cvelistv5 - CVE-2025-54590

CVE-2025-54590 (GCVE-0-2025-54590)

Vulnerability from cvelistv5 – Published: 2025-08-01 18:03 – Updated: 2025-08-01 18:39

Title

webfinger.js is vulnerable to Blind SSRF attacks through localhost

Summary

webfinger.js is a TypeScript-based WebFinger client that runs in both browsers and Node.js environments. In versions 2.8.0 and below, the lookup function accepts user addresses for account checking. However, the ActivityPub specification requires preventing access to localhost services in production. This library does not prevent localhost access, only checking for hosts that start with "localhost" and end with a port. Users can exploit this by creating servers that send GET requests with controlled host, path, and port parameters to query services on the instance's host or local network, enabling blind SSRF attacks. This is fixed in version 2.8.1.

Severity ?

6.9 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

CWE

CWE-918 - Server-Side Request Forgery (SSRF)

Assigner

GitHub_M

References

URL

Tags

	https://github.com/silverbucket/webfinger.js/secu…	x_refsource_CONFIRM
	https://github.com/silverbucket/webfinger.js/comm…	x_refsource_MISC
	https://github.com/silverbucket/webfinger.js/rele…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	silverbucket	webfinger.js	Affected: < 2.8.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-54590",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-08-01T18:39:19.551343Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-08-01T18:39:35.748Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "webfinger.js",
          "vendor": "silverbucket",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.8.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "webfinger.js is a TypeScript-based WebFinger client that runs in both browsers and Node.js environments. In versions 2.8.0 and below, the lookup function accepts user addresses for account checking. However, the ActivityPub specification requires preventing access to localhost services in production. This library does not prevent localhost access, only checking for hosts that start with \"localhost\" and end with a port. Users can exploit this by creating servers that send GET requests with controlled host, path, and port parameters to query services on the instance\u0027s host or local network, enabling blind SSRF attacks. This is fixed in version 2.8.1."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "CWE-918: Server-Side Request Forgery (SSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-01T18:03:41.619Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/silverbucket/webfinger.js/security/advisories/GHSA-8xq3-w9fx-74rv",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/silverbucket/webfinger.js/security/advisories/GHSA-8xq3-w9fx-74rv"
        },
        {
          "name": "https://github.com/silverbucket/webfinger.js/commit/b5f2f2c957297d25f4d76072963fccaee2e3095a",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/silverbucket/webfinger.js/commit/b5f2f2c957297d25f4d76072963fccaee2e3095a"
        },
        {
          "name": "https://github.com/silverbucket/webfinger.js/releases/tag/v2.8.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/silverbucket/webfinger.js/releases/tag/v2.8.1"
        }
      ],
      "source": {
        "advisory": "GHSA-8xq3-w9fx-74rv",
        "discovery": "UNKNOWN"
      },
      "title": "webfinger.js is vulnerable to Blind SSRF attacks through localhost"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-54590",
    "datePublished": "2025-08-01T18:03:41.619Z",
    "dateReserved": "2025-07-25T16:19:16.094Z",
    "dateUpdated": "2025-08-01T18:39:35.748Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-54590\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-08-01T18:15:55.577\",\"lastModified\":\"2025-08-04T15:06:15.833\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"webfinger.js is a TypeScript-based WebFinger client that runs in both browsers and Node.js environments. In versions 2.8.0 and below, the lookup function accepts user addresses for account checking. However, the ActivityPub specification requires preventing access to localhost services in production. This library does not prevent localhost access, only checking for hosts that start with \\\"localhost\\\" and end with a port. Users can exploit this by creating servers that send GET requests with controlled host, path, and port parameters to query services on the instance\u0027s host or local network, enabling blind SSRF attacks. This is fixed in version 2.8.1.\"},{\"lang\":\"es\",\"value\":\"webfinger.js es un cliente WebFinger basado en TypeScript que funciona tanto en navegadores como en entornos Node.js. En las versiones 2.8.0 y anteriores, la funci\u00f3n de b\u00fasqueda acepta direcciones de usuario para la comprobaci\u00f3n de cuentas. Sin embargo, la especificaci\u00f3n ActivityPub exige impedir el acceso a los servicios del host local en producci\u00f3n. Esta librer\u00eda no impide el acceso al host local, sino que solo comprueba los hosts que empiezan por \\\"localhost\\\" y terminan con un puerto. Los usuarios pueden aprovechar esto creando servidores que env\u00eden solicitudes GET con par\u00e1metros de host, ruta y puerto controlados para consultar servicios en el host o la red local de la instancia, lo que permite ataques SSRF ciegos. Esto se ha corregido en la versi\u00f3n 2.8.1.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":6.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"LOW\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-918\"}]}],\"references\":[{\"url\":\"https://github.com/silverbucket/webfinger.js/commit/b5f2f2c957297d25f4d76072963fccaee2e3095a\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/silverbucket/webfinger.js/releases/tag/v2.8.1\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/silverbucket/webfinger.js/security/advisories/GHSA-8xq3-w9fx-74rv\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-54590\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-08-01T18:39:19.551343Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-08-01T18:39:23.350Z\"}}], \"cna\": {\"title\": \"webfinger.js is vulnerable to Blind SSRF attacks through localhost\", \"source\": {\"advisory\": \"GHSA-8xq3-w9fx-74rv\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 6.9, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"silverbucket\", \"product\": \"webfinger.js\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 2.8.1\"}]}], \"references\": [{\"url\": \"https://github.com/silverbucket/webfinger.js/security/advisories/GHSA-8xq3-w9fx-74rv\", \"name\": \"https://github.com/silverbucket/webfinger.js/security/advisories/GHSA-8xq3-w9fx-74rv\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/silverbucket/webfinger.js/commit/b5f2f2c957297d25f4d76072963fccaee2e3095a\", \"name\": \"https://github.com/silverbucket/webfinger.js/commit/b5f2f2c957297d25f4d76072963fccaee2e3095a\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/silverbucket/webfinger.js/releases/tag/v2.8.1\", \"name\": \"https://github.com/silverbucket/webfinger.js/releases/tag/v2.8.1\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"webfinger.js is a TypeScript-based WebFinger client that runs in both browsers and Node.js environments. In versions 2.8.0 and below, the lookup function accepts user addresses for account checking. However, the ActivityPub specification requires preventing access to localhost services in production. This library does not prevent localhost access, only checking for hosts that start with \\\"localhost\\\" and end with a port. Users can exploit this by creating servers that send GET requests with controlled host, path, and port parameters to query services on the instance\u0027s host or local network, enabling blind SSRF attacks. This is fixed in version 2.8.1.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-918\", \"description\": \"CWE-918: Server-Side Request Forgery (SSRF)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-08-01T18:03:41.619Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-54590\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-08-01T18:39:35.748Z\", \"dateReserved\": \"2025-07-25T16:19:16.094Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-08-01T18:03:41.619Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GHSA-8XQ3-W9FX-74RV

