Unverified Commit fbfe4e13 authored by Hong Minhee's avatar Hong Minhee

Release 1.0.14

parent f196d84b
+4 −1
@@ -6,9 +6,10 @@ Fedify changelog
Version 1.0.14
--------------

To be released.
Released on January 21, 2025.

 -  Fixed several security vulnerabilities of the `lookupWebFinger()` function.
    [[CVE-2025-23221]]

     -  Fixed a security vulnerability where the `lookupWebFinger()` function
        had followed the infinite number of redirects, which could lead to
@@ -24,6 +25,8 @@ To be released.
        could lead to a SSRF attack.  Now it follows only the public network
        addresses.

[CVE-2025-23221]: https://github.com/dahlia/fedify/security/advisories/GHSA-c59p-wq67-24wx


Version 1.0.13
--------------
+7 −1
import type { LookupAddress } from "node:dns";
import { lookup } from "node:dns/promises";
import { isIP } from "node:net";

@@ -38,7 +39,12 @@ export async function validatePublicUrl(url: string): Promise<void> {
  }
  // To prevent SSRF via DNS rebinding, we need to resolve all IP addresses
  // and ensure that they are all public:
  const addresses = await lookup(hostname, { all: true });
  let addresses: LookupAddress[];
  try {
    addresses = await lookup(hostname, { all: true });
  } catch {
    addresses = [];
  }
  for (const { address, family } of addresses) {
    if (
      family === 4 && !isValidPublicIPv4Address(address) ||
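Review bot: The new catch around `lookup(hostname, { all: true })` makes a failed DNS lookup pass validation: `addresses` becomes `[]`, the loop below then checks nothing, and `validatePublicUrl` resolves without error for a host it could not resolve, which contradicts the intent stated in the comment just above it (resolve every address and ensure all are public). Before this change the lookup error propagated to the caller, so this is a change toward fail-open: a resolver that times out or returns SERVFAIL at validation time but an internal address when the real request is made afterwards would get through, unless the caller re-resolves and re-checks, which is not visible here. I would fail closed instead, e.g. `} catch (e: unknown) {` / `  throw new Error(\`Cannot resolve ${hostname}\`, { cause: e });` / `}` (or whichever error type the non-public branch below throws), with the comment `// Fail closed: an unresolvable host cannot be shown to be public.`; if some lookup failures are meant to be tolerated, narrow the catch to those error codes rather than swallowing everything. The body of validatePublicUrl starts and ends outside this hunk.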