@hollo@hollo.social

In related news, has also released updates: 0.3.6 & 0.4.4. Update now!

https://hollo.social/@fedify/01948487-87b2-709d-953f-8799b78433ed

We have released #security updates ([1.0.14], [1.1.11], [1.2.11], [1.3.4]) to address [CVE-2025-23221], a #vulnerability in #Fedify's #WebFinger implementation. We recommend all users update to the latest version of their respective release series immediately.

[1.0.14]: https://github.com/dahlia/fedify/releases/tag/1.0.14
[1.1.11]: https://github.com/dahlia/fedify/releases/tag/1.1.11
[1.2.11]: https://github.com/dahlia/fedify/releases/tag/1.2.11
[1.3.4]: https://github.com/dahlia/fedify/releases/tag/1.3.4
[CVE-2025-23221]: https://github.com/dahlia/fedify/security/advisories/GHSA-c59p-wq67-24wx

## The Vulnerability

A security researcher identified multiple security issues in Fedify's `lookupWebFinger()` function that could be exploited to:

- Perform denial of service attacks through infinite redirect loops
- Execute server-side request forgery (#SSRF) attacks via redirects to private network addresses
- Access unintended URL schemes through redirect manipulation

## Fixed Versions

- 1.3.x series: Update to [1.3.4]
- 1.2.x series: Update to [1.2.11]
- 1.1.x series: Update to [1.1.11]
- 1.0.x series: Update to [1.0.14]

## Changes

The security updates implement the following fixes:

1. Added a maximum redirect limit (5) to prevent infinite redirect loops
2. Restricted redirects to only follow the same scheme as the original request (HTTP/HTTPS)
3. Blocked redirects to private network addresses to prevent SSRF attacks

## How to Update

To update to the latest secure version:

```sh
# For npm users
npm update @fedify/fedify

# For Deno users
deno add jsr:@fedify/fedify
```

We thank the security researcher who responsibly disclosed this vulnerability, allowing us to address these issues promptly.

For more details about this vulnerability, please refer to our [security advisory][CVE-2025-23221].

---

If you have any questions or concerns, please don't hesitate to reach out through our [GitHub Discussions](https://github.com/dahlia/fedify/discussions), join our [Matrix chat space](https://matrix.to/#/#fedify:matrix.org), or our [Discord server](https://discord.gg/bhtwpzURwd).

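The three fixes listed under "Changes" (a redirect cap of 5, same-scheme-only redirects, no private-network targets), as an added illustration that is not Fedify's own code: a redirect policy for a WebFinger lookup that runs offline against a constructed response table. The hostnames (`a.example`, `loop.example`, `meta.example`, and so on), the response table and the `nextHop`/`followRedirects`/`lookup` helper names are assumptions made for this example; the private-address check covers IP literals only, so a real client must also validate the addresses a hostname resolves to.

```typescript
type Reply = { status: number; location?: string };
const MAX_REDIRECTS = 5;
// True for loopback, link-local, unique-local and RFC 1918 literals (IPv4, IPv6,
// IPv4-mapped IPv6). Names return false: also check what DNS resolves them to.
function isPrivateAddress(host: string): boolean {
  const h = host.replace(/^\[|\]$/g, "").toLowerCase();
  if (h === "localhost") return true;
  if (h.startsWith("::ffff:")) { // IPv4-mapped, dotted or hex form (URL serializes hex)
    const rest = h.slice(7);
    if (rest.includes(".")) return isPrivateAddress(rest);
    const [hi, lo] = rest.split(":").map((x) => parseInt(x, 16));
    return isPrivateAddress(`${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`);
  }
  if (h.includes(":")) return h === "::1" || h === "::" || /^f[cd]/.test(h) || h.startsWith("fe80:");
  const m = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/.exec(h); if (!m) return false;
  const [a, b] = [Number(m[1]), Number(m[2])];
  return a === 0 || a === 10 || a === 127 || (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}
// Validates one redirect hop: hop budget, unchanged scheme, no private target.
function nextHop(current: URL, location: string, hops: number): URL {
  if (hops >= MAX_REDIRECTS) throw new Error("too many redirects");
  const target = new URL(location, current); // relative Location resolves against current
  if (target.protocol !== current.protocol) throw new Error(`scheme changed to ${target.protocol}`);
  if (isPrivateAddress(target.hostname)) throw new Error(`private target ${target.hostname}`);
  return target;
}
// Follows redirects via a caller-supplied request function so it runs offline.
function followRedirects(start: string, request: (u: URL) => Reply): URL {
  let url = new URL(start);
  for (let hops = 0; ; hops++) {
    const r = request(url);
    if (r.status < 300 || r.status > 399 || r.location === undefined) return url;
    url = nextHop(url, r.location, hops);
  }
}
// Constructed sample responses; no real servers are contacted.
const table: Record<string, Reply> = {
  "https://a.example/.well-known/webfinger?resource=acct:alice@a.example": { status: 302, location: "https://b.example/wf" },
  "https://b.example/wf": { status: 200 },
  "https://loop.example/": { status: 301, location: "https://loop.example/" },
  "https://down.example/": { status: 302, location: "http://down.example/" },
  "https://meta.example/": { status: 302, location: "https://169.254.169.254/latest/" },
};
// Returns "ok <final url>" or "rejected <reason>" for a starting URL.
function lookup(start: string): string {
  try { return `ok ${followRedirects(start, (u) => table[u.href] ?? { status: 404 }).href}`; }
  catch (e) { return `rejected ${(e as Error).message}`; }
}
```

Each of the three rejected cases in the table corresponds to one of the fixed issues: the loop exhausts the hop budget, the HTTPS-to-HTTP hop changes scheme, and the link-local metadata address is a private target.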
