GHSA-p9cg-vqcc-grcx
HIGHServer Side Request Forgery (SSRF) attack in Fedify
EPSS Exploitation Probability
EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.
Blast Radius
@fedify/fedify📦@fedify/fedify📦@fedify/fedifyReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects npm packages — download data is not available via public APIs for these ecosystems.
Description
Summary
At present, when Fedify needs to retrieve an object or activity from a remote activitypub server, it makes a HTTP request to the @id or other resources present within the activity it has received from the web. This activity could reference an @id that points to an internal IP address, allowing an attacker to send request to resources internal to the fedify server's network.
This applies to not just resolution of documents containing activities or objects, but also to media URLs as well.
Specifically this is a Server Side Request Forgery attack. You can learn more about SSRF attacks via CWE-918
Details
When Fedify makes a request at runtime via the DocLoader [1] [2], the fetch API does not first check the URI's to assert that it resolve to a public IP address. Additionally, any downstream software of Fedify that may fetch data from URIs contained within Activities or Objects maybe be at risk of requesting non-public resources, and storing those, exposing non-public information to the public.
Additionally, in many cases the URIs are not asserted to be either strictly HTTPS or HTTP protocols, which could lead to further attacks, and there is no check that the URI contains a hostname part. Whilst the fetch() specification may provide some safety here, along with underlying fetch implementations, there is still potential for attacks through using data: URIs, or just attacking some other protocol entirely, e.g., FTP or CalDav.
[1] https://github.com/dahlia/fedify/blob/main/runtime/docloader.ts#L141 [2] https://github.com/dahlia/fedify/blob/main/runtime/docloader.ts#L175
Deno-specific Attack Vectors
In Deno specifically, the fetch() API allows accessing local filesystem, I'm not sure how Deno's Permissions model may prevent attacks utilising file: URIs.
Fetch also supports fetching from file URLs to retrieve static files. For more info on static files, see the filesystem API documentation.
ActivityPub Security Considerations
This is also noted in the ActivityPub spec in Section B.3 Security Considerations, however, there it is more limited in scope.
Other Implementations
It may be acceptable to allow a server operator to allow access to given non-public IP addresses, for instance in Mastodon they allow requests to non-public IP addresses, i.e., localhost in development and those in the ALLOWED_PRIVATE_ADDRESSES environment variable.
PoC
I'm not sure a PoC is necessary given this is a reasonably well known vulnerability vector.
Impact
This impacts server operates, as resources that are internal to their network may find themselves being improperly accessed or potentially even attacked or exposed to the public.
Notes for resolution:
When implementing public IP address validation, be careful of CWE-1389 and CWE-1286 both of which recently caused a CVE to be filed against the popular node.js ip package, although this package was not originally intended for security purposes.
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 📦npm | @fedify/fedify | all versions | 0.9.2 |
| 📦npm | @fedify/fedify | ≥ 0.10.0&&< 0.10.2 | 0.10.2 |
| 📦npm | @fedify/fedify | ≥ 0.11.0&&< 0.11.2 | 0.11.2 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for @fedify/fedify. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update @fedify/fedify to 0.9.2 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-p9cg-vqcc-grcx is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-p9cg-vqcc-grcx is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-p9cg-vqcc-grcx. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-p9cg-vqcc-grcx in your dependencies?
O3 detects GHSA-p9cg-vqcc-grcx across npm dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.