CVE-2025-23221

Published Jan 20, 2025

Last updated a month ago

CVSS medium 5.4

Overview

Description
Fedify is a TypeScript library for building federated server apps powered by ActivityPub and other standards. This vulnerability allows a user to maneuver the Webfinger mechanism to perform a GET request to any internal resource on any Host, Port, URL combination regardless of present security mechanisms, and forcing the victim’s server into an infinite loop causing Denial of Service. Moreover, this issue can also be maneuvered into performing a Blind SSRF attack. This vulnerability is fixed in 1.0.14, 1.1.11, 1.2.11, and 1.3.4.
Source
security-advisories@github.com
NVD status
Received

Risk scores

CVSS 3.1

Type
Secondary
Base score
5.4
Impact score
2.7
Exploitability score
2.2
Vector string
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:L
Severity
MEDIUM

Weaknesses

security-advisories@github.com
CWE-835

Social media

Hype score
Not currently trending

  1. 🌐 Bulletin d'Actualité - 21/01/2025 🔗 https://t.co/sP30LsqPsn 🔒 Vulnérabilités : Drupal : XSS, contournement d’accès 🚨 CVE-2025-23221 : SSRF et DoS npm dans fedify ⚠️ ✨ Découvrir : CNIL sur les SDK 📱 D3FEND 1.0 MITRE. 🛡️ DORA en production ! #cybersecurite #BulletinCERT

    @CERT_Illicium

    22 Jan 2025

    4 Impressions

    1 Retweet

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  2. New post from https://t.co/uXvPWJy6tj (CVE-2025-23221 | dahlia fedify up to 1.0.13/1.1.10/1.2.10/1.3.3 infinite loop (GHSA-c59p-wq67-24wx)) has been published on https://t.co/ohJ2uAhgB8

    @WolfgangSesin

    20 Jan 2025

    17 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. New post from https://t.co/uXvPWJy6tj (CVE-2025-23221 | dahlia fedify up to 1.0.13/1.1.10/1.2.10/1.3.3 infinite loop (GHSA-c59p-wq67-24wx)) has been published on https://t.co/hvhDYC2DLI

    @WolfgangSesin

    20 Jan 2025

    17 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. CVE-2025-23221 Denial of Service and Blind SSRF in Fedify Library Prior to 1.3.4 https://t.co/P0gf7luSpT

    @VulmonFeeds

    20 Jan 2025

    56 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. CVE-2025-23221 Fedify is a TypeScript library for building federated server apps powered by ActivityPub and other standards. This vulnerability allows a user to maneuver the Webfing… https://t.co/dO88Oe90Id

    @CVEnew

    20 Jan 2025

    552 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

References