{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/@fedify/vocab-runtime-versions--2.0.19/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.6,"id":"CVE-2026-50131"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["@fedify/fedify (versions \u003e= 0.11.2 \u003c 1.9.12)","@fedify/fedify (versions \u003e= 1.10.0 \u003c 1.10.11)","@fedify/fedify (versions \u003e= 2.0.0 \u003c 2.0.19)","@fedify/fedify (versions \u003e= 2.1.0 \u003c 2.1.15)","@fedify/fedify (versions \u003e= 2.2.0 \u003c 2.2.4)","@fedify/vocab-runtime (versions \u003c 2.0.19)","@fedify/vocab-runtime (versions \u003e= 2.1.0 \u003c 2.1.15)","@fedify/vocab-runtime (versions \u003e= 2.2.0 \u003c 2.2.4)"],"_cs_severities":["high"],"_cs_tags":["ssrf","incomplete-fix","bypass","network-access","vulnerability","fedify","npm"],"_cs_type":"advisory","_cs_vendors":["Fedify"],"content_html":"\u003cp\u003eA recently disclosed vulnerability, CVE-2026-50131, impacts Fedify's Server-Side Request Forgery (SSRF) protection mechanism. Following an earlier SSRF fix (GHSA-p9cg-vqcc-grcx), Fedify introduced \u003ccode\u003evalidatePublicUrl()\u003c/code\u003e to ensure outbound fetches are directed only to public URLs. However, the underlying \u003ccode\u003eisValidPublicIPv4Address()\u003c/code\u003e function contains an incomplete implementation for identifying non-public IPv4 address ranges. While it correctly blocks common private ranges like \u003ccode\u003e10.0.0.0/8\u003c/code\u003e and \u003ccode\u003e192.168.0.0/16\u003c/code\u003e, it fails to classify several special-use, reserved, multicast, benchmarking, and carrier-grade NAT IPv4 ranges (e.g., \u003ccode\u003e100.64.0.0/10\u003c/code\u003e, \u003ccode\u003e198.18.0.0/15\u003c/code\u003e, \u003ccode\u003e224.0.0.0/4\u003c/code\u003e, \u003ccode\u003e240.0.0.0/4\u003c/code\u003e) as non-public. This flaw allows an attacker to craft specific ActivityPub object, activity, document, or media URLs that, when processed by a vulnerable Fedify instance, can force the server to make outbound connections to internal or restricted network segments, bypassing the intended SSRF protection. This issue affects various versions of \u003ccode\u003e@fedify/fedify\u003c/code\u003e and \u003ccode\u003e@fedify/vocab-runtime\u003c/code\u003e, posing a significant risk for internal network reconnaissance and potential access to sensitive services.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious ActivityPub object, activity, document, or media URL (e.g., \u003ccode\u003ehttp://100.64.0.1/internal_service_endpoint\u003c/code\u003e) that embeds an IP address from one of the incorrectly validated special-use IPv4 ranges.\u003c/li\u003e\n\u003cli\u003eThe attacker delivers this malicious URL to a vulnerable Fedify instance through a legitimate input channel, such as publishing an ActivityPub post or updating a profile that the Fedify server is configured to fetch.\u003c/li\u003e\n\u003cli\u003eThe Fedify server begins processing the received ActivityPub content, triggering its internal logic to fetch the remote URL specified by the attacker.\u003c/li\u003e\n\u003cli\u003eBefore making the outbound request, the Fedify server's \u003ccode\u003evalidatePublicUrl()\u003c/code\u003e function invokes \u003ccode\u003eisValidPublicIPv4Address()\u003c/code\u003e to determine if the destination IP is public.\u003c/li\u003e\n\u003cli\u003eDue to the incomplete validation logic in \u003ccode\u003eisValidPublicIPv4Address()\u003c/code\u003e, the attacker-specified special-use IPv4 address (e.g., \u003ccode\u003e100.64.0.1\u003c/code\u003e) is incorrectly classified as a \u0026quot;public\u0026quot; destination.\u003c/li\u003e\n\u003cli\u003eBelieving the destination to be public, the Fedify server proceeds to initiate an outbound network connection from its internal network to the attacker-controlled special-use IP address.\u003c/li\u003e\n\u003cli\u003eThis outbound connection bypasses the intended SSRF protection, allowing the Fedify server to communicate with internal services or other non-public resources within the target's network that are reachable via the special-use IP range.\u003c/li\u003e\n\u003cli\u003eThe attacker can then use this unauthorized connection to perform internal network reconnaissance, gather sensitive information, or interact with services not intended for external exposure, achieving goals like network mapping, data exfiltration, or unauthorized access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-50131 allows attackers to bypass Fedify's SSRF protection, leading to severe consequences for the compromised organization. Attackers can force Fedify servers to initiate requests to internal network resources that should be inaccessible from external sources. This can facilitate internal network reconnaissance, allowing the attacker to map an organization's network topology and identify other vulnerable internal services. Depending on the network configuration and the specific services running, this could lead to unauthorized access to sensitive data, internal system compromise, or further lateral movement within the network. The vulnerability acts as a gateway to an organization's internal infrastructure, circumventing a critical security control.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch CVE-2026-50131:\u003c/strong\u003e Immediately update all \u003ccode\u003e@fedify/fedify\u003c/code\u003e and \u003ccode\u003e@fedify/vocab-runtime\u003c/code\u003e installations to versions that address CVE-2026-50131. Refer to the affected products list for specific patched versions.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImplement Network Monitoring:\u003c/strong\u003e Deploy the Sigma rule \u0026quot;Detects CVE-2026-50131 Exploitation - Outbound Connection to Fedify SSRF Bypass Ranges\u0026quot; to your SIEM. Configure network connection logging for all servers hosting Fedify to capture outbound connections, particularly those to the IOC IP addresses listed in this brief.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eReview Network Segmentation:\u003c/strong\u003e Ensure robust network segmentation is in place to limit the impact of potential SSRF vulnerabilities, even if a bypass occurs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-14T19:20:16Z","date_published":"2026-07-14T19:20:16Z","id":"https://feed.craftedsignal.io/briefs/2026-07-fedify-ssrf-bypass/","summary":"Fedify's `validatePublicUrl()` function, intended to mitigate Server-Side Request Forgery (SSRF), contains an incomplete IPv4 validation logic. It incorrectly treats several special-use, reserved, multicast, benchmarking, and carrier-grade NAT IPv4 ranges as valid public destinations, allowing an attacker to bypass the SSRF protection and cause the Fedify server to initiate requests to internal or non-public network ranges when processing attacker-controlled ActivityPub object, activity, document, or media URLs.","title":"Fedify SSRF Mitigation Bypass via Incomplete IPv4 Validation (CVE-2026-50131)","url":"https://feed.craftedsignal.io/briefs/2026-07-fedify-ssrf-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed - @Fedify/Vocab-Runtime (Versions \u003c 2.0.19)","version":"https://jsonfeed.org/version/1.1"}