{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-54590", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-07-25T16:19:16.094Z", "datePublished": "2025-08-01T18:03:41.619Z", "dateUpdated": "2025-08-01T18:39:35.748Z"}, "containers": {"cna": {"title": "webfinger.js is vulnerable to Blind SSRF attacks through localhost", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/silverbucket/webfinger.js/security/advisories/GHSA-8xq3-w9fx-74rv", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/silverbucket/webfinger.js/security/advisories/GHSA-8xq3-w9fx-74rv"}, {"name": "https://github.com/silverbucket/webfinger.js/commit/b5f2f2c957297d25f4d76072963fccaee2e3095a", "tags": ["x_refsource_MISC"], "url": "https://github.com/silverbucket/webfinger.js/commit/b5f2f2c957297d25f4d76072963fccaee2e3095a"}, {"name": "https://github.com/silverbucket/webfinger.js/releases/tag/v2.8.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/silverbucket/webfinger.js/releases/tag/v2.8.1"}], "affected": [{"vendor": "silverbucket", "product": "webfinger.js", "versions": [{"version": "< 2.8.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-08-01T18:03:41.619Z"}, "descriptions": [{"lang": "en", "value": "webfinger.js is a TypeScript-based WebFinger client that runs in both browsers and Node.js environments. In versions 2.8.0 and below, the lookup function accepts user addresses for account checking. However, the ActivityPub specification requires preventing access to localhost services in production. This library does not prevent localhost access, only checking for hosts that start with \"localhost\" and end with a port. Users can exploit this by creating servers that send GET requests with controlled host, path, and port parameters to query services on the instance's host or local network, enabling blind SSRF attacks. This is fixed in version 2.8.1."}], "source": {"advisory": "GHSA-8xq3-w9fx-74rv", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-01T18:39:19.551343Z", "id": "CVE-2025-54590", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-01T18:39:35.748Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-54590", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-08-01T18:39:19.551343Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-01T18:39:23.350Z"}}], "cna": {"title": "webfinger.js is vulnerable to Blind SSRF attacks through localhost", "source": {"advisory": "GHSA-8xq3-w9fx-74rv", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "silverbucket", "product": "webfinger.js", "versions": [{"status": "affected", "version": "< 2.8.1"}]}], "references": [{"url": "https://github.com/silverbucket/webfinger.js/security/advisories/GHSA-8xq3-w9fx-74rv", "name": "https://github.com/silverbucket/webfinger.js/security/advisories/GHSA-8xq3-w9fx-74rv", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/silverbucket/webfinger.js/commit/b5f2f2c957297d25f4d76072963fccaee2e3095a", "name": "https://github.com/silverbucket/webfinger.js/commit/b5f2f2c957297d25f4d76072963fccaee2e3095a", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/silverbucket/webfinger.js/releases/tag/v2.8.1", "name": "https://github.com/silverbucket/webfinger.js/releases/tag/v2.8.1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "webfinger.js is a TypeScript-based WebFinger client that runs in both browsers and Node.js environments. In versions 2.8.0 and below, the lookup function accepts user addresses for account checking. However, the ActivityPub specification requires preventing access to localhost services in production. This library does not prevent localhost access, only checking for hosts that start with \"localhost\" and end with a port. Users can exploit this by creating servers that send GET requests with controlled host, path, and port parameters to query services on the instance's host or local network, enabling blind SSRF attacks. This is fixed in version 2.8.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-08-01T18:03:41.619Z"}}}, "cveMetadata": {"cveId": "CVE-2025-54590", "state": "PUBLISHED", "dateUpdated": "2025-08-01T18:39:35.748Z", "dateReserved": "2025-07-25T16:19:16.094Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-08-01T18:03:41.619Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "webfinger.js is a TypeScript-based WebFinger client that runs in both browsers and Node.js environments. In versions 2.8.0 and below, the lookup function accepts user addresses for account checking. However, the ActivityPub specification requires preventing access to localhost services in production. This library does not prevent localhost access, only checking for hosts that start with \"localhost\" and end with a port. Users can exploit this by creating servers that send GET requests with controlled host, path, and port parameters to query services on the instance's host or local network, enabling blind SSRF attacks. This is fixed in version 2.8.1."}, {"lang": "es", "value": "webfinger.js es un cliente WebFinger basado en TypeScript que funciona tanto en navegadores como en entornos Node.js. En las versiones 2.8.0 y anteriores, la funci\u00f3n de b\u00fasqueda acepta direcciones de usuario para la comprobaci\u00f3n de cuentas. Sin embargo, la especificaci\u00f3n ActivityPub exige impedir el acceso a los servicios del host local en producci\u00f3n. Esta biblioteca no impide el acceso al host local, sino que solo comprueba los hosts que empiezan por \"localhost\" y terminan con un puerto. Los usuarios pueden aprovechar esto creando servidores que env\u00eden solicitudes GET con par\u00e1metros de host, ruta y puerto controlados para consultar servicios en el host o la red local de la instancia, lo que permite ataques SSRF ciegos. Esto se ha corregido en la versi\u00f3n 2.8.1."}], "id": "CVE-2025-54590", "lastModified": "2025-08-04T15:06:15.833", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-08-01T18:15:55.577", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/silverbucket/webfinger.js/commit/b5f2f2c957297d25f4d76072963fccaee2e3095a"}, {"source": "security-advisories@github.com", "url": "https://github.com/silverbucket/webfinger.js/releases/tag/v2.8.1"}, {"source": "security-advisories@github.com", "url": "https://github.com/silverbucket/webfinger.js/security/advisories/GHSA-8xq3-w9fx-74rv"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{}