@botkit@hollo.social

BotKit security updates: 0.3.2 and 0.4.1

If you use BotKit, update to a patched release now. A private network protection bypass affects Fedify's remote document loading code, and BotKit, which depends on Fedify, is affected as well.

The validatePublicUrl() function in Fedify, which ensures resources aren't fetched from private or loopback addresses, failed to correctly identify certain IPv6 literals. Specifically, URLs with private IPv4 addresses encoded as IPv4-mapped IPv6 literals (e.g., http://[::ffff:127.0.0.1]/) could bypass the check.

This vulnerability could allow an attacker to provide a malicious URL that bypasses security checks, potentially allowing them to make the bot fetch internal resources or interact with services on the private network that should not be accessible from the public internet.
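Added example, not BotKit's or Fedify's own code and not how validatePublicUrl() is implemented: a URL host classifier that unmaps IPv4-mapped IPv6 literals before the private-range check, so the literal from the advisory is rejected. It handles both the dotted form and the hex form a WHATWG URL parser re-serializes it to; the range list and the classifyUrlHost() name are this example's own choices.

```javascript
// Classify a URL's host literal, unmapping IPv4-mapped IPv6 (::ffff:a.b.c.d, also
// re-serialized by URL parsers as ::ffff:xxxx:xxxx) before the private-range check.
// Only IP literals are classified; a DNS name must be resolved and each address checked.
const PRIVATE_V4 = [["0.0.0.0", 8], ["10.0.0.0", 8], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16]];

function v4ToInt(s) {                    // dotted quad -> unsigned 32-bit int, or null
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some((x) => x > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

function isPrivateV4(ip) {
  return PRIVATE_V4.some(([net, bits]) => (ip >>> (32 - bits)) === (v4ToInt(net) >>> (32 - bits)));
}

function v6ToWords(lit) {                // IPv6 literal -> eight 16-bit words, or null
  const halves = lit.split("::");
  if (halves.length > 2) return null;
  const toWords = (g) => {               // one group; an embedded dotted IPv4 yields two words
    if (g.includes(".")) { const ip = v4ToInt(g); return ip === null ? [NaN] : [ip >>> 16, ip & 0xffff]; }
    return /^[0-9a-f]{1,4}$/i.test(g) ? [parseInt(g, 16)] : [NaN];
  };
  const [head, tail = []] = halves.map((h) => (h === "" ? [] : h.split(":").flatMap(toWords)));
  const fill = 8 - head.length - tail.length;   // groups the "::" stands for
  if ([...head, ...tail].some(Number.isNaN) || (halves.length === 2 ? fill < 1 : fill !== 0)) return null;
  return [...head, ...Array(fill).fill(0), ...tail];
}

function isPrivateV6(w) {
  if (w.slice(0, 5).every((x) => x === 0) && w[5] === 0xffff)       // IPv4-mapped: check the IPv4
    return isPrivateV4(((w[6] << 16) | w[7]) >>> 0);
  if (w.slice(0, 7).every((x) => x === 0) && w[7] <= 1) return true; // :: and ::1
  return (w[0] & 0xfe00) === 0xfc00 || (w[0] & 0xffc0) === 0xfe80;   // fc00::/7, fe80::/10
}

// Returns "public", "private", "invalid", or "dns" (a name that still needs resolving).
function classifyUrlHost(urlString) {
  let host;
  try { host = new URL(urlString).hostname; } catch { return "invalid"; }
  if (host.startsWith("[")) {            // IPv6 literal; the parser keeps the brackets
    const w = v6ToWords(host.slice(1, -1));
    return w === null ? "invalid" : isPrivateV6(w) ? "private" : "public";
  }
  const v4 = v4ToInt(host);
  if (v4 !== null) return isPrivateV4(v4) ? "private" : "public";
  return "dns";
}
```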

All versions of BotKit up to 0.3.1 (in the 0.3.x branch) and 0.4.0 (in the 0.4.x branch) are affected. Patched releases are 0.3.2 and 0.4.1.

For BotKit 0.4.x, update @fedify/botkit:

npm  update  @fedify/botkit
yarn upgrade @fedify/botkit
pnpm update  @fedify/botkit
bun  update  @fedify/botkit
deno update  @fedify/botkit

For BotKit 0.3.x, update @fedify/botkit:

npm  update  @fedify/botkit@0.3.2
yarn upgrade @fedify/botkit@0.3.2
pnpm update  @fedify/botkit@0.3.2
bun  update  @fedify/botkit@0.3.2
deno update  @fedify/botkit@0.3.2

If you use other BotKit-related packages (e.g., @fedify/botkit-sqlite), update them as well. After updating, redeploy.

Thanks to Changkyun Kim (@me) for the report and responsible disclosure.

If anything is unclear, feel free to ask on GitHub Discussions or Matrix.
