PT-2024-28626 · Fedify · Fedify

Thisismissem · Published 2024-07-05 · Updated 2024-07-08 · CVE-2024-39687

CVSS v3.1: 7.2 High
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L
Name of the Vulnerable Software and Affected Versions: Fedify versions prior to 0.9.2, 0.10.1, or 0.11.1

Description: The issue is a Server-Side Request Forgery (SSRF). When Fedify needs to retrieve an object or activity from a remote ActivityPub server, it makes an HTTP request to the @id or other resources referenced in the activity it has received from the web. Such an activity can reference an @id that points to an internal IP address, allowing an attacker to make the Fedify server send requests to resources internal to its own network. This applies not only to the resolution of documents containing activities or objects, but also to media URLs.

Recommendations: To resolve the issue, upgrade to Fedify version 0.9.2, 0.10.1, or 0.11.1, which contain the patch. As a temporary workaround, restrict outbound access to internal IP addresses to minimize the risk of exploitation, restrict the fetch API so that it cannot issue requests to internal resources, and avoid using the @id parameter in the affected API endpoint until the issue is resolved.
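As an added example (not Fedify's own code; the function names and the https-only rule are assumptions), the kind of guard the workaround above calls for: it decides whether a URL taken from a received activity's @id or media field may be fetched, checking the addresses the resolver actually returned so that a hostname that later resolves to an internal address is refused as well as an IP literal.

```typescript
// Added example, not Fedify's code. The caller passes the addresses its resolver
// returned for the hostname, so the decision covers what will really be dialled.
// Parse a dotted-quad IPv4 literal into an unsigned 32-bit number, or null.
function ipv4ToNumber(ip: string): number | null {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// Loopback, private, link-local, CGNAT, "this network" and broadcast ranges.
function isInternalIPv4(ip: string): boolean {
  const n = ipv4ToNumber(ip);
  if (n === null) return true; // unparseable: refuse rather than guess
  const inCidr = (base: string, bits: number) =>
    (n >>> (32 - bits)) === ((ipv4ToNumber(base) as number) >>> (32 - bits));
  return inCidr("0.0.0.0", 8) || inCidr("10.0.0.0", 8) || inCidr("127.0.0.0", 8) ||
    inCidr("100.64.0.0", 10) || inCidr("169.254.0.0", 16) || inCidr("172.16.0.0", 12) ||
    inCidr("192.168.0.0", 16) || n === 0xffffffff;
}

// IPv6 (canonical compressed form): loopback, unspecified, ULA, link-local, v4-mapped.
function isInternalIPv6(ip: string): boolean {
  const a = ip.toLowerCase();
  const mapped = a.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/);
  if (mapped) return isInternalIPv4(mapped[1]);
  return a === "::1" || a === "::" || /^f[cd]/.test(a) || /^fe[89ab]/.test(a);
}

// Returns null when the fetch may proceed, otherwise the reason it is refused.
function rejectReason(rawUrl: string, resolvedAddresses: string[]): string | null {
  let url: URL | null = null;
  try { url = new URL(rawUrl); } catch { /* fall through to the null check */ }
  if (url === null) return "unparseable URL";
  if (url.protocol !== "https:") return "only https is fetched";
  const host = url.hostname.replace(/^\[|\]$/g, ""); // strip IPv6 brackets
  if (host === "localhost" || host.endsWith(".localhost")) return "localhost";
  const isLiteral = /^[\d.]+$/.test(host) || host.includes(":");
  const candidates = isLiteral ? [host, ...resolvedAddresses] : resolvedAddresses;
  if (candidates.length === 0) return "no resolved address";
  for (const addr of candidates) {
    const internal = addr.includes(":") ? isInternalIPv6(addr) : isInternalIPv4(addr);
    if (internal) return `resolves to internal address ${addr}`;
  }
  return null;
}
```

The resolved-address check matters because a hostname in an @id can be made to resolve to an internal address after any hostname-only validation has passed; the addresses passed in should be the ones the HTTP client will actually connect to.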

Weakness Enumeration: SSRF
Related Identifiers: CVE-2024-39687, GHSA-P9CG-VQCC-GRCX

Affected Products: Fedify