AIKIDO-2025-10539

@fedify/fedify is vulnerable to Improper Authentication

Improper AuthenticationCVE-2025-54888

High Risk

This Affects:

@fedify/fedify

0.0.1 - 1.3.19

Fixed in 1.3.20

1.4.0 - 1.4.12

Fixed in 1.4.13

1.5.0 - 1.5.4

Fixed in 1.5.5

1.6.0 - 1.6.7

Fixed in 1.6.8

1.7.0 - 1.7.8

Fixed in 1.7.9

1.8.0 - 1.8.4

Fixed in 1.8.5

TL;DR

Affected versions of this package are vulnerable to authentication bypass in the inbox handler, allowing unauthenticated attackers to impersonate any ActivityPub actor. The vulnerability arises because activity messages are processed before verifying that the HTTP Signature key belongs to the claimed actor. This flaw enables actor impersonation. The patched version mitigates the issue by performing authentication checks before processing activities.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

@fedify/fedify is vulnerable to Improper Authentication in versions 1.8.0 - 1.8.4, 1.7.0 - 1.7.8, 1.6.0 - 1.6.7, 1.5.0 - 1.5.4, 1.4.0 - 1.4.12 and 0.0.1 - 1.3.19.