PT-2025-4859 · Fedify · Fedify

Nnfrog · Published 2025-01-20 · Updated 2025-01-21 · CVE-2025-23221

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:L
Name of the Vulnerable Software and Affected Versions

Fedify versions prior to 1.0.14
Fedify versions prior to 1.1.11
Fedify versions prior to 1.2.11
Fedify versions prior to 1.3.4
Description

The lookupWebFinger function, and getActorHandle, which wraps it, follow HTTP redirects with a custom implementation in lookupWebFingerInternal that neither bounds the number of hops nor validates where each redirect points. A remote party that controls the WebFinger endpoint (or any redirect in the chain) being looked up can therefore make the victim's Fedify server issue GET requests to an arbitrary Host, Port and Path combination, including internal resources that are not reachable from outside, regardless of other network controls in place. Two consequences follow: a redirect chain that never terminates (for example A -> B -> A) keeps the resolver busy indefinitely, causing Denial of Service, and a redirect to an internal address turns the resolver into a Blind SSRF primitive, since the attacker cannot read the response body but can still trigger the request. The attacker needs only to be the target of a lookup (for instance by getting a handle or actor ID they control passed to the affected functions); no authentication or user interaction is required, which matches the published CVSS vector (PR:N, UI:N, S:C).
Recommendations

Upgrade to a fixed release for the branch in use:
- Fedify versions prior to 1.0.14: update to 1.0.14 or later.
- Fedify versions prior to 1.1.11: update to 1.1.11 or later.
- Fedify versions prior to 1.2.11: update to 1.2.11 or later.
- Fedify versions prior to 1.3.4: update to 1.3.4 or later.

If upgrading is not immediately possible, do not call lookupWebFinger on untrusted input, restrict which callers can reach the getActorHandle wrapper, and avoid passing an attacker-supplied actorId into the affected API endpoint until the fixed version is deployed. Note that these are mitigations that reduce exposure, not a fix: any remaining code path that performs a WebFinger lookup on a remote host of the attacker's choosing is still affected.

Tags: Exploit · Fix · DoS · Infinite Loop · SSRF


Weakness Enumeration

Related Identifiers

CVE-2025-23221
GHSA-C59P-WQ67-24WX

Affected Products

Fedify