CVE-2025-54590

Name of the Vulnerable Software and Affected Versions webfinger.js versions 2.8.0 and below

Description webfinger.js is a TypeScript-based WebFinger client used in browser and Node.js environments. The lookup function does not prevent access to localhost services, only checking for hosts that start with "localhost" and end with a port. This allows attackers to perform blind Server-Side Request Forgery (SSRF) attacks by sending GET requests with controlled host, path, and port parameters to query services on the instance's host or local network.

Recommendations Update to version 2.8.1 or later.