CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



CVE-2026-50131

CVE-2026-50131: Server-Side Request Forgery Validation Bypass in Fedify

Amit Schendel
Amit Schendel
Senior Security Researcher

Jul 14, 2026·8 min read·3 visits

Executive Summary (TL;DR)

Incomplete IP validation in Fedify enables unauthenticated remote attackers to bypass SSRF protections and access internal services by using CGNAT, benchmarking, and IPv6 transition IP addresses.

Fedify, a TypeScript framework for ActivityPub servers, implemented incomplete public URL validation inside the @fedify/fedify and @fedify/vocab-runtime libraries. The validator only blocked basic RFC 1918 networks, standard loopbacks, and link-local addresses, failing to restrict Carrier-Grade NAT (CGNAT), benchmarking, reserved, or IPv6 transition addresses. Consequently, unauthenticated remote attackers can bypass SSRF filters to access sensitive internal microservices and endpoints.

Vulnerability Overview

The vulnerability is an unauthenticated Server-Side Request Forgery (SSRF) in Fedify, an ActivityPub server framework written in TypeScript. Fedify allows developers to build federated server applications that exchange ActivityPub documents and media. Because federated interactions necessitate fetching resources from external servers, the system is exposed to external URLs supplied by users or peer federated servers.

To prevent SSRF, Fedify utilizes a validation mechanism named validatePublicUrl which verifies whether an IP address is a public, routable internet address before attempting a network connection. An analysis of the validation engine revealed that the framework failed to classify multiple special-use, reserved, and non-routable IP address ranges as private. Consequently, remote unauthenticated attackers can craft requests containing restricted IP addresses to bypass the validation boundaries and target internal network services.

The vulnerability is tracked as CVE-2026-50131 and has been assigned a CVSS v3.1 base score of 8.6, representing high severity. The underlying flaw resides within the custom IP validation utility functions distributed in the @fedify/fedify framework and its dependency utility package @fedify/vocab-runtime.

Root Cause Analysis

The root cause of CVE-2026-50131 lies in the flawed design and implementation of the IP address classification logic. Fedify attempted to determine whether an IP address is "public" by excluding a limited blocklist of known private subnets rather than adopting a robust, comprehensive CIDR range checking approach. The original validation logic in isValidPublicIPv4Address only evaluated basic subnets from RFC 1918, local loopback ranges, and standard link-local allocations.

Specifically, the validator parsed the target IP address string using a manual split on the dot separator and extracted the first and second octets as integers. It then checked if the first octet matched 10, 127, or 0. If so, or if the prefix fell inside 172.16.0.0/12 or 192.168.0.0/16, the address was marked invalid. This logic completely ignored Carrier-Grade NAT (CGNAT) address ranges defined by RFC 6598 (100.64.0.0/10), benchmarking ranges from RFC 2544 (198.18.0.0/15), documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24), multicast ranges (224.0.0.0/4), and future-use reserved ranges (240.0.0.0/4).

Furthermore, the validation of IPv6 addresses in isValidPublicIPv6Address was similarly incomplete. It expanded the IPv6 address and filtered out standard Unique Local Addresses (ULA) and link-local ranges but was incapable of parsing and resolving transition and tunneling mechanisms. For example, NAT64 networks use the prefix 64:ff9b::/96 to translate IPv4 packets into IPv6. Because the validator lacked translation mapping checks, an attacker could supply an IPv6-wrapped private IPv4 address (such as 64:ff9b::127.0.0.1), which would successfully bypass the validation routine and subsequently map to local loopback within a dual-stack configuration.

