PT-2025-32420 · Fedify · Fedify
Allouis
Published 2025-08-08 · Updated 2026-02-04 · CVE-2025-54888
CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Fedify versions prior to 1.3.20
Fedify versions 1.4.0-dev.585 through 1.4.12
Fedify versions 1.5.0-dev.636 through 1.5.4
Fedify versions 1.6.0-dev.754 through 1.6.7
Fedify versions 1.7.0-pr.251.885 through 1.7.8
Fedify versions 1.8.0-dev.909 through 1.8.4
Description
An authentication bypass vulnerability allows an unauthenticated attacker to impersonate any ActivityPub actor by sending forged activities signed with their own keys. Activities are processed before verifying the signing key belongs to the claimed actor, enabling complete actor impersonation across all Fedify instances. The vulnerability exists in the handleInboxInternal function in fedify/federation/handler.ts, where activity processing occurs before authentication checks. Specifically, the routeActivity() function is called before the doesActorOwnKey() authentication check. This allows malicious activities to be processed even with a key mismatch.
Recommendations
Update to Fedify version 1.3.20 or later.
Update to Fedify version 1.4.13 or later.
Update to Fedify version 1.5.5 or later.
Update to Fedify version 1.6.8 or later.
Update to Fedify version 1.7.9 or later.
Update to Fedify version 1.8.5 or later.
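The ordering problem from the description, as an added example that is not Fedify's code: a simplified inbox handler modelled with the ownership check after routing and then before it, plus a regression check that a rejected request leaves no side effects. All names and sample values here are hypothetical stand-ins (keyBelongsToActor for doesActorOwnKey(), route for routeActivity()).

```typescript
// Simplified model of an inbox handler. Not Fedify's code or API.
interface Activity { id: string; type: string; actor: string }
// Key whose HTTP signature verified, with the actor that publishes it.
interface VerifiedKey { keyId: string; owner: string }
interface Outcome { accepted: boolean; sideEffects: string[] }

// Stand-in for the ownership check: the verified key must belong to
// the actor the activity claims to come from.
function keyBelongsToActor(activity: Activity, key: VerifiedKey | null): boolean {
  return key !== null && key.owner === activity.actor;
}

// Stand-in for routing: records what an application listener would do.
function route(activity: Activity, sideEffects: string[]): void {
  sideEffects.push(`${activity.type} by ${activity.actor}`);
}

// Ordering described in the advisory: route first, check ownership after.
function handleCheckLast(activity: Activity, key: VerifiedKey | null): Outcome {
  const sideEffects: string[] = [];
  route(activity, sideEffects);
  return { accepted: keyBelongsToActor(activity, key), sideEffects };
}

// Corrected ordering: reject before any listener runs.
function handleCheckFirst(activity: Activity, key: VerifiedKey | null): Outcome {
  const sideEffects: string[] = [];
  if (!keyBelongsToActor(activity, key)) return { accepted: false, sideEffects };
  route(activity, sideEffects);
  return { accepted: true, sideEffects };
}

// Constructed sample: the signature is valid, but the key is published by
// a different actor than the one named in the activity.
const claimed: Activity = {
  id: "https://remote.example/activities/1",
  type: "Create",
  actor: "https://victim.example/users/alice",
};
const mismatchedKey: VerifiedKey = {
  keyId: "https://remote.example/users/other#main-key",
  owner: "https://remote.example/users/other",
};

// Regression check: a rejected request must leave no side effects.
function leaksOnReject(handler: (a: Activity, k: VerifiedKey | null) => Outcome): boolean {
  const out = handler(claimed, mismatchedKey);
  return !out.accepted && out.sideEffects.length > 0;
}
```

A check of this shape in an application's test suite confirms that the upgraded version rejects a key mismatch before any listener runs.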
Incorrect Authorization
Improper Authentication
Affected Products
Fedify