Fedify 1.10.12
Released on July 15, 2026.
@fedify/fedify
- Fixed a server-side request forgery (SSRF) vulnerability in the
getNodeInfo()function and theContext.lookupNodeInfo()method, where the NodeInfo document URL advertised in a remote server's/.well-known/nodeinforesponse was fetched without checking that it points to a public address. A malicious server could direct the link to a loopback, link-local, or private address—or to adata:URL—causing Fedify to fetch internal resources and return their contents to the caller. Both requests, including any redirect hops, are now validated against private and non-public addresses, consistent with the protections already applied to WebFinger lookups and the built-in document loader. [CVE-2026-62857]