CVE-2026-50131

HIGH EPSS 18.5%
Published Jun 10, 2026 (3w ago) · Modified Jun 17, 2026 (2w ago)
CVSS 3.1: 8.6 (High)

Description

Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Fedify previously addressed SSRF/internal network access in GHSA-p9cg-vqcc-grcx by adding public URL validation before runtime document and media fetching. However, the IPv4 validation logic present starting in version 0.11.2 and prior to versions 1.9.12, 1.10.11, 2.0.19, 2.1.15, and 2.2.4 appears incomplete. The `validatePublicUrl()` protection relies on `isValidPublicIPv4Address()` to reject non-public IPv4 destinations. The function blocks common private and local ranges such as `10.0.0.0/8`, `127.0.0.0/8`, `169.254.0.0/16`, `172.16.0.0/12`, and `192.168.0.0/16`, but it still treats several special-use, reserved, multicast, benchmarking, and carrier-grade NAT IPv4 ranges as valid public destinations. Because this validation is used as an SSRF defense before outbound fetches, this appears to be an incomplete mitigation or bypass class for the previous SSRF issue. Versions 1.9.12, 1.10.11, 2.0.19, 2.1.15, and 2.2.4 contain an updated patch.

CVSS Details

Base Score: 8.6
Exploitability: 3.9
Impact: 4.7
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: Low
Availability: Low

Threat Intelligence

EPSS Exploit Probability: 18.5% percentile
Exploit & Patch Status: No Known Exploit; No Patch Available

Weaknesses 3

CWE-1286
CWE-1389
CWE-918 Server-Side Request Forgery (SSRF) Validation

References 1

  • github.com https://github.com/fedify-dev/fedify/security/advisories/GHSA-xw9q-2mv6-9fr8

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.