Fedify 2.2.7
Released on July 15, 2026.
@fedify/fedify
-
Fixed a server-side request forgery (SSRF) vulnerability in the
getNodeInfo()function and theContext.lookupNodeInfo()method, where the NodeInfo document URL advertised in a remote server's/.well-known/nodeinforesponse was fetched without checking that it points to a public address. A malicious server could direct the link to a loopback, link-local, or private address—or to adata:URL—causing Fedify to fetch internal resources and return their contents to the caller. Both requests, including any redirect hops, are now validated against private and non-public addresses, consistent with the protections already applied to WebFinger lookups and the built-in document loader. [CVE-2026-62857] -
Fixed custom collection dispatchers registered through
FederationBuilder.setCollectionDispatcher()andsetOrderedCollectionDispatcher()returning404 Not Foundafterbuild().build()now copies the collection callbacks and item types onto the built federation, so the registered routes dispatch their collections instead of being treated as unknown routes. [#849, #851 by ChanHaeng Lee] -
Fixed split-origin WebFinger responses for
acct:aliases on the web origin host. When a local actor is queried through the server-originacct:alias, Fedify now returns the canonical handle-hostacct:URI as the JRDsubjectand keeps the queriedacct:URI inaliases. [#920, #921]
@fedify/vocab
- Fixed Activity Vocabulary parsing so malformed language tags in remote JSON-LD language maps no longer abort parsing with a
RangeError. Fedify now ignores only the malformed language-tagged value and continues parsing the rest of the object. [#847, #848]