Code Analysis

An examination of the source code before and after the application of the patch highlights the exact architectural shift from naive string parsing to rigorous bitwise CIDR validation. The original vulnerable function in packages/vocab-runtime/src/url.ts is shown below:

// VULNERABLE CODE PATH
export function isValidPublicIPv4Address(address: string): boolean {
  const parts = address.split(".");
  const first = parseInt(parts[0]);
  if (first === 0 || first === 10 || first === 127) return false;
  const second = parseInt(parts[1]);
  if (first === 169 && second === 254) return false;
  if (first === 172 && second >= 16 && second <= 31) return false;
  if (first === 192 && second === 168) return false;
  return true;
}

The vulnerability is fixed in commit c5b46f82668edbc3ee17a466e259627d846da498. The developer rewrote the validation framework to use standard CIDR boundaries. The implementation parses the input address safely, validating that each octet consists strictly of decimal digits via the regex /^\d+$/ to block any radix-obfuscation vectors (such as octal or hex formats). The patched structure establishes an array of restricted ranges defined with accurate CIDR masks:

// PATCHED IMPLEMENTATION (Excerpt from url.ts)
const nonPublicIPv4Prefixes = [
  ipv4Prefix("0.0.0.0/8", "RFC 6890"),
  ipv4Prefix("10.0.0.0/8", "RFC 1918"),
  ipv4Prefix("100.64.0.0/10", "RFC 6598"), // Added CGNAT
  ipv4Prefix("127.0.0.0/8", "RFC 1122"),
  ipv4Prefix("169.254.0.0/16", "RFC 3927"),
  ipv4Prefix("172.16.0.0/12", "RFC 1918"),
  ipv4Prefix("192.0.0.0/24", "RFC 6890"),   // Added Protocol Assignments
  ipv4Prefix("192.0.2.0/24", "RFC 5737"),   // Added Documentation range
  ipv4Prefix("192.88.99.0/24", "RFC 7526"),  // Added 6to4 Anycast
  ipv4Prefix("192.168.0.0/16", "RFC 1918"),
  ipv4Prefix("198.18.0.0/15", "RFC 2544"),  // Added Benchmarking
  ipv4Prefix("198.51.100.0/24", "RFC 5737"), // Added Documentation range
  ipv4Prefix("203.0.113.0/24", "RFC 5737"),  // Added Documentation range
  ipv4Prefix("224.0.0.0/4", "RFC 5771"),     // Added Multicast
  ipv4Prefix("240.0.0.0/4", "RFC 1112"),     // Added Reserved
];

The updated validation engine iterates over the defined CIDR prefixes, performs bitwise operations on the numeric representation of the parsed IP address, and immediately rejects the target if any match occurs. Similarly, for IPv6, the code was updated to map well-known transition ranges back to their embedded IPv4 representations, which are then routed back into the secure IPv4 checker.

Exploitation Methodology

Exploitation of CVE-2026-50131 requires sending a crafted ActivityPub fetch request containing a reference to a target host that resolves to one of the non-blocked, private IP addresses. For example, if an internal API panel or metadata service is hosted on the Carrier-Grade NAT block 100.64.0.10, an attacker cannot query it directly from the internet. However, they can instruct the vulnerable Fedify instance to request a remote resource from that IP address.

To coordinate the attack, the adversary registers a DNS domain (e.g., trigger.internal.attacker-dns.com) and configures the domain's A record to point directly to 100.64.0.10. Next, the attacker submits an ActivityPub action (such as subscribing to an actor profile at https://trigger.internal.attacker-dns.com/actor) via the public endpoint of the vulnerable Fedify server. The server receives the URL, resolves the domain name using DNS, and obtains the IP address 100.64.0.10.

The server then executes validatePublicUrl() on the resolved address. Because the validation blocklist before version 1.9.12/2.0.19 did not contain 100.64.0.0/10, the check succeeds and evaluates the IP as public. The server proceeds to dispatch an HTTP GET request to http://100.64.0.10/actor. The attacker receives the internal server's response content via the application's outbound rendering pipeline, effectively executing an unauthenticated SSRF.

Impact Assessment

The impact of successful exploitation is substantial, particularly within modern containerized and cloud-native environments. Attackers can leverage the SSRF capability to conduct network port scanning against the internal subnet infrastructure, bypassing firewall perimeters and ingress controls. In doing so, they can map out internal services, databases, cache layers (such as Redis or Memcached), and administrative management consoles that are bound strictly to internal network interfaces.

