@fedify/fedify@0.9.1 vulnerabilities

An ActivityPub server framework

  • latest version

    1.3.5

  • first published

    10 months ago

  • latest version published

    6 days ago

  • Direct Vulnerabilities

    Known vulnerabilities in the @fedify/fedify package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability / Vulnerable Version

    • Medium severity: Infinite loop

    @fedify/fedify is an ActivityPub server framework.

    Affected versions of this package are vulnerable to an infinite loop in the WebFinger lookup. The lookup follows targets supplied by the remote side without bounding the number of steps or validating where they point, so a malicious WebFinger endpoint can keep the server looping indefinitely and can make it perform a GET request to any host, port and URL combination, including internal resources, regardless of the security mechanisms in place.

    How to fix Infinite loop?

    Upgrade @fedify/fedify to version 1.0.14, 1.1.11, 1.2.11, 1.3.4 or higher.

    <1.0.14 || >=1.1.0 <1.1.11 || >=1.2.0 <1.2.11 || >=1.3.0 <1.3.4
    • Medium severity: Server-Side Request Forgery (SSRF)

    @fedify/fedify is an ActivityPub server framework.

    Affected versions of this package are vulnerable to Server-Side Request Forgery (SSRF) through the fetch API when the DocLoader retrieves a document at runtime. A remote party can supply a URL that points at an internal IP address or another non-public URI, and the server fetches it, giving the attacker access to internal network resources. This is only exploitable if the server does not enforce strict URI validation that restricts outbound requests to public IP addresses; such validation has to check the address a hostname actually resolves to, not just the hostname as written.

    How to fix Server-Side Request Forgery (SSRF)?

    Upgrade @fedify/fedify to version 0.9.2, 0.10.1, 0.11.1 or higher.

    <0.9.2 || >=0.10.0 <0.10.1 || >=0.11.0 <0.11.1
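    The two advisories above call for the same pair of guards in any server that fetches URLs on behalf of remote data: an egress check that refuses non-public destinations, and a bounded lookup that applies that check on every hop so a redirecting endpoint can neither loop the server nor steer it at an internal address. The block below is an added example written for this page; it is not Fedify's own code and the names `isPublicUrl`, `isPublicAddress`, `boundedFetch` and the injected `transport` are hypothetical. DNS and HTTP are supplied as synchronous callbacks over constructed hosts and 203.0.113.0/24 documentation addresses so it runs offline; production code would use `dns.promises.lookup(host, { all: true })` and an async `fetch`, and would connect to the addresses it checked rather than resolving a second time.

```javascript
// Added example, not Fedify's code: egress validation for outbound fetches
// made on behalf of remote data, plus a hop-limited lookup that validates
// every hop. Network and DNS are injected so the example runs offline.

// Address blocks such a fetch must never reach: "this network", RFC 1918,
// CGNAT, loopback, link-local (this covers the 169.254.169.254 cloud
// metadata endpoint), multicast and reserved space.
const BLOCKED_V4 = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16],
  ["224.0.0.0", 4], ["240.0.0.0", 4],
];

function parseIPv4(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some((x) => x > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

function isPublicAddress(ip) {
  const v4 = parseIPv4(ip);
  if (v4 !== null) {
    return !BLOCKED_V4.some(([base, bits]) => {
      const mask = (0xffffffff << (32 - bits)) >>> 0;
      return ((v4 & mask) >>> 0) === ((parseIPv4(base) & mask) >>> 0);
    });
  }
  // Minimal IPv6 set: unspecified, loopback, unique-local fc00::/7, link-local
  // fe80::/10, and IPv4-mapped addresses in dotted or hex form (the WHATWG URL
  // parser serialises ::ffff:10.0.0.1 as ::ffff:a00:1).
  const v6 = ip.toLowerCase();
  if (v6 === "::" || v6 === "::1") return false;
  if (/^f[cd]/.test(v6) || /^fe[89ab]/.test(v6)) return false;
  const dotted = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/.exec(v6);
  if (dotted) return isPublicAddress(dotted[1]);
  const hex = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(v6);
  if (hex) {
    const hi = parseInt(hex[1], 16), lo = parseInt(hex[2], 16);
    return isPublicAddress(`${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`);
  }
  return true;
}

// resolvedAddresses: every address the caller resolved the hostname to. The
// caller must then connect to one of those same addresses; otherwise a
// DNS-rebinding server can pass this check and answer from 127.0.0.1 later.
function isPublicUrl(urlString, resolvedAddresses) {
  let url;
  try { url = new URL(urlString); } catch { return false; }
  if (url.protocol !== "https:" && url.protocol !== "http:") return false;
  // new URL() canonicalises literals such as 2130706433, 0x7f.1 or 127.1 to
  // 127.0.0.1, so the range check sees the real address, not an obfuscation.
  const host = url.hostname.replace(/^\[|\]$/g, "");
  if (host === "localhost" || host.endsWith(".localhost")) return false;
  if (parseIPv4(host) !== null || host.includes(":")) return isPublicAddress(host);
  if (!Array.isArray(resolvedAddresses) || resolvedAddresses.length === 0) return false;
  return resolvedAddresses.every(isPublicAddress);
}

// Follow a chain of lookups (e.g. WebFinger redirects) with a hop cap, a
// revisit check and the egress check on every hop, not just the first one.
// transport = { resolve(host) -> string[], fetch(url) -> { status, location?, body? } }
function boundedFetch(startUrl, transport, maxHops = 5) {
  const seen = new Set();
  let url = startUrl;
  for (let hop = 1; hop <= maxHops; hop++) {
    let host;
    try { host = new URL(url).hostname.replace(/^\[|\]$/g, ""); } catch { return { ok: false, reason: "bad-url", url }; }
    if (!isPublicUrl(url, transport.resolve(host))) return { ok: false, reason: "non-public", url };
    if (seen.has(url)) return { ok: false, reason: "loop", url };
    seen.add(url);
    const res = transport.fetch(url);
    if (res.status >= 300 && res.status < 400 && res.location) {
      url = new URL(res.location, url).href; // relative Location resolved against the current hop
      continue;
    }
    return { ok: true, url, body: res.body, hops: hop };
  }
  return { ok: false, reason: "too-many-hops", url };
}

// Constructed offline transport standing in for DNS and HTTP: hypothetical
// hosts and 203.0.113.0/24 documentation addresses, not real servers.
const demoTransport = {
  resolve: (host) => ({
    "example.com": ["203.0.113.5"],
    "evil.example": ["203.0.113.6"],
    "rebind.example": ["203.0.113.7", "10.0.0.8"], // one internal A record
  })[host] || [],
  fetch: (url) => ({
    "https://example.com/.well-known/webfinger": { status: 200, body: '{"subject":"acct:alice@example.com"}' },
    "https://evil.example/a": { status: 302, location: "/b" },
    "https://evil.example/b": { status: 302, location: "https://evil.example/a" },
    "https://evil.example/internal": { status: 302, location: "http://127.0.0.1:8080/admin" },
  })[url] || { status: 404 },
};
```

    Running `boundedFetch("https://evil.example/a", demoTransport)` stops with reason `loop` on the third hop, `boundedFetch("https://evil.example/internal", demoTransport)` stops with reason `non-public` at `http://127.0.0.1:8080/admin`, and `rebind.example` is refused because one of its resolved addresses is internal; the IPv6 and IPv4-mapped cases are the ones a literal-only check usually misses.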