Releases: dahlia/fedify
Fedify 1.3.4
Released on January 21, 2025.
- Fixed several security vulnerabilities of the lookupWebFinger() function. [CVE-2025-23221]
  - Fixed a security vulnerability where the lookupWebFinger() function followed an unlimited number of redirects, which could lead to a denial of service attack. Now it follows up to 5 redirects.
  - Fixed a security vulnerability where the lookupWebFinger() function followed redirects to schemes other than HTTP/HTTPS, which could lead to a security breach. Now it follows only the same scheme as the original request.
  - Fixed a security vulnerability where the lookupWebFinger() function followed redirects to private network addresses, which could lead to an SSRF attack. Now it follows only the public network addresses.
Fedify 1.2.11
Released on January 21, 2025.
- Fixed several security vulnerabilities of the lookupWebFinger() function. [CVE-2025-23221]
  - Fixed a security vulnerability where the lookupWebFinger() function followed an unlimited number of redirects, which could lead to a denial of service attack. Now it follows up to 5 redirects.
  - Fixed a security vulnerability where the lookupWebFinger() function followed redirects to schemes other than HTTP/HTTPS, which could lead to a security breach. Now it follows only the same scheme as the original request.
  - Fixed a security vulnerability where the lookupWebFinger() function followed redirects to private network addresses, which could lead to an SSRF attack. Now it follows only the public network addresses.
Fedify 1.1.11
Released on January 21, 2025.
- Fixed several security vulnerabilities of the lookupWebFinger() function. [CVE-2025-23221]
  - Fixed a security vulnerability where the lookupWebFinger() function followed an unlimited number of redirects, which could lead to a denial of service attack. Now it follows up to 5 redirects.
  - Fixed a security vulnerability where the lookupWebFinger() function followed redirects to schemes other than HTTP/HTTPS, which could lead to a security breach. Now it follows only the same scheme as the original request.
  - Fixed a security vulnerability where the lookupWebFinger() function followed redirects to private network addresses, which could lead to an SSRF attack. Now it follows only the public network addresses.
Fedify 1.0.14
Released on January 21, 2025.
- Fixed several security vulnerabilities of the lookupWebFinger() function. [CVE-2025-23221]
  - Fixed a security vulnerability where the lookupWebFinger() function followed an unlimited number of redirects, which could lead to a denial of service attack. Now it follows up to 5 redirects.
  - Fixed a security vulnerability where the lookupWebFinger() function followed redirects to schemes other than HTTP/HTTPS, which could lead to a security breach. Now it follows only the same scheme as the original request.
  - Fixed a security vulnerability where the lookupWebFinger() function followed redirects to private network addresses, which could lead to an SSRF attack. Now it follows only the public network addresses.
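The three redirect rules listed for 1.3.4, 1.2.11, 1.1.11 and 1.0.14 above (at most 5 redirects, same scheme as the original request, public addresses only) can be enforced by following redirects by hand. The sketch below is an added example, not Fedify's own code; the names `isPrivateHost`, `nextHop` and `fetchWithChecks` are hypothetical, and it assumes a server-side runtime such as Node.js where `redirect: "manual"` exposes the `Location` header.

```javascript
// Added example; all names are hypothetical, not Fedify's API.
const MAX_REDIRECTS = 5; // limit stated in the release notes

// True when `hostname` (as returned by URL.hostname) is not a public address.
// Assumption: only IP literals and localhost are checked; a DNS name must also
// be resolved and every resolved address checked before connecting.
function isPrivateHost(hostname) {
  const h = hostname.replace(/^\[|\]$/g, "").toLowerCase();
  if (h === "localhost" || h.endsWith(".localhost")) return true;
  const v4 = h.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
  if (v4) {
    const a = Number(v4[1]), b = Number(v4[2]);
    return a === 0 || a === 10 || a === 127 ||
      (a === 100 && b >= 64 && b <= 127) || // carrier-grade NAT
      (a === 169 && b === 254) ||           // link-local, cloud metadata
      (a === 172 && b >= 16 && b <= 31) ||
      (a === 192 && b === 168);
  }
  if (!h.includes(":")) return false; // a DNS name: see assumption above
  // IPv6: unspecified, loopback, unique-local, link-local; IPv4-mapped
  // addresses are rejected wholesale to stay conservative.
  return h === "::" || h === "::1" || /^f[cd][0-9a-f]{2}:/.test(h) ||
    /^fe[89ab][0-9a-f]:/.test(h) || h.startsWith("::ffff:");
}

// Validates redirect number `hop` (1-based) and returns the next absolute URL.
function nextHop(original, current, location, hop) {
  if (hop > MAX_REDIRECTS) throw new Error("too many redirects");
  const next = new URL(location, current); // Location may be relative
  if (next.protocol !== new URL(original).protocol) {
    throw new Error("scheme changed");
  }
  if (isPrivateHost(next.hostname)) throw new Error("private address");
  return next.href;
}

// Follows redirects by hand so that every hop passes through nextHop().
async function fetchWithChecks(url, fetchImpl = fetch) {
  let current = url;
  for (let hop = 1; ; hop++) {
    const res = await fetchImpl(current, { redirect: "manual" });
    const location = res.headers.get("location");
    if (res.status < 300 || res.status >= 400 || location == null) return res;
    current = nextHop(url, current, location, hop);
  }
}
```

Because `URL` normalizes alternative IPv4 spellings (decimal or hex integers) to dotted form before the check runs, comparing against `next.hostname` rather than the raw `Location` string closes that bypass.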
Fedify 1.3.3
Released on December 30, 2024.
- The fetchDocumentLoader() function now preloads the following JSON-LD context: https://gotosocial.org/ns.
Fedify 1.3.2
Released on December 18, 2024.
- Fixed the default document loader to handle the Link header with incorrect syntax. [#196]
Fedify 1.2.10
Released on December 18, 2024.
- Fixed the default document loader to handle the Link header with incorrect syntax. [#196]
Fedify 1.1.10
Released on December 18, 2024.
- Fixed the default document loader to handle the Link header with incorrect syntax. [#196]
Fedify 1.0.13
Released on December 18, 2024.
- Fixed the default document loader to handle the Link header with incorrect syntax. [#196]
Fedify 1.3.1
Released on December 11, 2024.
- Fixed idempotence check in inbox listeners to ensure activities for different origins are processed correctly.