In cloud environments (such as AWS, Azure, or GCP), modern systems heavily rely on local metadata services for credential management. While typical metadata endpoints (like 169.254.169.254) were theoretically blocked by the original validation logic, the presence of transition mechanisms in dual-stack networks or internal NAT proxies could still expose these services. The ability to query internal HTTP interfaces unauthenticated allows for potential local credential extraction, configuration theft, and further lateral movement within the compromised VPC.

The vulnerability is classified under CWE-918 (Server-Side Request Forgery) as the primary weakness, coupled with CWE-1286 and CWE-1389 due to the underlying parsing weaknesses. Given the lack of required privileges and the network vector, the CVSS base score is calculated at 8.6, reflecting the high potential for internal information disclosure and system manipulation.

Remediation and Defensive Measures

The primary remediation path requires immediately updating @fedify/fedify and @fedify/vocab-runtime dependencies to their corresponding patched releases. Multiple release branches have been maintained to facilitate upgrade paths: users on the 1.9.x branch must update to 1.9.12 or higher; users on 1.10.x must update to 1.10.11 or higher; users on 2.0.x must update to 2.0.19 or higher; users on 2.1.x must update to 2.1.15 or higher; and users on 2.2.x must update to 2.2.4 or higher.

In addition to applying software patches, developers must review whether their application is vulnerable to DNS Rebinding. Because the validation of the IP occurs during the hostname resolution phase, it is critical that the actual HTTP socket request binds strictly to the resolved and validated IP, rather than initiating a secondary DNS query during the actual HTTP fetch phase. Implementing a custom agent in the underlying HTTP client library that intercepts DNS resolution and enforces IP-level validation on the target socket connection is the most resilient architectural strategy.

At the network layer, egress filtering should be configured to prevent the application servers from initiating outbound connections to any internal subnet. By employing strict firewall rules or security groups that allow outbound traffic only to established external gateways and blocking all local loopback, CGNAT, and private address blocks, organizations can achieve a robust defense-in-depth posture that mitigates potential validation-bypass vulnerabilities.

Official Patches

FedifyGitHub Security Advisory GHSA-xw9q-2mv6-9fr8

Fix Analysis (1)

Technical Appendix

CVSS Score
8.6/ 10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
EPSS Probability
0.27%
Top 81% most exploited

Affected Systems

Fedify@fedify/fedify@fedify/vocab-runtime

Affected Versions Detail

Product
Affected Versions
Fixed Version
@fedify/fedify
Fedify
>= 0.11.2, < 1.9.121.9.12
@fedify/fedify
Fedify
>= 1.10.0, < 1.10.111.10.11
@fedify/fedify
Fedify
>= 2.0.0, < 2.0.192.0.19
@fedify/fedify
Fedify
>= 2.1.0, < 2.1.152.1.15
@fedify/fedify
Fedify
>= 2.2.0, < 2.2.42.2.4
@fedify/vocab-runtime
Fedify
< 2.0.192.0.19
@fedify/vocab-runtime
Fedify
>= 2.1.0, < 2.1.152.1.15
@fedify/vocab-runtime
Fedify
>= 2.2.0, < 2.2.42.2.4
AttributeDetail
CWE IDCWE-918
Attack VectorNetwork (AV:N)
CVSS Score8.6
EPSS Score0.00269 (0.269%)
ImpactHigh Confidentiality, Low Integrity, Low Availability
Exploit StatusProof-of-Concept
KEV StatusNot Listed

MITRE ATT&CK Mapping

T1190Exploit Public-Facing Application
Initial Access
T1005Data from Local System
Collection
CWE-918
Server-Side Request Forgery (SSRF)

The web server receives a URL or similar vector from an upstream source and retrieves the resource without thoroughly verifying that the resolved destination is a public, routable internet address.

