Fedify 2.3.2
Released on July 15, 2026.
@fedify/fedify
-
Fixed a server-side request forgery (SSRF) vulnerability in the
getNodeInfo()function and theContext.lookupNodeInfo()method, where the NodeInfo document URL advertised in a remote server's/.well-known/nodeinforesponse was fetched without checking that it points to a public address. A malicious server could direct the link to a loopback, link-local, or private address—or to adata:URL—causing Fedify to fetch internal resources and return their contents to the caller. Both requests, including any redirect hops, are now validated against private and non-public addresses, consistent with the protections already applied to WebFinger lookups and the built-in document loader. [CVE-2026-62857] -
Fixed custom collection dispatchers registered through
FederationBuilder.setCollectionDispatcher()andsetOrderedCollectionDispatcher()returning404 Not Foundafterbuild().build()now copies the collection callbacks and item types onto the built federation, so the registered routes dispatch their collections instead of being treated as unknown routes. [#849, #851 by ChanHaeng Lee] -
Fixed the outbound delivery circuit breaker retaining per-host state in the configured key–value store forever when a remote host never recovered. Circuit breaker state now receives a TTL on writes made with the default failure policy, custom failure policies can opt in with the new
stateTtloption, and stale state written by earlier 2.3 releases is cleared automatically on CAS-backed stores after upgrade, with another sweep after a grace window to cover rolling deployments. [#916, #917] -
Fixed split-origin WebFinger responses for
acct:aliases on the web origin host. When a local actor is queried through the server-originacct:alias, Fedify now returns the canonical handle-hostacct:URI as the JRDsubjectand keeps the queriedacct:URI inaliases. [#920, #921] -
Fixed the npm package published by CI/CD so it includes the Fedify agent skill at skills/fedify/SKILL.md. The package metadata already advertised the skill, and local
pnpm packbuilds included it, but the automated npm publish artifact skipped theprepackstep that materializes the symlinked skill directory before packing.
@fedify/vocab
- Fixed Activity Vocabulary parsing so malformed language tags in remote JSON-LD language maps no longer abort parsing with a
RangeError. Fedify now ignores only the malformed language-tagged value and continues parsing the rest of the object. [#847, #848]