@fedify/vocab-runtime is vulnerable to Server-Side Request Forgery (SSRF)
Medium Risk
The validatePublicUrl() function in the document loader applies an incomplete denylist of non-public IP ranges when validating remote URLs. Several special-use IPv4 ranges are not rejected: shared address space (100.64.0.0/10), benchmarking (198.18.0.0/15), multicast (224.0.0.0/4), reserved (240.0.0.0/4) and documentation (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24). Neither are the IPv6 translation and tunneling prefixes NAT64 (64:ff9b::/96), Teredo (2001::/32) and 6to4 (2002::/16), each of which embeds an IPv4 address and so can carry a private target inside a v6 literal. A URL pointing at any of these addresses therefore passes the public-address check. Because the check runs before remote ActivityPub documents and keys are fetched, an attacker who can influence a fetched URL can bypass the private-network protection and reach internal or special-use network resources. The fix replaces the checks with CIDR-based matching that rejects these special-use IPv4 ranges and IPv6 tunneling prefixes.
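The following is an added illustration of a CIDR-based public-address check of the kind the fix describes; it is not @fedify/vocab-runtime's code, and the `validatePublicUrl` shown here only shares the advisory's function name. It assumes the URL host is an IP literal: a hostname must be resolved first and every resolved address checked with `isPublicAddress()`, and the connection must then be made to that same address so a DNS rebind cannot swap in a different one after the check. IPv4-mapped IPv6 addresses are unwrapped so the IPv4 list applies to them as well.

```javascript
// Added illustration, not @fedify/vocab-runtime's code: a CIDR denylist
// covering the special-use ranges the advisory names. Assumes the URL
// host is an IP literal (hostnames must be resolved and checked first).

function parseIPv4(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  let value = 0n;
  for (let i = 1; i <= 4; i++) {
    const octet = Number(m[i]);
    if (octet > 255) return null;
    value = (value << 8n) | BigInt(octet);
  }
  return { bits: 32, value };
}

function parseIPv6(s) {
  let str = s.toLowerCase();
  // Rewrite an embedded IPv4 tail (::ffff:127.0.0.1, 64:ff9b::10.0.0.1)
  // into two hex groups so the rest of the parser sees plain groups.
  const lastColon = str.lastIndexOf(":");
  if (lastColon !== -1 && str.includes(".", lastColon)) {
    const v4 = parseIPv4(str.slice(lastColon + 1));
    if (!v4) return null;
    const hi = (v4.value >> 16n).toString(16);
    const lo = (v4.value & 0xffffn).toString(16);
    str = `${str.slice(0, lastColon + 1)}${hi}:${lo}`;
  }
  const halves = str.split("::");
  if (halves.length > 2) return null;
  const head = halves[0] ? halves[0].split(":") : [];
  const tail = halves[1] ? halves[1].split(":") : [];
  const missing = 8 - head.length - tail.length;
  // "::" must stand for at least one zero group; without it all 8 are required.
  if (halves.length === 2 ? missing < 1 : missing !== 0) return null;
  const groups = [...head, ...Array(missing).fill("0"), ...tail];
  let value = 0n;
  for (const g of groups) {
    if (!/^[0-9a-f]{1,4}$/.test(g)) return null;
    value = (value << 16n) | BigInt(parseInt(g, 16));
  }
  return { bits: 128, value };
}

function parseAddress(s) {
  return s.includes(":") ? parseIPv6(s) : parseIPv4(s);
}

function parseCidr(cidr) {
  const [net, len] = cidr.split("/");
  const addr = parseAddress(net);
  const prefix = Number(len);
  if (!addr || !Number.isInteger(prefix) || prefix < 0 || prefix > addr.bits) {
    throw new Error(`bad CIDR: ${cidr}`);
  }
  const mask = prefix === 0
    ? 0n
    : ((1n << BigInt(prefix)) - 1n) << BigInt(addr.bits - prefix);
  return { bits: addr.bits, network: addr.value & mask, mask };
}

function inCidr(addr, c) {
  return addr.bits === c.bits && (addr.value & c.mask) === c.network;
}

// Non-public ranges. The commented IPv4 entries are the special-use blocks
// the advisory says were missed; the last three IPv6 entries are the NAT64,
// Teredo and 6to4 prefixes, each of which embeds an IPv4 address.
const BLOCKED = [
  "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
  "172.16.0.0/12", "192.0.0.0/24", "192.168.0.0/16",
  "100.64.0.0/10",                                   // shared address space (RFC 6598)
  "198.18.0.0/15",                                   // benchmarking (RFC 2544)
  "192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24", // documentation (RFC 5737)
  "224.0.0.0/4",                                     // multicast
  "240.0.0.0/4",                                     // reserved, incl. 255.255.255.255
  "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8", "2001:db8::/32",
  "64:ff9b::/96",                                    // NAT64 (RFC 6052)
  "2001::/32",                                       // Teredo (RFC 4380)
  "2002::/16",                                       // 6to4 (RFC 3056)
].map(parseCidr);
const V4_MAPPED = parseCidr("::ffff:0:0/96");

function isPublicAddress(ip) {
  const addr = parseAddress(ip);
  if (addr === null) return false; // unparsable: fail closed
  // Unwrap ::ffff:a.b.c.d so the IPv4 list applies to it as well.
  if (addr.bits === 128 && inCidr(addr, V4_MAPPED)) {
    const v4 = addr.value & 0xffffffffn;
    return isPublicAddress([24n, 16n, 8n, 0n].map((sh) => (v4 >> sh) & 0xffn).join("."));
  }
  return !BLOCKED.some((c) => inCidr(addr, c));
}

// Accepts only http(s) URLs whose host is a public IP literal. A hostname
// returns false here: resolve it, check each address, and connect to that
// exact address so DNS rebinding cannot swap it in after the check.
function validatePublicUrl(urlString) {
  let url;
  try { url = new URL(urlString); } catch { return false; }
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  // WHATWG URL parsing already canonicalises shorthand literals such as
  // 2130706433 or 0x7f.1 to 127.0.0.1 and wraps IPv6 hosts in brackets.
  const host = url.hostname.replace(/^\[|\]$/g, "");
  return parseAddress(host) !== null && isPublicAddress(host);
}
```

Parsing through `URL` before matching is deliberate: it collapses the integer, octal and hex spellings of an IPv4 literal that a string-prefix denylist would otherwise miss, while the BigInt CIDR match treats v4 and v6 uniformly instead of relying on a hand-written list of prefixes.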
You are affected if you are using a version that falls within the vulnerable range.
@fedify/vocab-runtime is vulnerable to Server-Side Request Forgery (SSRF) in versions 2.0.0 - 2.0.18, 2.1.0 - 2.1.14 and 2.2.0 - 2.2.3.
Upgrade the @fedify/vocab-runtime library to a patched release, i.e. a version outside the affected ranges above.