PT-2025-6115 · Lemmy · Activitypub Federation

Nnfrog · Published 2025-01-23 · Updated 2025-02-11 · CVE-2025-25194

CVSS v3.1: 4.0 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Lemmy versions 0.19.8 and prior; activitypub federation versions 0.6.2 and prior.
Description: The vulnerability allows an unauthenticated user to bypass the hard-coded Webfinger URL template and the anti-localhost check, causing the server to issue an arbitrary GET request to a host, port and path of the attacker's choosing through a Webfinger request (Server-Side Request Forgery). The cause is insufficient server-side validation of the domain taken from the user-supplied identifier: because that value is inserted into the hard-coded URL without filtering, the attacker controls the request's host, port and path. The estimated number of potentially affected devices worldwide is not specified.
The Webfinger lookup takes a remote domain from a user-supplied identifier and queries that domain to check the account. The library attempts to prevent access to localhost, but the mechanism can be bypassed. The current anti-localhost implementation has several weaknesses: it does not resolve the domain supplied by the user, it uses a plain string comparison for the localhost check, and it filters only the literal localhost name, ignoring alternative loopback and private IP addresses and other sensitive hosts.
An adversary can abuse this in several ways: taking control of the request path and port by placing path or port characters in the domain portion of the identifier, bypassing the domain restriction with a name that resolves to an internal address (DNS), and bypassing it with a registered fully qualified domain name (FQDN) that resolves to a loopback or internal address.
Recommendations: For Lemmy versions 0.19.8 and prior, change the domain validation to resolve the domain and reject it if any resulting address is a loopback, private or otherwise invalid IP address. Filter the user's input for characters that cannot appear in a domain name. Verify that the request actually sent uses the intended path and port. Disable automatic HTTP redirect following in the HTTP client. For activitypub federation versions 0.6.2 and prior, apply the same changes to prevent Server-Side Request Forgery via Webfinger requests. At the time of writing, no version containing a fix for this vulnerability is known.
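The following is an added illustration, written for this page; it is not code from Lemmy or the activitypub-federation crate (both are Rust projects, hence the language). It places a weak check of the kind the advisory describes next to a hardened one that follows the recommendations above: a hostname character whitelist that rules out injected ports, paths and queries; rejection of IP literals; and a decision based on what the name resolves to rather than on the name. The resolver is injected so that the check can be exercised offline against a constructed DNS table (`constructed_dns`, with made-up records and hypothetical `.test` names); `system_resolve`, the URL template and all function names are assumptions made for the example.

```rust
use std::net::{IpAddr, Ipv4Addr, Ipv6Addr, ToSocketAddrs};

/// Weak check of the kind the advisory describes (illustrative, not the crate's
/// code): the domain half of `user@domain` is string-compared with "localhost",
/// then pasted into a fixed URL template, so ":port", "/path" and "?query" survive.
pub fn weak_webfinger_url(identifier: &str) -> Option<String> {
    let (_, domain) = identifier.rsplit_once('@')?;
    if domain == "localhost" {
        return None;
    }
    Some(format!("https://{domain}/.well-known/webfinger?resource=acct:{identifier}"))
}

/// Addresses a federating server must never fetch from: loopback, RFC 1918, link-local
/// (covers 169.254.169.254 cloud metadata), unspecified, broadcast, IPv6 loopback /
/// unique-local / link-local, and IPv4-mapped IPv6 forms of the above.
pub fn is_forbidden_ip(ip: IpAddr) -> bool {
    match ip {
        IpAddr::V4(v4) => {
            v4.is_loopback() || v4.is_private() || v4.is_link_local()
                || v4.is_unspecified() || v4.is_broadcast()
        }
        IpAddr::V6(v6) => {
            v6.is_loopback()
                || v6.is_unspecified()
                || (v6.segments()[0] & 0xfe00) == 0xfc00 // fc00::/7 unique local
                || (v6.segments()[0] & 0xffc0) == 0xfe80 // fe80::/10 link local
                || matches!(v6.to_ipv4_mapped(), Some(v4) if is_forbidden_ip(IpAddr::V4(v4)))
        }
    }
}

/// Hardened version following the advisory's recommendations. `resolve` is injected so
/// the logic runs offline against a constructed table; pass `system_resolve` in
/// production. The decision is made on what the name resolves to, never on the name.
pub fn hardened_webfinger_url<F>(identifier: &str, resolve: F) -> Result<String, &'static str>
where
    F: Fn(&str) -> Vec<IpAddr>,
{
    let (user, domain) = identifier.rsplit_once('@').ok_or("identifier is not user@domain")?;
    if user.is_empty() || !user.chars().all(|c| c.is_ascii_alphanumeric() || "._-".contains(c)) {
        return Err("user part contains disallowed characters");
    }
    // 1. Hostname whitelist: labels of [A-Za-z0-9-] joined by '.'. This alone excludes
    //    ':', '/', '?', '#' and '@', so port, path and query cannot be injected.
    let is_hostname = !domain.is_empty()
        && domain.len() <= 253
        && domain.split('.').all(|label| {
            !label.is_empty()
                && label.len() <= 63
                && !label.starts_with('-')
                && !label.ends_with('-')
                && label.chars().all(|c| c.is_ascii_alphanumeric() || c == '-')
        });
    if !is_hostname {
        return Err("domain contains characters not allowed in a hostname");
    }
    // 2. A bare IP literal is never a legitimate WebFinger host.
    if domain.parse::<IpAddr>().is_ok() {
        return Err("domain is an IP literal");
    }
    // 3. Resolve, and reject if *any* returned address is forbidden: a name mixing a
    //    public record with a loopback record is treated as hostile.
    let addrs = resolve(domain);
    if addrs.is_empty() {
        return Err("domain does not resolve");
    }
    if addrs.iter().any(|ip| is_forbidden_ip(*ip)) {
        return Err("domain resolves to a forbidden address");
    }
    Ok(format!("https://{domain}/.well-known/webfinger?resource=acct:{identifier}"))
}

/// Production resolver: system DNS through the standard library.
pub fn system_resolve(host: &str) -> Vec<IpAddr> {
    (host, 443).to_socket_addrs().map(|it| it.map(|sa| sa.ip()).collect()).unwrap_or_default()
}

/// Constructed DNS table (made-up records, hypothetical names) so the example runs offline.
pub fn constructed_dns(host: &str) -> Vec<IpAddr> {
    match host {
        "localhost" => vec![IpAddr::V4(Ipv4Addr::LOCALHOST)],
        "example.test" => vec![IpAddr::V4(Ipv4Addr::new(203, 0, 113, 10))],
        "rebind.test" => vec![IpAddr::V4(Ipv4Addr::new(203, 0, 113, 10)), IpAddr::V4(Ipv4Addr::new(127, 0, 0, 1))],
        "meta.test" => vec![IpAddr::V4(Ipv4Addr::new(169, 254, 169, 254))],
        "v6loop.test" => vec![IpAddr::V6(Ipv6Addr::LOCALHOST)],
        _ => vec![],
    }
}

fn main() {
    let ids = ["alice@example.test", "alice@localhost", "alice@127.0.0.1",
               "alice@localhost:8080/admin?x=", "alice@rebind.test", "alice@meta.test"];
    for id in ids {
        println!("{id:?}\n  weak:     {:?}\n  hardened: {:?}",
                 weak_webfinger_url(id), hardened_webfinger_url(id, constructed_dns));
    }
}
```

Running `main` shows the weak check letting `alice@localhost:8080/admin?x=` through as `https://localhost:8080/admin?x=/.well-known/webfinger?...`, which is exactly the path-and-port control the advisory describes, while the hardened check rejects it on the character whitelist before any network access. One caveat the code cannot remove on its own: step 3 resolves the name at validation time, and an HTTP client that resolves it again at connect time can be rebound to a different address in between. The client should therefore be pinned to the address that was validated (reqwest's `ClientBuilder::resolve` does this) and have redirect following disabled (`ClientBuilder::redirect(redirect::Policy::none())`), as the advisory recommends.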

Exploit: SSRF

Weakness Enumeration

Related Identifiers: BDU:2025-01591, CVE-2025-25194, GHSA-7723-35V7-QCXW

Affected Products: Lemmy, Activitypub Federation