Threat Advisory

Fedify Incomplete SSRF Mitigation Allows Special-Use IPv4 Ranges

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High
[subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

CVE-2026-50131 with a CVSS score of 8.6 is a vulnerability in Fedify that allows special-use IPv4 ranges due to an incomplete SSRF mitigation after GHSA-p9cg-vqcc-grcx, specifically in the `validatePublicUrl` function responsible for deciding whether a destination is public, which returns true for address ranges that are not globally routable public internet destinations. This flaw type can be exploited via the environment template management API by sending specially crafted IPv4 addresses to the `isValidPublicIPv4Address` function, which incorrectly allows multiple special-use ranges, including Carrier-grade NAT, Benchmarking / internal testing networks, Multicast, Reserved, IETF protocol assignments, Documentation range, and others. This vulnerability has a high business impact as it can be used by attackers to bypass the previous SSRF mitigation and potentially access sensitive data or perform unauthorized actions. The affected versions include @fedify/fedify: >= 0.11.2, < 1.9.12, @fedify/fedify: >= 1.10.0, < 1.10.11, @fedify/fedify: >= 2.0.0, < 2.0.19, @fedify/fedify: >= 2.1.0, < 2.1.15, and @fedify/fedify: >= 2.2.0, < 2.2.4, as well as @fedify/vocab-runtime: < 2.0.19.

RECOMMENDATIONS:

  • We recommend you to update Fedify to version 1.9.12, 1.10.11, 2.0.19, 2.1.15, 2.2.4.
  • We recommend you to update @fedify/vocab-runtime to version 2.0.19, 2.1.15, or 2.2.4.

REFERENCES:

The following reports contain further technical details:[/subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

CVE-2026-50131 with a CVSS score of 8.6 is a vulnerability in Fedify that allows special-use IPv4 ranges due to an incomplete SSRF mitigation after GHSA-p9cg-vqcc-grcx, specifically in the `validatePublicUrl` function responsible for deciding whether a destination is public, which returns true for address ranges that are not globally routable public internet destinations. This flaw type can be exploited via the environment template management API by sending specially crafted IPv4 addresses to the `isValidPublicIPv4Address` function, which incorrectly allows multiple special-use ranges, including Carrier-grade NAT, Benchmarking / internal testing networks, Multicast, Reserved, IETF protocol assignments, Documentation range, and others. This vulnerability has a high business impact as it can be used by attackers to bypass the previous SSRF mitigation and potentially access sensitive data or perform unauthorized actions. The affected versions include @fedify/fedify: >= 0.11.2, < 1.9.12, @fedify/fedify: >= 1.10.0, < 1.10.11, @fedify/fedify: >= 2.0.0, < 2.0.19, @fedify/fedify: >= 2.1.0, < 2.1.15, and @fedify/fedify: >= 2.2.0, < 2.2.4, as well as @fedify/vocab-runtime: < 2.0.19.

RECOMMENDATIONS:

  • We recommend you to update Fedify to version 1.9.12, 1.10.11, 2.0.19, 2.1.15, 2.2.4.
  • We recommend you to update @fedify/vocab-runtime to version 2.0.19, 2.1.15, or 2.2.4.

REFERENCES:

The following reports contain further technical details:[emaillocker id="1283"]

[/emaillocker]
crossmenu