Description
Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Fedify previously addressed SSRF/internal network access in GHSA-p9cg-vqcc-grcx by adding public URL validation before runtime document and media fetching. However, the IPv4 validation logic present starting in version 0.11.2 and prior to versions 1.9.12, 1.10.11, 2.0.19, 2.1.15, and 2.2.4 appears incomplete. The `validatePublicUrl()` protection relies on `isValidPublicIPv4Address()` to reject non-public IPv4 destinations. The function blocks common private and local ranges such as `10.0.0.0/8`, `127.0.0.0/8`, `169.254.0.0/16`, `172.16.0.0/12`, and `192.168.0.0/16`, but it still treats several special-use, reserved, multicast, benchmarking, and carrier-grade NAT IPv4 ranges as valid public destinations. Because this validation is used as an SSRF defense before outbound fetches, this appears to be an incomplete mitigation or bypass class for the previous SSRF issue. Versions 1.9.12, 1.10.11, 2.0.19, 2.1.15, and 2.2.4 contain an updated patch.
Published: 2026-06-10
Score: 8.6 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Fedify is a TypeScript library for federated server applications. Before it fetches remote documents and media at runtime it validates that the destination is a public URL, a check introduced to stop SSRF. The validator relies on an IPv4 routine that blocks the common private and local ranges but accepts several special-use, reserved, multicast, benchmarking and carrier-grade NAT ranges as public destinations. An attacker who can supply a URL that the server will fetch can therefore direct requests at addresses in those ranges, which deployments commonly use for internal or non-routable traffic, and so reach services that the blocked ranges were meant to shield. The likely outcomes are exposure of internal services, credentials or data, and a pivot point for further access. The issue applies wherever the library makes outbound HTTP(S) requests on the basis of externally supplied URLs.

Affected Systems

The affected products are fedify and vocab-runtime from fedify-dev. Versions from 0.11.2 up to, but excluding, the patched releases 1.9.12, 1.10.11, 2.0.19, 2.1.15 and 2.2.4 contain the flaw. Users on any affected release line should move to the corresponding patched version, which carries the corrected IP-range validation.

Risk and Exploitability

The CVSS 3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L) indicates high severity: the flaw is reachable over the network with no privileges or user interaction, and the main impact is on confidentiality. EPSS is not available and the CVE is not in KEV. Exploitation requires that the application fetch attacker-influenced URLs, which is routine for a federated ActivityPub server since remote documents and media are fetched by design, so any exposed fetch path is a candidate. An attacker who can control or inject such URLs can use the bypass to send requests to hosts in the unblocked ranges, enabling data exfiltration from internal services and further lateral movement. The incomplete validation remains an SSRF risk until a patched version is deployed.

Generated by OpenCVE AI on June 10, 2026 at 22:57 UTC.

Remediation

Fixed in fedify 1.9.12, 1.10.11, 2.0.19, 2.1.15 and 2.2.4 (see the description above). No separate vendor workaround is listed.

OpenCVE Recommended Actions

  • Upgrade fedify and vocab-runtime to the patched release of the line in use (1.9.12, 1.10.11, 2.0.19, 2.1.15 or 2.2.4) or later, which contains the corrected IP-range validation.
  • Until the upgrade is in place, restrict the application server's outbound traffic to an allowlist of trusted destinations, or route fetches through an egress proxy that enforces the same policy.
  • Validate URLs before handing them to the library, rejecting every IANA special-purpose IPv4 range (not only the RFC 1918 and loopback ranges), and apply the check to the addresses a hostname resolves to, not just to the hostname string.
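The mechanism described in the Impact section and the last recommended action above, as an added TypeScript example. This is illustrative code written for this page, not Fedify's own `isValidPublicIPv4Address()` or `validatePublicUrl()`. The first checker reproduces the shape of the incomplete mitigation (only the five ranges the advisory lists); the second is built from the IANA IPv4 special-purpose address registry (RFC 6890 and the RFCs it cites). The function names, the CIDR lists and the URL gate are this example's own assumptions; the gate handles IPv4 literals only, and a real deployment must also check every address a hostname resolves to.

```typescript
// Added illustration for this page, not Fedify's code.
// Contrasts a private-range-only IPv4 check (the shape of the incomplete
// mitigation) with one built from the IANA special-purpose registry.

type Cidr = { base: number; bits: number };

// Dotted-quad string -> unsigned 32-bit number, or null if malformed.
function ipv4ToInt(ip: string): number | null {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return null;
  let v = 0;
  for (let i = 1; i <= 4; i++) {
    const s = m[i] ?? "";
    if (s.length > 1 && s[0] === "0") return null; // reject ambiguous leading zeros
    const octet = Number(s);
    if (octet > 255) return null;
    v = v * 256 + octet; // arithmetic, not `<<`, to stay unsigned
  }
  return v;
}

function parseCidr(cidr: string): Cidr {
  const slash = cidr.indexOf("/");
  const base = slash < 0 ? null : ipv4ToInt(cidr.slice(0, slash));
  const bits = Number(cidr.slice(slash + 1));
  if (base === null || !Number.isInteger(bits) || bits < 0 || bits > 32) {
    throw new Error(`bad CIDR: ${cidr}`);
  }
  return { base, bits };
}

function inCidr(addr: number, { base, bits }: Cidr): boolean {
  // JS shift counts are taken mod 32, so /0 needs its own case.
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((addr & mask) >>> 0) === ((base & mask) >>> 0);
}

// The five ranges the advisory says the incomplete check rejected.
const PRIVATE_ONLY: Cidr[] = [
  "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
].map(parseCidr);

// IANA IPv4 special-purpose address registry (RFC 6890 family), plus
// multicast and the reserved block (which contains the broadcast address).
const NON_PUBLIC: Cidr[] = [
  "0.0.0.0/8",       // "this" network (RFC 791)
  "10.0.0.0/8",      // private (RFC 1918)
  "100.64.0.0/10",   // shared address space / carrier-grade NAT (RFC 6598)
  "127.0.0.0/8",     // loopback
  "169.254.0.0/16",  // link-local (RFC 3927)
  "172.16.0.0/12",   // private (RFC 1918)
  "192.0.0.0/24",    // IETF protocol assignments (RFC 6890)
  "192.0.2.0/24",    // TEST-NET-1 (RFC 5737)
  "192.88.99.0/24",  // former 6to4 relay anycast (RFC 7526)
  "192.168.0.0/16",  // private (RFC 1918)
  "198.18.0.0/15",   // benchmarking (RFC 2544)
  "198.51.100.0/24", // TEST-NET-2 (RFC 5737)
  "203.0.113.0/24",  // TEST-NET-3 (RFC 5737)
  "224.0.0.0/4",     // multicast
  "240.0.0.0/4",     // reserved, includes 255.255.255.255
].map(parseCidr);

// Shape of the incomplete mitigation: only well-known private/local ranges.
function isPublicIPv4Incomplete(ip: string): boolean {
  const addr = ipv4ToInt(ip);
  return addr !== null && !PRIVATE_ONLY.some((c) => inCidr(addr, c));
}

// Registry-based check: anything special-purpose is not a public destination.
function isPublicIPv4(ip: string): boolean {
  const addr = ipv4ToInt(ip);
  return addr !== null && !NON_PUBLIC.some((c) => inCidr(addr, c));
}

// Addresses the incomplete check lets through that the full check rejects.
function bypassAddresses(candidates: string[]): string[] {
  return candidates.filter((ip) => isPublicIPv4Incomplete(ip) && !isPublicIPv4(ip));
}

// Hypothetical pre-fetch gate for a URL whose host is an IPv4 literal.
// Uses the WHATWG-parsed hostname so hex/decimal forms such as
// http://0x7f000001/ are already normalised to 127.0.0.1. Returns null for
// DNS names: those must be resolved and every resolved address checked.
function ipv4LiteralIsPublic(url: string): boolean | null {
  const host = new URL(url).hostname;
  if (ipv4ToInt(host) === null) return null;
  return isPublicIPv4(host);
}
```

Checking the parsed `hostname` rather than the raw URL string matters because the URL parser accepts hex, octal and single-number IPv4 forms; a check applied to the raw string would miss them. For DNS names the same check has to run on the resolved addresses, and the address that was checked should be the one actually connected to, otherwise a rebinding attacker can pass validation with one answer and connect with another.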

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 21:00:00 +0000

Values added (no values removed):

Description: Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Fedify previously addressed SSRF/internal network access in GHSA-p9cg-vqcc-grcx by adding public URL validation before runtime document and media fetching. However, the IPv4 validation logic present starting in version 0.11.2 and prior to versions 1.9.12, 1.10.11, 2.0.19, 2.1.15, and 2.2.4 appears incomplete. The `validatePublicUrl()` protection relies on `isValidPublicIPv4Address()` to reject non-public IPv4 destinations. The function blocks common private and local ranges such as `10.0.0.0/8`, `127.0.0.0/8`, `169.254.0.0/16`, `172.16.0.0/12`, and `192.168.0.0/16`, but it still treats several special-use, reserved, multicast, benchmarking, and carrier-grade NAT IPv4 ranges as valid public destinations. Because this validation is used as an SSRF defense before outbound fetches, this appears to be an incomplete mitigation or bypass class for the previous SSRF issue. Versions 1.9.12, 1.10.11, 2.0.19, 2.1.15, and 2.2.4 contain an updated patch.
Title: Fedify has an incomplete SSRF mitigation after GHSA-p9cg-vqcc-grcx: validatePublicUrl allows special-use IPv4 ranges
Weaknesses: CWE-1286, CWE-1389, CWE-918
References: none
Metrics: cvssV3_1 {'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-10T20:27:43.370Z

Reserved: 2026-06-03T18:49:32.275Z

Link: CVE-2026-50131

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-10T22:17:01.543

Modified: 2026-06-10T22:17:01.543

Link: CVE-2026-50131

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T23:00:20Z