GHSA-6JCC-XGCR-Q3H4

Vulnerability from github – Published: 2025-08-08 14:29 – Updated: 2025-08-11 13:56
VLAI?
Summary
@fedify/fedify has Improper Authentication and Incorrect Authorization
Details

Summary

An authentication bypass vulnerability allows any unauthenticated attacker to impersonate any ActivityPub actor by sending forged activities signed with their own keys. Activities are processed before verifying the signing key belongs to the claimed actor, enabling complete actor impersonation across all Fedify instances

Details

The vulnerability exists in handleInboxInternal function in fedify/federation/handler.ts. The critical flaw is in the order of operations:

  1. Line 1712: routeActivity() is called first, which processes the activity (either immediately or by adding to queue)
  2. Line 1730: Authentication check (doesActorOwnKey) happens AFTER processing
  // fedify/federation/handler.ts:1712-1750
  const routeResult = await routeActivity({  // ← Activity processed here
    context: ctx,
    json,
    activity,
    recipient,
    inboxListeners,
    inboxContextFactory,
    inboxErrorHandler,
    kv,
    kvPrefixes,
    queue,
    span,
    tracerProvider,
  });

  if (
    httpSigKey != null && !await doesActorOwnKey(activity, httpSigKey, ctx)  // ← Auth check too late
  ) {
    // Returns 401, but activity already processed
    return new Response("The signer and the actor do not match.", {
      status: 401,
      headers: { "Content-Type": "text/plain; charset=utf-8" },
    });
  }

By the time the 401 response is returned, the malicious activity has already been processed or queued.

PoC

  1. Create an activity claiming to be from any actor:
  const maliciousActivity = {
    "@context": "https://www.w3.org/ns/activitystreams",
    "type": "Create",
    "actor": "https://victim.example.com/users/alice",  // Impersonating victim
    "object": {
      "type": "Note",
      "content": "This is a forged message!"
    }
  }
  1. Sign the HTTP request with attacker's key (not the victim's):
  // Sign with attacker's key: https://attacker.com/users/eve#main-key
  const signedRequest = await signRequest(request, attackerPrivateKey, attackerKeyId);
  1. Send to any Fedify inbox - the activity will be processed despite the key mismatch.

Impact

Type: Authentication Bypass / Actor Impersonation

Who is impacted: All Fedify instances and their users

Consequences: Allows complete impersonation of any ActivityPub actor, enabling: - Sending fake posts/messages as any user - Creating/removing follows as any user - Boosting/sharing content as any user - Complete compromise of federation trust model

The vulnerability affects all Fedify instances but does not propagate to other ActivityPub implementations (Mastodon, etc.) which properly validate before processing.

Severity ?
8.7 (High)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@fedify/fedify"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.3.20"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@fedify/fedify"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.4.0-dev.585"
            },
            {
              "fixed": "1.4.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@fedify/fedify"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.5.0-dev.636"
            },
            {
              "fixed": "1.5.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@fedify/fedify"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.6.0-dev.754"
            },
            {
              "fixed": "1.6.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@fedify/fedify"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.7.0-pr.251.885"
            },
            {
              "fixed": "1.7.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@fedify/fedify"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.8.0-dev.909"
            },
            {
              "fixed": "1.8.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-54888"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-08-08T14:29:48Z",
    "nvd_published_at": "2025-08-09T02:15:37Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n An authentication bypass vulnerability allows any unauthenticated attacker to impersonate any ActivityPub actor by sending forged activities signed with their own keys. Activities are processed before verifying the signing key belongs to the claimed actor, enabling complete actor impersonation across all Fedify instances\n\n### Details\nThe vulnerability exists in handleInboxInternal function in fedify/federation/handler.ts. The critical flaw is in the order of operations:\n\n  1. Line 1712: routeActivity() is called first, which processes the activity (either immediately or by adding to queue)\n  2. Line 1730: Authentication check (doesActorOwnKey) happens AFTER processing\n\n```ts\n  // fedify/federation/handler.ts:1712-1750\n  const routeResult = await routeActivity({  // \u2190 Activity processed here\n    context: ctx,\n    json,\n    activity,\n    recipient,\n    inboxListeners,\n    inboxContextFactory,\n    inboxErrorHandler,\n    kv,\n    kvPrefixes,\n    queue,\n    span,\n    tracerProvider,\n  });\n\n  if (\n    httpSigKey != null \u0026\u0026 !await doesActorOwnKey(activity, httpSigKey, ctx)  // \u2190 Auth check too late\n  ) {\n    // Returns 401, but activity already processed\n    return new Response(\"The signer and the actor do not match.\", {\n      status: 401,\n      headers: { \"Content-Type\": \"text/plain; charset=utf-8\" },\n    });\n  }\n```\n\nBy the time the 401 response is returned, the malicious activity has already been processed or queued.\n\n### PoC\n\n  1. Create an activity claiming to be from any actor:\n```ts\n  const maliciousActivity = {\n    \"@context\": \"https://www.w3.org/ns/activitystreams\",\n    \"type\": \"Create\",\n    \"actor\": \"https://victim.example.com/users/alice\",  // Impersonating victim\n    \"object\": {\n      \"type\": \"Note\",\n      \"content\": \"This is a forged message!\"\n    }\n  }\n```\n  2. Sign the HTTP request with attacker\u0027s key (not the victim\u0027s):\n```ts\n  // Sign with attacker\u0027s key: https://attacker.com/users/eve#main-key\n  const signedRequest = await signRequest(request, attackerPrivateKey, attackerKeyId);\n```\n  3. Send to any Fedify inbox - the activity will be processed despite the key mismatch.\n\n### Impact\n\nType: Authentication Bypass / Actor Impersonation\n\nWho is impacted: All Fedify instances and their users\n\nConsequences: Allows complete impersonation of any ActivityPub actor, enabling:\n  - Sending fake posts/messages as any user\n  - Creating/removing follows as any user\n  - Boosting/sharing content as any user\n  - Complete compromise of federation trust model\n\nThe vulnerability affects all Fedify instances but does not propagate to other ActivityPub implementations (Mastodon, etc.) which properly validate before processing.",
  "id": "GHSA-6jcc-xgcr-q3h4",
  "modified": "2025-08-11T13:56:21Z",
  "published": "2025-08-08T14:29:48Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/fedify-dev/fedify/security/advisories/GHSA-6jcc-xgcr-q3h4"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54888"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fedify-dev/fedify/commit/226d9b84dbec52172a70138bba8861454afde42b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/fedify-dev/fedify"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "@fedify/fedify has Improper Authentication and Incorrect Authorization"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.