Vulnerability from github – Published: 2025-07-28 16:41 – Updated: 2025-08-01 18:36

Summary

webfinger.js Blind SSRF Vulnerability

Details

Description

The lookup function takes a user address for checking accounts as a feature, however, as per the ActivityPub spec (https://www.w3.org/TR/activitypub/#security-considerations), on the security considerations section at B.3, access to Localhost services should be prevented while running in production. The library does not prevent Localhost access (neither does it prevent LAN addresses such as 192.168.x.x) , thus is not safe for use in production by ActivityPub applications. The only check for localhost is done for selecting between HTTP and HTTPS protocols, and it is done by testing for a host that starts with the string “localhost” and ends with a port. Anything else (such as “127.0.0.1” or “localhost:1234/abc”) would not be considered localhost for this test.

In addition, the way that the function determines the host, makes it possible to access any path in the host, not only “/.well-known/...” paths:

if (address.indexOf('://') > -1) {
  // other uri format
  host = address.replace(/ /g,'').split('/')[2];
} else {
  // useraddress
  host = address.replace(/ /g,'').split('@')[1];
}

var uri_index = 0; // track which URIS we've tried already
var protocol = 'https'; // we use https by default

if (self.__isLocalhost(host)) {
  protocol = 'http';
}

function __buildURL() {
  var uri = '';
  if (! address.split('://')[1]) {
  // the URI has not been defined, default to acct
    uri = 'acct:';
  }
  return protocol + '://' + host + '/.well-known/' +URIS[uri_index] + '?resource=' + uri + address;
}

If the address is in the format of a user address (user@host.com), the host will be anything after the first found @ symbol. Since no other test is done, an adversary may pass a specially crafted address such as user@localhost:7000/admin/restricted_page? and reach pages that would normally be out of reach. In this example, the code would treat localhost:7000/admin/restricted_page? as the host, and the created URL would be https://localhost:7000/admin/restricted_page?/.well-known/webfinger?resource=acct:use r@localhost:7000/admin/restricted_page?. A server listening on localhost:7000 will then parse the request as a GET request for the page /admin/restricted_page with the query string /.well-known/webfinger?resource=acct:user@localhost:7000/admin/restricted_page?.

