#SSRF

Fediverse Test Suite

@[email protected]

To all you implementing protections in your applications...

We are all in favor of those protections. But!

Have a setting that lets projects like override it. Otherwise how can anybody test interop on anything other than on the public internet?

Mastodon has an ALLOWED_PRIVATE_ADDRESSES setting, which is one way of doing it. Or just have a setting with a default value of what's disabled, and let people override it. Or whatever.

But we need something ...

Fedify: an ActivityPub server framework

@[email protected]

We released 0.9.2, 0.10.1, and 0.11.1, which patched the last reported, CVE-2024-39687, but the vulnerability of SSRF attacks via DNS rebinding still exists, so we released Fedify 0.9.3, 0.10.2, and 0.11.2, which fixes it.

If you are using an earlier version, please update as soon as possible.

Thanks to @benaryorg for reporting the vulnerability!