Known Exploits & Detection

GitHubProof-of-Concept documentation and vulnerability index

Vulnerability Timeline

Initial branch version bumps prepared
2026-05-20
Technical fix committed (c5b46f82668edbc3ee17a466e259627d846da498) by Hong Minhee
2026-05-29
Maintenance branch pull requests merged
2026-06-02
Patched libraries published to registries
2026-06-04
Primary Security Advisory GHSA-xw9q-2mv6-9fr8 published
2026-06-08
Vulnerability officially published on CVE.org
2026-06-10

References & Sources

  • [1]GitHub Security Advisory GHSA-xw9q-2mv6-9fr8
  • [2]GitHub Repository - CVE-2026-50131 Analysis and PoC Index

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•11 minutes ago•CVE-2025-61670
3.3

CVE-2025-61670: Memory Leak in Wasmtime C/C++ API WebAssembly GC Reference Handling

A technical analysis of CVE-2025-61670, a memory leak vulnerability in Wasmtime's C and C++ API bindings. The issue stems from a refactoring in version 37.0.0 that transitioned garbage-collected reference tracking to host heap-allocated OwnedRooted types without updating FFI ownership semantics.

Alon Barad
Alon Barad
0 views•7 min read
•40 minutes ago•CVE-2026-50141
7.1

CVE-2026-50141: Agent Impersonation via gRPC Metadata Spoofing in Woodpecker CI

A critical authentication bypass vulnerability in Woodpecker CI allows authenticated agents to impersonate other agents by injecting spoofed agent_id values into gRPC metadata. This flaw is caused by the use of md.Append instead of md.Set on the server-side RPC authorizer.

Alon Barad
Alon Barad
3 views•6 min read
•about 2 hours ago•CVE-2026-54250
5.8

CVE-2026-54250: Path Traversal Vulnerability in K3s etcd Snapshot Decompression

CVE-2026-54250 is a path traversal vulnerability in K3s, a lightweight Kubernetes distribution. The flaw exists within the etcd snapshot decompression functionality, allowing administrative users to write arbitrary files to the host filesystem via a maliciously crafted ZIP archive. Due to the high privilege level of the K3s process, this can result in total host compromise.

Alon Barad
Alon Barad
5 views•6 min read
•about 19 hours ago•GHSA-XF7X-X43H-RPQH
7.5

GHSA-xf7x-x43h-rpqh: Denial of Service via Unconstrained Circular Reference Resolution in json-repair

A Denial of Service vulnerability exists in the json-repair Python library due to an unconstrained loop during JSON Schema reference resolution. By submitting a circular JSON Schema, an attacker can trigger infinite recursion, causing 100 percent CPU exhaustion. Because this package is heavily utilized in LLM data-processing pipelines, this flaw presents a substantial threat to application availability.

Alon Barad
Alon Barad
7 views•5 min read
•about 19 hours ago•GHSA-8F6J-263M-G72X
6.9

GHSA-8F6J-263M-G72X: OCSP Revocation Checking Bypass in Apple App Store Server Python Library

A cryptographic validation flaw in the Apple App Store Server Python Library allows an attacker to bypass Online Certificate Status Protocol (OCSP) revocation checks. When online verification is enabled, the library fails to validate temporal constraints on OCSP response payloads. This flaw enables network-positioned adversaries to perform OCSP replay attacks, forcing the application to accept JSON Web Signatures (JWS) signed by revoked certificates.

Alon Barad
Alon Barad
8 views•5 min read
•1 day ago•GHSA-7XW9-549R-8JRC
8.5

GHSA-7XW9-549R-8JRC: SQL Injection and Improper Access Control in DIRAC PilotManager

The DIRAC PilotManager component contains combined security weaknesses: a SQL injection vulnerability (CWE-89) in the PilotAgentsDB database interaction layer, and an improper access control configuration (CWE-284) within the default authorization structure. A low-privilege authenticated attacker can bypass intended authorization checks to run administrative commands, manipulate grid job tracking records, and execute arbitrary SQL statements against the backend database.

Alon Barad
Alon Barad
8 views•5 min read