Loading CHANGES.md +104 −0 Original line number Diff line number Diff line Loading @@ -24,6 +24,43 @@ To be released. [#313]: https://github.com/fedify-dev/fedify/issues/313 Version 1.8.5 ------------- Released on August 8, 2025. ### @fedify/fedify - Fixed a critical authentication bypass vulnerability in the inbox handler that allowed unauthenticated attackers to impersonate any ActivityPub actor. The vulnerability occurred because activities were processed before verifying that the HTTP Signatures key belonged to the claimed actor. Now authentication verification is performed before activity processing to prevent actor impersonation attacks. [[CVE-2025-54888]] ### @fedify/cli - Fixed `fedify nodeinfo` color support in Windows Terminal. [[#358], [#360] by KeunHyeong Park] [#358]: https://github.com/fedify-dev/fedify/issues/358 [#360]: https://github.com/fedify-dev/fedify/pull/360 Version 1.8.4 ------------- Released on August 7, 2025. ### @fedify/cli - Fixed `fedify lookup` command's `-r`/`--raw`, `-C`/`--compact`, and `-e`/`--expand` options to properly output valid JSON format instead of Deno's object inspection format. [[#357]] [#357]: https://github.com/fedify-dev/fedify/issues/357 Version 1.8.3 ------------- Loading Loading @@ -274,6 +311,19 @@ the versioning. [iTerm]: https://iterm2.com/ Version 1.7.9 ------------- Released on August 8, 2025. - Fixed a critical authentication bypass vulnerability in the inbox handler that allowed unauthenticated attackers to impersonate any ActivityPub actor. The vulnerability occurred because activities were processed before verifying that the HTTP Signatures key belonged to the claimed actor. Now authentication verification is performed before activity processing to prevent actor impersonation attacks. [[CVE-2025-54888]] Version 1.7.8 ------------- Loading Loading 
@@ -399,6 +449,19 @@ Released on June 25, 2025. [#252]: https://github.com/fedify-dev/fedify/pull/252 Version 1.6.8 ------------- Released on August 8, 2025. - Fixed a critical authentication bypass vulnerability in the inbox handler that allowed unauthenticated attackers to impersonate any ActivityPub actor. The vulnerability occurred because activities were processed before verifying that the HTTP Signatures key belonged to the claimed actor. Now authentication verification is performed before activity processing to prevent actor impersonation attacks. [[CVE-2025-54888]] Version 1.6.7 ------------- Loading Loading @@ -527,6 +590,19 @@ the versioning. [#242]: https://github.com/fedify-dev/fedify/pull/242 Version 1.5.5 ------------- Released on August 8, 2025. - Fixed a critical authentication bypass vulnerability in the inbox handler that allowed unauthenticated attackers to impersonate any ActivityPub actor. The vulnerability occurred because activities were processed before verifying that the HTTP Signatures key belonged to the claimed actor. Now authentication verification is performed before activity processing to prevent actor impersonation attacks. [[CVE-2025-54888]] Version 1.5.4 ------------- Loading Loading @@ -701,6 +777,19 @@ Released on March 28, 2025. [multibase]: https://github.com/multiformats/js-multibase Version 1.4.13 -------------- Released on August 8, 2025. - Fixed a critical authentication bypass vulnerability in the inbox handler that allowed unauthenticated attackers to impersonate any ActivityPub actor. The vulnerability occurred because activities were processed before verifying that the HTTP Signatures key belonged to the claimed actor. Now authentication verification is performed before activity processing to prevent actor impersonation attacks. [[CVE-2025-54888]] Version 1.4.12 -------------- Loading Loading 
@@ -950,6 +1039,21 @@ Released on February 5, 2025. [#195]: https://github.com/fedify-dev/fedify/issues/195 Version 1.3.20 -------------- Released on August 8, 2025. - Fixed a critical authentication bypass vulnerability in the inbox handler that allowed unauthenticated attackers to impersonate any ActivityPub actor. The vulnerability occurred because activities were processed before verifying that the HTTP Signatures key belonged to the claimed actor. Now authentication verification is performed before activity processing to prevent actor impersonation attacks. [[CVE-2025-54888]] [CVE-2025-54888]: https://github.com/fedify-dev/fedify/security/advisories/GHSA-6jcc-xgcr-q3h4 Version 1.3.19 -------------- Loading packages/cli/src/lookup.ts +4 −2 Original line number Diff line number Diff line Loading @@ -20,7 +20,7 @@ import ora from "ora"; import { getContextLoader, getDocumentLoader } from "./docloader.ts"; import { renderImages } from "./imagerenderer.ts"; import { spawnTemporaryServer, type TemporaryServer } from "./tempserver.ts"; import { colorEnabled, formatCliObjectOutputWithColor } from "./utils.ts"; import { colorEnabled, formatObject } from "./utils.ts"; const logger = getLogger(["fedify", "cli", "lookup"]); Loading Loading @@ -113,6 +113,7 @@ export async function writeObjectToStream( try { let content; let json = true; let imageUrls: URL[] = []; if (options.raw) { Loading @@ -123,10 +124,11 @@ export async function writeObjectToStream( content = await object.toJsonLd({ format: "expand", contextLoader }); } else { content = object; json = false; } const enableColors = colorEnabled && options.output === undefined; content = formatCliObjectOutputWithColor(content, enableColors); content = formatObject(content, enableColors, json); const encoder = new TextEncoder(); const bytes = encoder.encode(content + "\n"); Loading packages/cli/src/nodeinfo.ts +11 −5 Original line number Diff line number Diff line Loading 
@@ -7,7 +7,7 @@ import * as colors from "@std/fmt/colors"; import { isICO, parseICO } from "icojs"; import { defaultFormats, defaultPlugins, intToRGBA } from "jimp"; import ora from "ora"; import { formatCliObjectOutputWithColor, printJson } from "./utils.ts"; import { formatObject } from "./utils.ts"; const logger = getLogger(["fedify", "cli", "nodeinfo"]); Loading Loading @@ -62,7 +62,7 @@ export const command = new Command() Deno.exit(1); } spinner.succeed("NodeInfo document fetched."); printJson(nodeInfo); console.log(formatObject(nodeInfo, undefined, true)); return; } const nodeInfo = await getNodeInfo(url, { Loading Loading @@ -212,9 +212,7 @@ export const command = new Command() for (const [key, value] of Object.entries(nodeInfo.metadata)) { layout[next()] += ` ${colors.dim(key + ":")} ${ indent( typeof value === "string" ? value : formatCliObjectOutputWithColor(value), typeof value === "string" ? value : formatObject(value), defaultWidth + 4 + key.length, ) }`; Loading Loading 
@@ -301,6 +299,14 @@ function checkTerminalColorSupport(): "truecolor" | "256color" | "none" { return "256color"; } // Check for Windows Terminal support // FIXME: WT_SESSION is not a reliable way to check for Windows Terminal support const isWindows = Deno.build.os === "windows"; const isWT = Deno.env.get("WT_SESSION"); if (isWindows && isWT != null && isWT !== "") { return "truecolor"; } return "none"; } Loading packages/cli/src/utils.ts +8 −7 Original line number Diff line number Diff line import { highlight } from "cli-highlight"; export function printJson(json: unknown): void { const formatted = JSON.stringify(json, null, 2); console.log(highlight(formatted, { language: "json" })); } export const colorEnabled: boolean = Deno.stdout.isTerminal() && !Deno.env.has("NO_COLOR"); export function formatCliObjectOutputWithColor( export function formatObject( obj: unknown, colors?: boolean, json?: boolean, ): string { const enableColors = colors ?? colorEnabled; return Deno.inspect(obj, { colors: enableColors }); if (!json) return Deno.inspect(obj, { colors: enableColors }); const formatted = JSON.stringify(obj, null, 2); if (enableColors) { return highlight(formatted, { language: "json" }); } return formatted; } packages/cli/src/webfinger.ts +2 −2 Original line number Diff line number Diff line Loading @@ -2,7 +2,7 @@ import { Command, ValidationError } from "@cliffy/command"; import { toAcctUrl } from "@fedify/fedify/vocab"; import { lookupWebFinger } from "@fedify/fedify/webfinger"; import ora from "ora"; import { printJson } from "./utils.ts"; import { formatObject } from "./utils.ts"; export const command = new Command() .arguments("<...resources:string>") Loading Loading 
@@ -40,7 +40,7 @@ export const command = new Command() new NotFoundError(resource).throw(); // throw NotFoundError if not found spinner.succeed(`WebFinger found for ${resource}:`); // Succeed the spinner printJson(webFinger); // Print the WebFinger console.log(formatObject(webFinger, undefined, true)); // Print the WebFinger } catch (error) { if (error instanceof InvalidHandleError) { // If the handle format is invalid, spinner.fail(`Invalid handle format: ${error.handle}`); // log error message with handle Loading Loading
CHANGES.md +104 −0 Original line number Diff line number Diff line Loading @@ -24,6 +24,43 @@ To be released. [#313]: https://github.com/fedify-dev/fedify/issues/313 Version 1.8.5 ------------- Released on August 8, 2025. ### @fedify/fedify - Fixed a critical authentication bypass vulnerability in the inbox handler that allowed unauthenticated attackers to impersonate any ActivityPub actor. The vulnerability occurred because activities were processed before verifying that the HTTP Signatures key belonged to the claimed actor. Now authentication verification is performed before activity processing to prevent actor impersonation attacks. [[CVE-2025-54888]] ### @fedify/cli - Fixed `fedify nodeinfo` color support in Windows Terminal. [[#358], [#360] by KeunHyeong Park] [#358]: https://github.com/fedify-dev/fedify/issues/358 [#360]: https://github.com/fedify-dev/fedify/pull/360 Version 1.8.4 ------------- Released on August 7, 2025. ### @fedify/cli - Fixed `fedify lookup` command's `-r`/`--raw`, `-C`/`--compact`, and `-e`/`--expand` options to properly output valid JSON format instead of Deno's object inspection format. [[#357]] [#357]: https://github.com/fedify-dev/fedify/issues/357 Version 1.8.3 ------------- Loading Loading @@ -274,6 +311,19 @@ the versioning. [iTerm]: https://iterm2.com/ Version 1.7.9 ------------- Released on August 8, 2025. - Fixed a critical authentication bypass vulnerability in the inbox handler that allowed unauthenticated attackers to impersonate any ActivityPub actor. The vulnerability occurred because activities were processed before verifying that the HTTP Signatures key belonged to the claimed actor. Now authentication verification is performed before activity processing to prevent actor impersonation attacks. [[CVE-2025-54888]] Version 1.7.8 ------------- Loading Loading 
@@ -399,6 +449,19 @@ Released on June 25, 2025. [#252]: https://github.com/fedify-dev/fedify/pull/252 Version 1.6.8 ------------- Released on August 8, 2025. - Fixed a critical authentication bypass vulnerability in the inbox handler that allowed unauthenticated attackers to impersonate any ActivityPub actor. The vulnerability occurred because activities were processed before verifying that the HTTP Signatures key belonged to the claimed actor. Now authentication verification is performed before activity processing to prevent actor impersonation attacks. [[CVE-2025-54888]] Version 1.6.7 ------------- Loading Loading @@ -527,6 +590,19 @@ the versioning. [#242]: https://github.com/fedify-dev/fedify/pull/242 Version 1.5.5 ------------- Released on August 8, 2025. - Fixed a critical authentication bypass vulnerability in the inbox handler that allowed unauthenticated attackers to impersonate any ActivityPub actor. The vulnerability occurred because activities were processed before verifying that the HTTP Signatures key belonged to the claimed actor. Now authentication verification is performed before activity processing to prevent actor impersonation attacks. [[CVE-2025-54888]] Version 1.5.4 ------------- Loading Loading @@ -701,6 +777,19 @@ Released on March 28, 2025. [multibase]: https://github.com/multiformats/js-multibase Version 1.4.13 -------------- Released on August 8, 2025. - Fixed a critical authentication bypass vulnerability in the inbox handler that allowed unauthenticated attackers to impersonate any ActivityPub actor. The vulnerability occurred because activities were processed before verifying that the HTTP Signatures key belonged to the claimed actor. Now authentication verification is performed before activity processing to prevent actor impersonation attacks. [[CVE-2025-54888]] Version 1.4.12 -------------- Loading Loading 
@@ -950,6 +1039,21 @@ Released on February 5, 2025. [#195]: https://github.com/fedify-dev/fedify/issues/195 Version 1.3.20 -------------- Released on August 8, 2025. - Fixed a critical authentication bypass vulnerability in the inbox handler that allowed unauthenticated attackers to impersonate any ActivityPub actor. The vulnerability occurred because activities were processed before verifying that the HTTP Signatures key belonged to the claimed actor. Now authentication verification is performed before activity processing to prevent actor impersonation attacks. [[CVE-2025-54888]] [CVE-2025-54888]: https://github.com/fedify-dev/fedify/security/advisories/GHSA-6jcc-xgcr-q3h4 Version 1.3.19 -------------- Loading
packages/cli/src/lookup.ts +4 −2 Original line number Diff line number Diff line Loading @@ -20,7 +20,7 @@ import ora from "ora"; import { getContextLoader, getDocumentLoader } from "./docloader.ts"; import { renderImages } from "./imagerenderer.ts"; import { spawnTemporaryServer, type TemporaryServer } from "./tempserver.ts"; import { colorEnabled, formatCliObjectOutputWithColor } from "./utils.ts"; import { colorEnabled, formatObject } from "./utils.ts"; const logger = getLogger(["fedify", "cli", "lookup"]); Loading Loading @@ -113,6 +113,7 @@ export async function writeObjectToStream( try { let content; let json = true; let imageUrls: URL[] = []; if (options.raw) { Loading @@ -123,10 +124,11 @@ export async function writeObjectToStream( content = await object.toJsonLd({ format: "expand", contextLoader }); } else { content = object; json = false; } const enableColors = colorEnabled && options.output === undefined; content = formatCliObjectOutputWithColor(content, enableColors); content = formatObject(content, enableColors, json); const encoder = new TextEncoder(); const bytes = encoder.encode(content + "\n"); Loading
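Review bot: The new `let json = true;` flag in writeObjectToStream is cleared only in the `else` branch, so it stays in sync with the raw/compact/expand branches by position rather than by construction; if another output mode is added later and the assignment is forgotten, a non-JSON `object` would silently be passed to `JSON.stringify`. Consider deriving it from the branch that picks the format, e.g. `const json = content !== object;` placed right after the `if`/`else` (the branches above `options.raw` are outside the hunk, so adjust to what they assign). A short comment such as `// true when content is a JSON-LD document, false when it is the vocab object` next to the declaration would also make the contract with formatObject explicit. writeObjectToStream begins and continues outside the hunk.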
packages/cli/src/nodeinfo.ts +11 −5 Original line number Diff line number Diff line Loading @@ -7,7 +7,7 @@ import * as colors from "@std/fmt/colors"; import { isICO, parseICO } from "icojs"; import { defaultFormats, defaultPlugins, intToRGBA } from "jimp"; import ora from "ora"; import { formatCliObjectOutputWithColor, printJson } from "./utils.ts"; import { formatObject } from "./utils.ts"; const logger = getLogger(["fedify", "cli", "nodeinfo"]); Loading Loading @@ -62,7 +62,7 @@ export const command = new Command() Deno.exit(1); } spinner.succeed("NodeInfo document fetched."); printJson(nodeInfo); console.log(formatObject(nodeInfo, undefined, true)); return; } const nodeInfo = await getNodeInfo(url, { Loading Loading @@ -212,9 +212,7 @@ export const command = new Command() for (const [key, value] of Object.entries(nodeInfo.metadata)) { layout[next()] += ` ${colors.dim(key + ":")} ${ indent( typeof value === "string" ? value : formatCliObjectOutputWithColor(value), typeof value === "string" ? value : formatObject(value), defaultWidth + 4 + key.length, ) }`; Loading Loading @@ -301,6 +299,14 @@ function checkTerminalColorSupport(): "truecolor" | "256color" | "none" { return "256color"; } // Check for Windows Terminal support // FIXME: WT_SESSION is not a reliable way to check for Windows Terminal support const isWindows = Deno.build.os === "windows"; const isWT = Deno.env.get("WT_SESSION"); if (isWindows && isWT != null && isWT !== "") { return "truecolor"; } return "none"; } Loading
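Review bot: On the changed metadata line `typeof value === "string" ? value : formatObject(value),` a string value from the remote NodeInfo document is written to the terminal verbatim, while non-string values go through formatObject, which in the non-JSON path uses `Deno.inspect` and (as far as I know, worth confirming) escapes control characters inside quoted strings. Since `metadata` is entirely server-controlled, a value containing terminal control sequences would be interpreted by the user's terminal rather than displayed; stripping C0 controls before printing, e.g. `typeof value === "string" ? value.replace(/[\x00-\x1f\x7f]/g, "") : formatObject(value),`, or rendering strings through the same JSON path, would close that. In the checkTerminalColorSupport hunk the new guard `isWT != null && isWT !== ""` can be written as `if (isWindows && isWT) return "truecolor";` since the empty string is already falsy; the function's signature and the enclosing `command` definition lie outside their hunks.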
packages/cli/src/utils.ts +8 −7 Original line number Diff line number Diff line import { highlight } from "cli-highlight"; export function printJson(json: unknown): void { const formatted = JSON.stringify(json, null, 2); console.log(highlight(formatted, { language: "json" })); } export const colorEnabled: boolean = Deno.stdout.isTerminal() && !Deno.env.has("NO_COLOR"); export function formatCliObjectOutputWithColor( export function formatObject( obj: unknown, colors?: boolean, json?: boolean, ): string { const enableColors = colors ?? colorEnabled; return Deno.inspect(obj, { colors: enableColors }); if (!json) return Deno.inspect(obj, { colors: enableColors }); const formatted = JSON.stringify(obj, null, 2); if (enableColors) { return highlight(formatted, { language: "json" }); } return formatted; }
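Review bot: The exported formatObject has no TSDoc, and its contract is now non-obvious: `json` undefined or false selects `Deno.inspect`, true selects `JSON.stringify` with two-space indentation, and `colors` undefined falls back to the module-level `colorEnabled`. I would add a doc block stating those three defaults and a `@throws` noting that the JSON path throws a TypeError for values JSON.stringify cannot serialize (BigInt, circular references), which printJson had as well but is now reachable from `fedify lookup` output. Two optional positional booleans also force call sites into `formatObject(nodeInfo, undefined, true)` (nodeinfo.ts, webfinger.ts) and `formatObject(content, enableColors, json)` (lookup.ts); an options parameter `formatObject(obj, { colors, json }: { colors?: boolean; json?: boolean } = {})` would read better and avoid the `undefined` placeholder, at the cost of touching those four call sites in the same commit.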
packages/cli/src/webfinger.ts +2 −2 Original line number Diff line number Diff line Loading @@ -2,7 +2,7 @@ import { Command, ValidationError } from "@cliffy/command"; import { toAcctUrl } from "@fedify/fedify/vocab"; import { lookupWebFinger } from "@fedify/fedify/webfinger"; import ora from "ora"; import { printJson } from "./utils.ts"; import { formatObject } from "./utils.ts"; export const command = new Command() .arguments("<...resources:string>") Loading Loading @@ -40,7 +40,7 @@ export const command = new Command() new NotFoundError(resource).throw(); // throw NotFoundError if not found spinner.succeed(`WebFinger found for ${resource}:`); // Succeed the spinner printJson(webFinger); // Print the WebFinger console.log(formatObject(webFinger, undefined, true)); // Print the WebFinger } catch (error) { if (error instanceof InvalidHandleError) { // If the handle format is invalid, spinner.fail(`Invalid handle format: ${error.handle}`); // log error message with handle Loading