Skip to content

Fedify 1.10.12

Choose a tag to compare

@github-actions github-actions released this 15 Jul 03:47
1.10.12
a9fdf26

Released on July 15, 2026.

@fedify/fedify

  • Fixed a server-side request forgery (SSRF) vulnerability in the getNodeInfo() function and the Context.lookupNodeInfo() method, where the NodeInfo document URL advertised in a remote server's /.well-known/nodeinfo response was fetched without checking that it points to a public address. A malicious server could direct the link to a loopback, link-local, or private address—or to a data: URL—causing Fedify to fetch internal resources and return their contents to the caller. Both requests, including any redirect hops, are now validated against private and non-public addresses, consistent with the protections already applied to WebFinger lookups and the built-in document loader. [CVE-2026-62857]