Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1325 CNY

100%
Buy Us a Coffee

CVE-2026-50131— Fedify has an incomplete SSRF mitigation after GHSA-p9cg-vqcc-grcx: validatePublicUrl allows special-use IPv4 ranges

CVSS 8.6 · High EPSS 0.27% · P18

Possible ATT&CK Techniques 1AI

T1041 · Exfiltration Over C2 Channel

Affected Version Matrix 8

VendorProductVersion RangeStatus
fedify-devfedify>= 0.11.2, < 1.9.12affected
>= 1.10.0, < 1.10.11affected
>= 2.0.0, < 2.0.19affected
>= 2.1.0, < 2.1.15affected
>= 2.2.0, < 2.2.4affected
fedify-devvocab-runtime< 2.0.19affected
>= 2.1.0, < 2.1.15affected
>= 2.2.0, < 2.2.4affected
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-50131

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Fedify has an incomplete SSRF mitigation after GHSA-p9cg-vqcc-grcx: validatePublicUrl allows special-use IPv4 ranges
Source: NVD (National Vulnerability Database)
Vulnerability Description
Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Fedify previously addressed SSRF/internal network access in GHSA-p9cg-vqcc-grcx by adding public URL validation before runtime document and media fetching. However, the IPv4 validation logic present starting in version 0.11.2 and prior to versions 1.9.12, 1.10.11, 2.0.19, 2.1.15, and 2.2.4 appears incomplete. The `validatePublicUrl()` protection relies on `isValidPublicIPv4Address()` to reject non-public IPv4 destinations. The function blocks common private and local ranges such as `10.0.0.0/8`, `127.0.0.0/8`, `169.254.0.0/16`, `172.16.0.0/12`, and `192.168.0.0/16`, but it still treats several special-use, reserved, multicast, benchmarking, and carrier-grade NAT IPv4 ranges as valid public destinations. Because this validation is used as an SSRF defense before outbound fetches, this appears to be an incomplete mitigation or bypass class for the previous SSRF issue. Versions 1.9.12, 1.10.11, 2.0.19, 2.1.15, and 2.2.4 contain an updated patch.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Source: NVD (National Vulnerability Database)
Vulnerability Type
服务端请求伪造(SSRF)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Fedify 代码问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Fedify是Hong Minhee个人开发者的一个 TypeScript 库。用于构建由 ActivityPub 和其他标准支持的联邦服务器应用程序。 Fedify 1.9.12之前版本、1.10.11之前版本、2.0.19之前版本、2.1.15之前版本和2.2.4之前版本存在代码问题漏洞,该漏洞源于IPv4验证逻辑不完整,isValidPublicIPv4Address函数未阻止特殊用途、保留、多播、基准测试和运营商级NAT IPv4范围,导致SSRF绕过。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
fedify-devfedify >= 0.11.2, < 1.9.12 -
fedify-devvocab-runtime < 2.0.19 -

II. Public POCs for CVE-2026-50131

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium
Qwen3.6-35B-A3B · 9452 chars
Pro+ exclusive includes:
Vulnerability reproduction recording (real sandbox build + trigger, exclusive)
In-depth vulnerability mechanism
Trigger conditions & impact
Full executable POC code
Exploit chain & mitigation
POC zip download
100+ AI POC generations per month

III. Intelligence Information for CVE-2026-50131

登录查看更多情报信息。

Vendor Advisories for CVE-2026-50131 (1)

IV. Related Vulnerabilities

Same product: fedify
Same vendor: fedify-dev
Same weakness: CWE-918

V. Comments for CVE-2026-50131

No comments yet

Leave a comment