CVE-2025-54590
BaseFortify
Publication date: 2025-08-01
Last updated on: 2025-08-04
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| silverbucket | webfinger.js | 2.8.0 |
| silverbucket | webfinger.js | 2.8.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in webfinger.js versions 2.8.0 and below, where the lookup function does not properly prevent access to localhost services as required by the ActivityPub specification. The library only checks for hosts starting with "localhost" and ending with a port, but this is insufficient. Attackers can exploit this by creating servers that send GET requests with controlled host, path, and port parameters, allowing them to query services on the instance's host or local network. This results in blind Server-Side Request Forgery (SSRF) attacks. The issue is fixed in version 2.8.1.
How can this vulnerability impact me?
This vulnerability can allow attackers to perform blind SSRF attacks by making the vulnerable application send unauthorized requests to localhost or internal network services. This can lead to unauthorized access or information disclosure from internal services that are not intended to be exposed externally, potentially compromising the security of the affected system or network.
What immediate steps should I take to mitigate this vulnerability?
Upgrade the webfinger.js library to version 2.8.1 or later, which fixes the insufficient localhost-access check.