CVE-2024-39687, a vulnerability that could potentially allow a Server Side Request Forgery (SSRF) attack, was discovered in #Fedify and a security patch has been applied to fix it. The patched versions are 0.9.2, 0.10.1, and 0.11.1, respectively. If you are using an earlier version, please update as soon as possible.

Thanks to @thisismissem for reporting the vulnerability!

@fedify users of Fedify still need to keep potential for SSRF in mind when requesting any URLs in Activities/Objects not through these APIs, e.g., when downloading media from a remote server for caching