<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>@Fedify/Vocab-Runtime (Versions &lt; 2.0.19) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/@fedify/vocab-runtime-versions--2.0.19/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 14 Jul 2026 19:20:16 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/@fedify/vocab-runtime-versions--2.0.19/feed.xml" rel="self" type="application/rss+xml"/><item><title>Fedify SSRF Mitigation Bypass via Incomplete IPv4 Validation (CVE-2026-50131)</title><link>https://feed.craftedsignal.io/briefs/2026-07-fedify-ssrf-bypass/</link><pubDate>Tue, 14 Jul 2026 19:20:16 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-fedify-ssrf-bypass/</guid><description>Fedify's `validatePublicUrl()` function, intended to mitigate Server-Side Request Forgery (SSRF), contains an incomplete IPv4 validation logic. It incorrectly treats several special-use, reserved, multicast, benchmarking, and carrier-grade NAT IPv4 ranges as valid public destinations, allowing an attacker to bypass the SSRF protection and cause the Fedify server to initiate requests to internal or non-public network ranges when processing attacker-controlled ActivityPub object, activity, document, or media URLs.</description><content:encoded><![CDATA[<p>A recently disclosed vulnerability, CVE-2026-50131, impacts Fedify's Server-Side Request Forgery (SSRF) protection mechanism. Following an earlier SSRF fix (GHSA-p9cg-vqcc-grcx), Fedify introduced <code>validatePublicUrl()</code> to ensure outbound fetches are directed only to public URLs. However, the underlying <code>isValidPublicIPv4Address()</code> function contains an incomplete implementation for identifying non-public IPv4 address ranges. While it correctly blocks common private ranges like <code>10.0.0.0/8</code> and <code>192.168.0.0/16</code>, it fails to classify several special-use, reserved, multicast, benchmarking, and carrier-grade NAT IPv4 ranges (e.g., <code>100.64.0.0/10</code>, <code>198.18.0.0/15</code>, <code>224.0.0.0/4</code>, <code>240.0.0.0/4</code>) as non-public. This flaw allows an attacker to craft specific ActivityPub object, activity, document, or media URLs that, when processed by a vulnerable Fedify instance, can force the server to make outbound connections to internal or restricted network segments, bypassing the intended SSRF protection. This issue affects various versions of <code>@fedify/fedify</code> and <code>@fedify/vocab-runtime</code>, posing a significant risk for internal network reconnaissance and potential access to sensitive services.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker crafts a malicious ActivityPub object, activity, document, or media URL (e.g., <code>http://100.64.0.1/internal_service_endpoint</code>) that embeds an IP address from one of the incorrectly validated special-use IPv4 ranges.</li>
<li>The attacker delivers this malicious URL to a vulnerable Fedify instance through a legitimate input channel, such as publishing an ActivityPub post or updating a profile that the Fedify server is configured to fetch.</li>
<li>The Fedify server begins processing the received ActivityPub content, triggering its internal logic to fetch the remote URL specified by the attacker.</li>
<li>Before making the outbound request, the Fedify server's <code>validatePublicUrl()</code> function invokes <code>isValidPublicIPv4Address()</code> to determine if the destination IP is public.</li>
<li>Due to the incomplete validation logic in <code>isValidPublicIPv4Address()</code>, the attacker-specified special-use IPv4 address (e.g., <code>100.64.0.1</code>) is incorrectly classified as a &quot;public&quot; destination.</li>
<li>Believing the destination to be public, the Fedify server proceeds to initiate an outbound network connection from its internal network to the attacker-controlled special-use IP address.</li>
<li>This outbound connection bypasses the intended SSRF protection, allowing the Fedify server to communicate with internal services or other non-public resources within the target's network that are reachable via the special-use IP range.</li>
<li>The attacker can then use this unauthorized connection to perform internal network reconnaissance, gather sensitive information, or interact with services not intended for external exposure, achieving goals like network mapping, data exfiltration, or unauthorized access.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-50131 allows attackers to bypass Fedify's SSRF protection, leading to severe consequences for the compromised organization. Attackers can force Fedify servers to initiate requests to internal network resources that should be inaccessible from external sources. This can facilitate internal network reconnaissance, allowing the attacker to map an organization's network topology and identify other vulnerable internal services. Depending on the network configuration and the specific services running, this could lead to unauthorized access to sensitive data, internal system compromise, or further lateral movement within the network. The vulnerability acts as a gateway to an organization's internal infrastructure, circumventing a critical security control.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li><strong>Patch CVE-2026-50131:</strong> Immediately update all <code>@fedify/fedify</code> and <code>@fedify/vocab-runtime</code> installations to versions that address CVE-2026-50131. Refer to the affected products list for specific patched versions.</li>
<li><strong>Implement Network Monitoring:</strong> Deploy the Sigma rule &quot;Detects CVE-2026-50131 Exploitation - Outbound Connection to Fedify SSRF Bypass Ranges&quot; to your SIEM. Configure network connection logging for all servers hosting Fedify to capture outbound connections, particularly those to the IOC IP addresses listed in this brief.</li>
<li><strong>Review Network Segmentation:</strong> Ensure robust network segmentation is in place to limit the impact of potential SSRF vulnerabilities, even if a bypass occurs.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>ssrf</category><category>incomplete-fix</category><category>bypass</category><category>network-access</category><category>vulnerability</category><category>fedify</category><category>npm</category></item></channel></rss>