Skip to content

Fedify 1.9.13

Choose a tag to compare

@github-actions github-actions released this 15 Jul 03:44
1.9.13
6220cf8

Released on July 15, 2026.

@fedify/fedify

  • Fixed a server-side request forgery (SSRF) vulnerability in the getNodeInfo() function and the Context.lookupNodeInfo() method, where the NodeInfo document URL advertised in a remote server's /.well-known/nodeinfo response was fetched without checking that it points to a public address. A malicious server could direct the link to a loopback, link-local, or private address—or to a data: URL—causing Fedify to fetch internal resources and return their contents to the caller. Both requests, including any redirect hops, are now validated against private and non-public addresses, consistent with the protections already applied to WebFinger lookups and the built-in document loader. [CVE-2026-62857]