
CVE-2025-23221

MEDIUM  CVSS 3.1: 5.4  EPSS 0.11%
Updated Jan 20, 2025
Fedify

Parameter    Value
CVSS         5.4 (MEDIUM)
Fixed In     1.0.14
Type         CWE-835, CWE-918 (Server-Side Request Forgery (SSRF))
Vendor       Fedify
Public PoC   No

Fedify is a TypeScript library for building federated server apps powered by ActivityPub and other standards. This vulnerability allows a user to manipulate the WebFinger lookup mechanism so that the server issues a GET request to any internal resource on any host, port and URL combination, regardless of the security mechanisms in place, and to force the victim's server into an infinite loop, causing denial of service. The same issue can also be leveraged to perform a blind SSRF attack.

This vulnerability is fixed in 1.0.14, 1.1.11, 1.2.11, and 1.3.4.
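To make the two mitigations the advisory implies concrete (never fetch an attacker-chosen internal address, and never follow redirects without a bound), here is an added example that is not Fedify's own code: a WebFinger resolver that re-validates every URL it is about to fetch, rejects non-HTTPS schemes, explicit ports, embedded credentials and loopback, link-local or private literal addresses, and caps redirect following so a lookup can neither be steered to an internal resource nor spun in an endless redirect chain. It assumes a lookup for acct:user@host is served from https://host/.well-known/webfinger and takes an injected fetcher so it runs offline. The address checks only cover literal IPs in the URL; a real deployment must also validate the address that DNS actually resolves to (DNS rebinding), which this example does not do.

```typescript
// Added example, not Fedify's code. Assumptions: WebFinger for acct:user@host is served
// from https://host/.well-known/webfinger, only HTTPS on the default port is allowed,
// and responses come from an injected fetcher so the logic can run offline.
// Only literal addresses are checked; resolved DNS answers still need their own check.

export const MAX_REDIRECTS = 3;

export interface FakeResponse {
  status: number;
  location?: string; // Location header on a 3xx response
  body?: string;     // JRD document on a 200 response
}
export type Fetcher = (url: string) => FakeResponse;

/** True for loopback, link-local, RFC 1918 and ULA literals a server must never fetch. */
export function isPrivateHost(host: string): boolean {
  const h = host.replace(/^\[|\]$/g, "").toLowerCase(); // WHATWG URL keeps IPv6 brackets
  if (h === "localhost" || h.endsWith(".localhost")) return true;
  if (h === "::1" || h === "::") return true;
  if (/^fe[89ab][0-9a-f]:/.test(h) || /^f[cd][0-9a-f]{2}:/.test(h)) return true; // fe80::/10, fc00::/7
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(h);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return a === 0 || a === 10 || a === 127 ||
    (a === 169 && b === 254) || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

/** Reject anything that is not a plain public HTTPS URL on the default port. */
export function assertSafeUrl(raw: string): URL {
  const url = new URL(raw); // also normalizes tricks like 0x7f000001 to 127.0.0.1
  if (url.protocol !== "https:") throw new Error(`scheme not allowed: ${url.protocol}`);
  if (url.port !== "") throw new Error(`explicit port not allowed: ${url.port}`);
  if (url.username !== "" || url.password !== "") throw new Error("credentials not allowed");
  if (isPrivateHost(url.hostname)) throw new Error(`private host not allowed: ${url.hostname}`);
  return url;
}

/** Build the WebFinger URL from the host part of acct:user@host only. */
export function webFingerUrl(resource: string): string {
  const m = /^acct:([^@\s]+)@([^@\s/]+)$/.exec(resource);
  if (!m) throw new Error(`unsupported resource: ${resource}`);
  const url = assertSafeUrl(`https://${m[2]}/.well-known/webfinger`);
  url.searchParams.set("resource", resource);
  return url.toString();
}

/** Fetch the JRD document, re-validating every redirect target and bounding the hops. */
export function lookup(resource: string, fetcher: Fetcher): string {
  let url = webFingerUrl(resource);
  const seen = new Set<string>(); // catches A -> B -> A cycles before the hop limit
  for (let hop = 0; hop <= MAX_REDIRECTS; hop++) {
    if (seen.has(url)) throw new Error(`redirect loop at ${url}`);
    seen.add(url);
    const res = fetcher(url);
    if (res.status >= 300 && res.status < 400) {
      if (!res.location) throw new Error("redirect without Location header");
      // Resolve relative Locations against the current URL, then apply the same checks again.
      url = assertSafeUrl(new URL(res.location, url).toString()).toString();
      continue;
    }
    if (res.status !== 200 || res.body === undefined) throw new Error(`unexpected status ${res.status}`);
    return res.body;
  }
  throw new Error(`more than ${MAX_REDIRECTS} redirects`);
}
```

The important design point is that the redirect target goes through exactly the same validation as the initial URL: an SSRF filter that only checks the first hop is bypassed by a public host that answers with a Location pointing at an internal address, and a hop counter plus a visited set is what turns an attacker-controlled redirect chain into a bounded error instead of a hung worker.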

Attack Parameters

Attack Vector: Network (can be exploited remotely)
Attack Complexity: High (difficult to exploit)
Privileges Required: None (no privileges needed)
User Interaction: None (no user interaction needed)

Impact Assessment

Confidentiality: Low (partial data leak)
Integrity: None (no data modification)
Availability: Low (partial disruption)

CVSS Vector v3.1
