CVE-2024-39687, a vulnerability that could potentially allow a Server Side Request Forgery (SSRF) attack, was discovered in Fedify, and a security patch has been applied to fix it. The patched versions are 0.9.2, 0.10.1, and 0.11.1, respectively. If you are using an earlier version, please update as soon as possible.

Thanks to @thisismissem for reporting the vulnerability!

Release Fedify 0.11.1 · dahlia/fedify

Released on July 5, 2024. Fixed a SSRF vulnerability in the built-in document loader. [CVE-2024-39687] The fetchDocumentLoader() function now throws an error when the given URL is not an HTTP or...
