Fedify: an ActivityPub server framework

@[email protected]

CVE-2024-39687, a vulnerability that could potentially allow a Server Side Request Forgery (SSRF) attack, was discovered in Fedify, and a security patch has been applied to fix it. The patched versions are 0.9.2, 0.10.1, and 0.11.1, respectively. If you are using an earlier version, please update as soon as possible.

Thanks to @thisismissem for reporting the vulnerability!

Emelia 👸🏻

@[email protected] · Reply to Fedify: an ActivityPub server framework's post

@fedify users of Fedify still need to keep potential for SSRF in mind when requesting any URLs in Activities/Objects not through these APIs, e.g., when downloading media from a remote server for caching
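As an added illustration of the point in this reply (example code written here, not Fedify's own and not part of the thread): a check a server can run before it fetches media referenced by a remote Activity or Object outside the framework's fetching APIs. The `validateMediaUrl` and `Resolver` names and the injectable resolver are assumptions of this example, chosen so the check can be exercised offline.

```typescript
import { isIP } from "node:net";
import { lookup } from "node:dns/promises";

// Assumed resolver shape: injectable so the check can be tested without real DNS.
type Resolver = (host: string) => Promise<string[]>;

const defaultResolver: Resolver = async (host) =>
  (await lookup(host, { all: true })).map((r) => r.address);

// IPv4 ranges a fediverse server should never fetch media from (isIP() has
// already guaranteed a well-formed dotted quad before this is called).
function ipv4IsPrivate(ip: string): boolean {
  const [a, b] = ip.split(".").map(Number);
  return (
    a === 0 || a === 10 || a === 127 ||
    (a === 169 && b === 254) ||           // link-local, incl. cloud metadata endpoints
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    (a === 100 && b >= 64 && b <= 127) || // carrier-grade NAT
    a >= 224                              // multicast, reserved, broadcast
  );
}

// IPv6: loopback, unspecified, IPv4-mapped (dotted form), unique-local, link-local.
function ipv6IsPrivate(ip: string): boolean {
  const s = ip.toLowerCase();
  if (s === "::1" || s === "::") return true;
  if (s.startsWith("::ffff:") && isIP(s.slice(7)) === 4) return ipv4IsPrivate(s.slice(7));
  return /^(fc|fd|fe[89ab])/.test(s);
}

function isPrivateAddress(ip: string): boolean {
  const kind = isIP(ip);
  if (kind === 4) return ipv4IsPrivate(ip);
  if (kind === 6) return ipv6IsPrivate(ip);
  return true; // not an IP literal at all: treat as unsafe
}

// Rejects non-https schemes, embedded credentials, and any hostname whose
// resolved addresses include a non-public one. Returns the parsed URL on success.
async function validateMediaUrl(raw: string, resolve: Resolver = defaultResolver): Promise<URL> {
  const url = new URL(raw); // throws on malformed input
  if (url.protocol !== "https:") throw new Error(`refusing scheme ${url.protocol}`);
  if (url.username || url.password) throw new Error("credentials in URL");
  const host = url.hostname.replace(/^\[|\]$/g, ""); // strip IPv6 brackets
  const addrs = isIP(host) ? [host] : await resolve(host);
  if (addrs.length === 0) throw new Error(`no address for ${host}`);
  for (const ip of addrs) {
    if (isPrivateAddress(ip)) throw new Error(`${host} resolves to non-public ${ip}`);
  }
  return url;
}
```

The check has to be repeated on every redirect hop (fetch with `redirect: "manual"`) and the socket should connect to the address that was validated, otherwise a redirect or a DNS answer that changes between check and connect bypasses it.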