Fedify security updates: 1.9.10, 1.10.9, 2.0.16, 2.1.12, and 2.2.1

[dahlia]

If you use Fedify, update to a patched release now. A private network protection bypass affects Fedify's remote document loading code. URLs with private IPv4 addresses encoded as IPv4-mapped IPv6 literals, such as http://[::ffff:7f00:1]/, could pass validatePublicUrl() even though they refer to private or loopback addresses.

Fedify uses validatePublicUrl() when fetching remote ActivityPub documents and related resources. An attacker who can make a Fedify server fetch an attacker-controlled URL may be able to bypass the private address checks that are intended to reduce SSRF risk.

All versions up to and including 2.2.0 are affected. Patched releases are 1.9.10, 1.10.9, 2.0.16, 2.1.12, and 2.2.1.

For Fedify 1.x, update @fedify/fedify:

npm  update  @fedify/fedify
yarn upgrade @fedify/fedify
pnpm update  @fedify/fedify
bun  update  @fedify/fedify
deno update  @fedify/fedify

For Fedify 2.x, update both @fedify/fedify and @fedify/vocab-runtime:

npm  update  @fedify/fedify @fedify/vocab-runtime
yarn upgrade @fedify/fedify @fedify/vocab-runtime
pnpm update  @fedify/fedify @fedify/vocab-runtime
bun  update  @fedify/fedify @fedify/vocab-runtime
deno update  @fedify/fedify @fedify/vocab-runtime

After updating, redeploy. If you run other Fedify-based servers, update those too.

Thanks to @comfuture for the report and responsible disclosure.

If anything is unclear, ask below.