EPSS Exploitation Probability
EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.
Blast Radius
webfinger.jsReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects npm packages — download data is not available via public APIs for these ecosystems.
Description
Description
The lookup function takes a user address for checking accounts as a feature, however, as per the ActivityPub spec (https://www.w3.org/TR/activitypub/#security-considerations), on the security considerations section at B.3, access to Localhost services should be prevented while running in production. The library does not prevent Localhost access (neither does it prevent LAN addresses such as 192.168.x.x) , thus is not safe for use in production by ActivityPub applications. The only check for localhost is done for selecting between HTTP and HTTPS protocols, and it is done by testing for a host that starts with the string “localhost” and ends with a port. Anything else (such as “127.0.0.1” or “localhost:1234/abc”) would not be considered localhost for this test.
In addition, the way that the function determines the host, makes it possible to access any path in the host, not only “/.well-known/...” paths:
if (address.indexOf('://') > -1) {
// other uri format
host = address.replace(/ /g,'').split('/')[2];
} else {
// useraddress
host = address.replace(/ /g,'').split('@')[1];
}
var uri_index = 0; // track which URIS we've tried already
var protocol = 'https'; // we use https by default
if (self.__isLocalhost(host)) {
protocol = 'http';
}
function __buildURL() {
var uri = '';
if (! address.split('://')[1]) {
// the URI has not been defined, default to acct
uri = 'acct:';
}
return protocol + '://' + host + '/.well-known/' +URIS[uri_index] + '?resource=' + uri + address;
}
If the address is in the format of a user address ([email protected]), the host will be anything after the first found @ symbol. Since no other test is done, an adversary may pass a specially crafted address such as user@localhost:7000/admin/restricted_page? and reach pages that would normally be out of reach. In this example, the code would treat localhost:7000/admin/restricted_page? as the host, and the created URL would be https://localhost:7000/admin/restricted_page?/.well-known/webfinger?resource=acct:use r@localhost:7000/admin/restricted_page?. A server listening on localhost:7000 will then parse the request as a GET request for the page /admin/restricted_page with the query string /.well-known/webfinger?resource=acct:user@localhost:7000/admin/restricted_page?.
PoC and Steps to reproduce
This PoC assumes that there is a server on the machine listening on port 3000, which receives requests for WebFinger lookups on the address /api/v1/search_user, and then calls the lookup function in webfinger.js with the user passed as an argument. For the sake of the example we assume that the server configured webfinger.js with tls_only=false.
- Activate a local HTTP server listening to port 1234 with a “secret.txt” file:
python3 -m http.server 1234
- Run the following command:
curl
"http://localhost:3000/api/v1/search_user?search=user@localhost:1234/secret.txt
?"
- View the console of the Python’s HTTP server and see that a request for a “secret.txt?/.well-known/webfinger?resource=acct:user@localhost:1234/secret.txt ?” file was performed. This proves that we can redirect the URL to any domain and path we choose, including localhost and the internal LAN.
Impact
Due to this issue, any user can cause a server using the library to send GET requests with controlled host, path and port in an attempt to query services running on the instance’s host or local network, and attempt to execute a Blind-SSRF gadget in hope of targeting a known vulnerable local service running on the victim’s machine.
References
The vulnerability was discovered by Ori Hollander of the JFrog Vulnerability Research team.
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 📦npm | webfinger.js | all versions | 2.8.1 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for webfinger.js. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update webfinger.js to 2.8.1 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-8xq3-w9fx-74rv is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-8xq3-w9fx-74rv is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-8xq3-w9fx-74rv. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-8xq3-w9fx-74rv in your dependencies?
O3 detects GHSA-8xq3-w9fx-74rv across npm dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.