered by ActivityPub and other standards. The vulnerability lets a remote user steer Fedify's WebFinger lookup into issuing a GET request to an attacker-chosen host, port and path, including internal resources, regardless of the security checks that are present, and into an infinite loop that results in a denial of service. The same issue can also be used to perform a blind SSRF attack. It is fixed in 1.0.14, 1.1.11, 1.2.11, and 1.3.4.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| @fedify/fedify | npm | >= 1.0.13, < 1.0.14 | 1.0.14 |
| @fedify/fedify | npm | >= 1.1.10, < 1.1.11 | 1.1.11 |
| @fedify/fedify | npm | >= 1.2.10, < 1.2.11 | 1.2.11 |
| @fedify/fedify | npm | >= 1.3.3, < 1.3.4 | 1.3.4 |
Affected products
- Range: 0.1.0, 0.10.0, 0.11.0, …
References
- https://github.com/advisories/GHSA-c59p-wq67-24wx (GHSA, advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2025-23221 (GHSA, advisory)
- https://github.com/dahlia/fedify/commit/8be3c2038eebf4ae12481683a1e809b314be3151 (NVD, web)
- https://github.com/dahlia/fedify/commit/c505eb82fcd6b5b17174c6659c29721bc801ab9a (NVD, web)
- https://github.com/dahlia/fedify/commit/e921134dd5097586e4563ea80b9e8d1b5460a645 (NVD, web)
- https://github.com/dahlia/fedify/security/advisories/GHSA-c59p-wq67-24wx (NVD, web)