Fedify security updates: 1.9.13, 1.10.12, 2.0.22, 2.1.18, 2.2.7, and 2.3.2 #954
dahlia
announced in
Announcements
Replies: 0 comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
-
If you use Fedify, update to a patched release now. CVE-2026-62857 affects Fedify's NodeInfo client. An attacker who runs any instance your server looks up could cause that server to fetch non-public network destinations and return their contents to your application, depending on the deployment environment and network routing.
Fedify can look up a remote instance's NodeInfo document to learn what software it runs. The lookup happens in two steps: it fetches the instance's
/.well-known/nodeinfodocument, then follows the NodeInfo document URL that response advertises. The vulnerable path isgetNodeInfo(), along with theContext.lookupNodeInfo()method that wraps it: affected versions sent both requests without validating the destination against public-network expectations. Because that second URL comes straight out of the remote server's response body, the instance being looked up fully controls it, and could point it at a loopback address, a link-local metadata endpoint, an RFC 1918 host, or adata:URL. Servers are exposed only if they look up NodeInfo, but that lookup is routine for peer discovery and instance metadata.The fix routes both requests through the same public-address validation Fedify already applied to WebFinger lookups and remote document loading. Every request is now checked before it is sent, including each redirect hop, so a public URL cannot bounce a request to an internal address. Redirects are followed with a cap and are refused if they cross protocols, and non-HTTP(S) URLs such as
data:are rejected outright.These are patch releases, so they tighten behavior without adding new API. If you deliberately look up NodeInfo on a private or intranet address, such as in a closed federation or a test environment, these releases will now refuse it. An
allowPrivateAddressopt-out is coming in 2.4.0.Current patched releases are 1.9.13, 1.10.12, 2.0.22, 2.1.18, 2.2.7, and 2.3.2. The GitHub Security Advisory is GHSA-hqph-j65v-8cq5, and the CVE ID is CVE-2026-62857.
Update
@fedify/fedify:After updating, redeploy. If you run other Fedify-based servers, update those too.
Thanks to @rvzsec and @manus-use for the report and responsible disclosure.
If anything is unclear, ask below.
Beta Was this translation helpful? Give feedback.
All reactions