Vulnerability Description
Fedify is a TypeScript library for building federated server apps powered by ActivityPub and other standards. At present, when Fedify needs to retrieve an object or activity from a remote activitypub server, it makes a HTTP request to the `@id` or other resources present within the activity it has received from the web. This activity could reference an `@id` that points to an internal IP address, allowing an attacker to send request to resources internal to the fedify server's network. This applies to not just resolution of documents containing activities or objects, but also to media URLs as well. Specifically this is a Server Side Request Forgery attack. Users should upgrade to Fedify version 0.9.2, 0.10.1, or 0.11.1 to receive a patch for this issue.
CVSS Score
HIGH
Related Weaknesses (CWE)
References
- https://github.com/dahlia/fedify/commit/30f9cf4a175704a04c874f3ea88414c5f1e00b28
- https://github.com/dahlia/fedify/commit/c641e976089dd913f649889c1bfb016df04e86ba
- https://github.com/dahlia/fedify/security/advisories/GHSA-p9cg-vqcc-grcx
- https://github.com/dahlia/fedify/commit/30f9cf4a175704a04c874f3ea88414c5f1e00b28
- https://github.com/dahlia/fedify/commit/c641e976089dd913f649889c1bfb016df04e86ba
- https://github.com/dahlia/fedify/security/advisories/GHSA-p9cg-vqcc-grcx
FAQ
What is CVE-2024-39687?
CVE-2024-39687 is a vulnerability with a CVSS score of 7.2 (HIGH). Fedify is a TypeScript library for building federated server apps powered by ActivityPub and other standards. At present, when Fedify needs to retrieve an object or activity from a remote activitypub ...
How severe is CVE-2024-39687?
CVE-2024-39687 has been rated HIGH with a CVSS base score of 7.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-39687?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.