Product
Fedify's `validatePublicUrl()` function, intended to mitigate Server-Side Request Forgery (SSRF), contains an incomplete IPv4 validation logic. It incorrectly treats several special-use, reserved, multicast, benchmarking, and carrier-grade NAT IPv4 ranges as valid public destinations, allowing an attacker to bypass the SSRF protection and cause the Fedify server to initiate requests to internal or non-public network ranges when processing attacker-controlled ActivityPub object, activity, document, or media URLs.