Researcher: Allouis (#30180de) · 53,635 · 8.7 CVSS total · Vulnerabilities: 1
PT-2025-32420 · CVSS 8.7 · 2025-08-08 · Fedify · Fedify · CVE-2025-54888
**Name of the Vulnerable Software and Affected Versions**

- Fedify versions prior to 1.3.20
- Fedify versions 1.4.0-dev.585 through 1.4.12
- Fedify versions 1.5.0-dev.636 through 1.5.4
- Fedify versions 1.6.0-dev.754 through 1.6.7
- Fedify versions 1.7.0-pr.251.885 through 1.7.8
- Fedify versions 1.8.0-dev.909 through 1.8.4

**Description**

An authentication bypass vulnerability allows an unauthenticated attacker to impersonate any ActivityPub actor by sending forged activities signed with their own keys. Activities are processed before verifying that the signing key belongs to the claimed actor, enabling complete actor impersonation across all Fedify instances.

The vulnerability exists in the `handleInboxInternal` function in `fedify/federation/handler.ts`, where activity processing occurs before authentication checks. Specifically, the `routeActivity()` function is called before the `doesActorOwnKey()` authentication check. This allows malicious activities to be processed even with a key mismatch.

**Recommendations**

- Update to Fedify version 1.3.20 or later.
- Update to Fedify version 1.4.13 or later.
- Update to Fedify version 1.5.5 or later.
- Update to Fedify version 1.6.8 or later.
- Update to Fedify version 1.7.9 or later.
- Update to Fedify version 1.8.5 or later.
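The ordering defect described above, as an added toy model that is not Fedify's code: `doesActorOwnKey`, `routeActivity`, the two inbox handlers and the key directory are hypothetical stand-ins, and the HTTP signature itself is assumed to have already verified against the key named by `keyId`. The fixed handler checks key ownership before any processing, which is the behaviour the patched versions restore.

```typescript
interface Activity { type: string; actor: string; object?: string }
interface SignedRequest { activity: Activity; keyId: string }

// Constructed key directory: which key ids each actor has published.
const KEY_OWNERS: Record<string, string[]> = {
  "https://alice.example/actor": ["https://alice.example/actor#main-key"],
  "https://mallory.example/actor": ["https://mallory.example/actor#main-key"],
};

// Stand-in for doesActorOwnKey(): the claimed actor must list the signing key
// among its own keys; a valid signature under someone else's key is not enough.
function doesActorOwnKey(actor: string, keyId: string): boolean {
  return (KEY_OWNERS[actor] ?? []).includes(keyId);
}

// Stand-in for routeActivity(): the application's side effects on an activity.
function routeActivity(activity: Activity, log: string[]): void {
  log.push(`${activity.type} from ${activity.actor}`);
}

// Vulnerable ordering as the advisory describes it: side effects run first,
// so the key mismatch is noticed only after the activity has been processed.
function handleInboxVulnerable(req: SignedRequest, log: string[]): boolean {
  routeActivity(req.activity, log);
  return doesActorOwnKey(req.activity.actor, req.keyId);
}

// Fixed ordering: reject (a real handler would answer 401) before processing.
function handleInboxFixed(req: SignedRequest, log: string[]): boolean {
  if (!doesActorOwnKey(req.activity.actor, req.keyId)) return false;
  routeActivity(req.activity, log);
  return true;
}

// Constructed samples: one request signed with Mallory's key but naming Alice
// as the actor, and one genuinely signed by Alice.
const forged: SignedRequest = {
  activity: { type: "Create", actor: "https://alice.example/actor", object: "note-1" },
  keyId: "https://mallory.example/actor#main-key",
};
const genuine: SignedRequest = {
  activity: { type: "Create", actor: "https://alice.example/actor", object: "note-2" },
  keyId: "https://alice.example/actor#main-key",
};

// Returns how many activities each handler let through to routeActivity().
function demo(): { vulnerableProcessed: number; fixedProcessed: number } {
  const vLog: string[] = [], fLog: string[] = [];
  handleInboxVulnerable(forged, vLog); // processed despite the mismatch
  handleInboxFixed(forged, fLog);      // rejected before any processing
  handleInboxFixed(genuine, fLog);     // processed normally
  return { vulnerableProcessed: vLog.length, fixedProcessed: fLog.length };
}
```

A regression check for the fix is the `forged` case: the log of side effects must stay empty whenever `doesActorOwnKey` returns false.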