#SSRF

To all you #developers implementing #SSRF protections in your #fediverse applications...

We are all in favor of those protections. But!

Have a setting that lets projects like #FediTest override it. Otherwise how can anybody test interop on anything other than on the public internet?

Mastodon has a ALLOWED_PRIVATE_ADDRESSES setting, which is one way of doing it. Or just have a setting with a default value of what's disabled, and let people override it. Or whatever.

But we need something ...

We released #Fedify 0.9.2, 0.10.1, and 0.11.1, which patched the last reported #vulnerability, CVE-2024-39687, but the vulnerability of SSRF attacks via DNS rebinding still exists, so we released Fedify 0.9.3, 0.10.2, and 0.11.2, which fixes it.

If you are using an earlier version, please update as soon as possible.

Thanks to @benaryorg for reporting the vulnerability!

#SSRF #security #fedidev