@fedify/fedify 0.8.0-dev.152
@fedify/fedify has Improper Authentication and Incorrect Authorization
high severity CVE-2025-54888< 1.3.20
Summary
An authentication bypass vulnerability allows any unauthenticated attacker to impersonate any ActivityPub actor by sending forged activities signed with their own keys. Activities are processed before verifying the signing key belongs to the claimed actor, enabling complete actor impersonation across all Fedify instances
Details
The vulnerability exists in handleInboxInternal function in fedify/federation/handler.ts. The critical flaw is in the order of operations:
- Line 1712: routeActivity() is called first, which processes the activity (either immediately or by adding to queue)
- Line 1730: Authentication check (doesActorOwnKey) happens AFTER processing
// fedify/federation/handler.ts:1712-1750
const routeResult = await routeActivity({ // ← Activity processed here
context: ctx,
json,
activity,
recipient,
inboxListeners,
inboxContextFactory,
inboxErrorHandler,
kv,
kvPrefixes,
queue,
span,
tracerProvider,
});
if (
httpSigKey != null && !await doesActorOwnKey(activity, httpSigKey, ctx) // ← Auth check too late
) {
// Returns 401, but activity already processed
return new Response("The signer and the actor do not match.", {
status: 401,
headers: { "Content-Type": "text/plain; charset=utf-8" },
});
}
By the time the 401 response is returned, the malicious activity has already been processed or queued.
PoC
- Create an activity claiming to be from any actor:
const maliciousActivity = {
"@context": "https://www.w3.org/ns/activitystreams",
"type": "Create",
"actor": "https://victim.example.com/users/alice", // Impersonating victim
"object": {
"type": "Note",
"content": "This is a forged message!"
}
}
- Sign the HTTP request with attacker's key (not the victim's):
// Sign with attacker's key: https://attacker.com/users/eve#main-key
const signedRequest = await signRequest(request, attackerPrivateKey, attackerKeyId);
- Send to any Fedify inbox - the activity will be processed despite the key mismatch.
Impact
Type: Authentication Bypass / Actor Impersonation
Who is impacted: All Fedify instances and their users
Consequences: Allows complete impersonation of any ActivityPub actor, enabling:
- Sending fake posts/messages as any user
- Creating/removing follows as any user
- Boosting/sharing content as any user
- Complete compromise of federation trust model
The vulnerability affects all Fedify instances but does not propagate to other ActivityPub implementations (Mastodon, etc.) which properly validate before processing.
Server Side Request Forgery (SSRF) attack in Fedify
medium severity CVE-2024-39687< 0.9.2
Summary
At present, when Fedify needs to retrieve an object or activity from a remote activitypub server, it makes a HTTP request to the @id or other resources present within the activity it has received from the web. This activity could reference an @id that points to an internal IP address, allowing an attacker to send request to resources internal to the fedify server's network.
This applies to not just resolution of documents containing activities or objects, but also to media URLs as well.
Specifically this is a Server Side Request Forgery attack. You can learn more about SSRF attacks via CWE-918
Details
When Fedify makes a request at runtime via the DocLoader [1] [2], the fetch API does not first check the URI's to assert that it resolve to a public IP address. Additionally, any downstream software of Fedify that may fetch data from URIs contained within Activities or Objects maybe be at risk of requesting non-public resources, and storing those, exposing non-public information to the public.
Additionally, in many cases the URIs are not asserted to be either strictly HTTPS or HTTP protocols, which could lead to further attacks, and there is no check that the URI contains a hostname part. Whilst the fetch() specification may provide some safety here, along with underlying fetch implementations, there is still potential for attacks through using data: URIs, or just attacking some other protocol entirely, e.g., FTP or CalDav.
[1] https://github.com/dahlia/fedify/blob/main/runtime/docloader.ts#L141 [2] https://github.com/dahlia/fedify/blob/main/runtime/docloader.ts#L175
Deno-specific Attack Vectors
In Deno specifically, the fetch() API allows accessing local filesystem, I'm not sure how Deno's Permissions model may prevent attacks utilising file: URIs.
Fetch also supports fetching from file URLs to retrieve static files. For more info on static files, see the filesystem API documentation.
ActivityPub Security Considerations
This is also noted in the ActivityPub spec in Section B.3 Security Considerations, however, there it is more limited in scope.
Other Implementations
It may be acceptable to allow a server operator to allow access to given non-public IP addresses, for instance in Mastodon they allow requests to non-public IP addresses, i.e., localhost in development and those in the ALLOWED_PRIVATE_ADDRESSES environment variable.
PoC
I'm not sure a PoC is necessary given this is a reasonably well known vulnerability vector.
Impact
This impacts server operates, as resources that are internal to their network may find themselves being improperly accessed or potentially even attacked or exposed to the public.
Notes for resolution:
When implementing public IP address validation, be careful of CWE-1389 and CWE-1286 both of which recently caused a CVE to be filed against the popular node.js ip package, although this package was not originally intended for security purposes.
No license issues detected.
This package version has a license in the source code.
This package version is available.
This package version has not been yanked and is still available for usage.