PoC and Steps to reproduce

This PoC assumes that there is a server on the machine listening on port 3000, which receives requests for WebFinger lookups on the address /api/v1/search_user, and then calls the lookup function in webfinger.js with the user passed as an argument. For the sake of the example we assume that the server configured webfinger.js with tls_only=false.

Activate a local HTTP server listening to port 1234 with a “secret.txt” file:

python3 -m http.server 1234

Run the following command:

curl
"http://localhost:3000/api/v1/search_user?search=user@localhost:1234/secret.txt
?"

View the console of the Python’s HTTP server and see that a request for a “secret.txt?/.well-known/webfinger?resource=acct:user@localhost:1234/secret.txt ?” file was performed. This proves that we can redirect the URL to any domain and path we choose, including localhost and the internal LAN.

Impact

Due to this issue, any user can cause a server using the library to send GET requests with controlled host, path and port in an attempt to query services running on the instance’s host or local network, and attempt to execute a Blind-SSRF gadget in hope of targeting a known vulnerable local service running on the victim’s machine.

References

The vulnerability was discovered by Ori Hollander of the JFrog Vulnerability Research team.

Severity ?

6.9 (Medium)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.8.0"
      },
      "package": {
        "ecosystem": "npm",
        "name": "webfinger.js"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.8.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-54590"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-07-28T16:41:06Z",
    "nvd_published_at": "2025-08-01T18:15:55Z",
    "severity": "MODERATE"
  },
  "details": "### Description\nThe lookup function takes a user address for checking accounts as a feature, however, as per\nthe ActivityPub spec (https://www.w3.org/TR/activitypub/#security-considerations), on the\nsecurity considerations section at B.3, access to Localhost services should be prevented while\nrunning in production. The library does not prevent Localhost access (neither does it prevent\nLAN addresses such as 192.168.x.x) , thus is not safe for use in production by ActivityPub\napplications. The only check for localhost is done for selecting between HTTP and HTTPS\nprotocols, and it is done by testing for a host that starts with the string \u201clocalhost\u201d and ends with\na port. Anything else (such as \u201c127.0.0.1\u201d or \u201clocalhost:1234/abc\u201d) would not be considered\nlocalhost for this test.\n\nIn addition, the way that the function determines the host, makes it possible to access any path\nin the host, not only \u201c/.well-known/...\u201d paths:\n\n```javascript\nif (address.indexOf(\u0027://\u0027) \u003e -1) {\n  // other uri format\n  host = address.replace(/ /g,\u0027\u0027).split(\u0027/\u0027)[2];\n} else {\n  // useraddress\n  host = address.replace(/ /g,\u0027\u0027).split(\u0027@\u0027)[1];\n}\n\nvar uri_index = 0; // track which URIS we\u0027ve tried already\nvar protocol = \u0027https\u0027; // we use https by default\n\nif (self.__isLocalhost(host)) {\n  protocol = \u0027http\u0027;\n}\n\nfunction __buildURL() {\n  var uri = \u0027\u0027;\n  if (! address.split(\u0027://\u0027)[1]) {\n  // the URI has not been defined, default to acct\n    uri = \u0027acct:\u0027;\n  }\n  return protocol + \u0027://\u0027 + host + \u0027/.well-known/\u0027 +URIS[uri_index] + \u0027?resource=\u0027 + uri + address;\n}\n```\n\nIf the address is in the format of a user address (user@host.com), the host will be anything\nafter the first found @ symbol. Since no other test is done, an adversary may pass a specially\ncrafted address such as user@localhost:7000/admin/restricted_page? and reach pages that\nwould normally be out of reach. In this example, the code would treat\nlocalhost:7000/admin/restricted_page? as the host, and the created URL would be\nhttps://localhost:7000/admin/restricted_page?/.well-known/webfinger?resource=acct:use\nr@localhost:7000/admin/restricted_page?. A server listening on localhost:7000 will then\nparse the request as a GET request for the page /admin/restricted_page with the query string\n/.well-known/webfinger?resource=acct:user@localhost:7000/admin/restricted_page?.\n\n### PoC and Steps to reproduce\nThis PoC assumes that there is a server on the machine listening on port 3000, which receives\nrequests for WebFinger lookups on the address /api/v1/search_user, and then calls the lookup\nfunction in webfinger.js with the user passed as an argument. For the sake of the example we\nassume that the server configured webfinger.js with tls_only=false.\n\n\n1. Activate a local HTTP server listening to port 1234 with a \u201csecret.txt\u201d file:\n\n```\npython3 -m http.server 1234\n```\n\n2. Run the following command:\n\n```\ncurl\n\"http://localhost:3000/api/v1/search_user?search=user@localhost:1234/secret.txt\n?\"\n```\n\n3. View the console of the Python\u2019s HTTP server and see that a request for a\n\u201csecret.txt?/.well-known/webfinger?resource=acct:user@localhost:1234/secret.txt\n?\u201d file was performed.\nThis proves that we can redirect the URL to any domain and path we choose, including\nlocalhost and the internal LAN.\n\n\n### Impact\nDue to this issue, any user can cause a server using the library to send GET requests with\ncontrolled host, path and port in an attempt to query services running on the instance\u2019s host or\nlocal network, and attempt to execute a Blind-SSRF gadget in hope of targeting a known\nvulnerable local service running on the victim\u2019s machine.\n\n\n### References\nThe vulnerability was discovered by Ori Hollander of the JFrog Vulnerability Research team.",
  "id": "GHSA-8xq3-w9fx-74rv",
  "modified": "2025-08-01T18:36:22Z",
  "published": "2025-07-28T16:41:06Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/silverbucket/webfinger.js/security/advisories/GHSA-8xq3-w9fx-74rv"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54590"
    },
    {
      "type": "WEB",
      "url": "https://github.com/silverbucket/webfinger.js/commit/b5f2f2c957297d25f4d76072963fccaee2e3095a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/silverbucket/webfinger.js"
    },
    {
      "type": "WEB",
      "url": "https://github.com/silverbucket/webfinger.js/releases/tag/v2.8.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "webfinger.js Blind SSRF Vulnerability"
}

FKIE_CVE-2025-54590

Vulnerability from fkie_nvd - Published: 2025-08-01 18:15 - Updated: 2025-08-04 15:06

Severity ?

6.9 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/silverbucket/webfinger.js/commit/b5f2f2c957297d25f4d76072963fccaee2e3095a
	security-advisories@github.com	https://github.com/silverbucket/webfinger.js/releases/tag/v2.8.1
	security-advisories@github.com	https://github.com/silverbucket/webfinger.js/security/advisories/GHSA-8xq3-w9fx-74rv

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "webfinger.js is a TypeScript-based WebFinger client that runs in both browsers and Node.js environments. In versions 2.8.0 and below, the lookup function accepts user addresses for account checking. However, the ActivityPub specification requires preventing access to localhost services in production. This library does not prevent localhost access, only checking for hosts that start with \"localhost\" and end with a port. Users can exploit this by creating servers that send GET requests with controlled host, path, and port parameters to query services on the instance\u0027s host or local network, enabling blind SSRF attacks. This is fixed in version 2.8.1."
    },
    {
      "lang": "es",
      "value": "webfinger.js es un cliente WebFinger basado en TypeScript que funciona tanto en navegadores como en entornos Node.js. En las versiones 2.8.0 y anteriores, la funci\u00f3n de b\u00fasqueda acepta direcciones de usuario para la comprobaci\u00f3n de cuentas. Sin embargo, la especificaci\u00f3n ActivityPub exige impedir el acceso a los servicios del host local en producci\u00f3n. Esta librer\u00eda no impide el acceso al host local, sino que solo comprueba los hosts que empiezan por \"localhost\" y terminan con un puerto. Los usuarios pueden aprovechar esto creando servidores que env\u00eden solicitudes GET con par\u00e1metros de host, ruta y puerto controlados para consultar servicios en el host o la red local de la instancia, lo que permite ataques SSRF ciegos. Esto se ha corregido en la versi\u00f3n 2.8.1."
    }
  ],
  "id": "CVE-2025-54590",
  "lastModified": "2025-08-04T15:06:15.833",
  "metrics": {
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 6.9,
          "baseSeverity": "MEDIUM",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "LOW",
          "vulnIntegrityImpact": "NONE",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-08-01T18:15:55.577",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/silverbucket/webfinger.js/commit/b5f2f2c957297d25f4d76072963fccaee2e3095a"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/silverbucket/webfinger.js/releases/tag/v2.8.1"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/silverbucket/webfinger.js/security/advisories/GHSA-8xq3-w9fx-74rv"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-918"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-54590 (GCVE-0-2025-54590)

GHSA-8XQ3-W9FX-74RV

Description

PoC and Steps to reproduce

Impact

References

FKIE_CVE-2025-54590

Tags

Sightings

Nomenclature