CVE-2025-54590: CWE-918: Server-Side Request Forgery (SSRF) in silverbucket webfinger.js
webfinger.js is a TypeScript-based WebFinger client that runs in both browsers and Node.js environments. In versions 2.8.0 and below, the lookup function accepts user addresses for account checking. However, the ActivityPub specification requires preventing access to localhost services in production. This library does not prevent localhost access: its only check rejects hosts that start with "localhost" and end with a port. An attacker who controls the address being looked up can therefore make the library send GET requests with attacker-chosen host, path, and port parameters to query services on the instance's host or local network, enabling blind SSRF attacks. This is fixed in version 2.8.1.
AI Analysis
Technical Summary
CVE-2025-54590 is a Server-Side Request Forgery (SSRF) vulnerability identified in the silverbucket webfinger.js library, versions 2.8.0 and below. webfinger.js is a TypeScript-based WebFinger client used in both browser and Node.js environments to perform account lookups following the ActivityPub protocol.

The vulnerability arises because the library's lookup function does not adequately restrict requests to localhost or local network services, violating the ActivityPub specification requirement to block such access in production environments. Specifically, the library only blocks hosts that start with "localhost" and end with a port number; any other spelling of the local host or a literal internal IP address passes the check. Because the host, path, and port of the outgoing GET request are derived from the user address supplied to lookup, an attacker who controls that address can make the vulnerable server issue HTTP requests to internal services on the host or local network, enabling blind SSRF: the attacker does not see the response directly, but can still probe internal endpoints or trigger unintended actions on them.

The vulnerability has a CVSS 4.0 base score of 6.9 (medium severity), reflecting network attack vector, low attack complexity, no privileges or user interaction required, and limited impact on confidentiality. No known exploits are reported in the wild, and the issue was fixed in version 2.8.1 of webfinger.js. The vulnerability is classified under CWE-918, which covers SSRF weaknesses where an attacker can induce the server to make HTTP requests to arbitrary domains, including internal ones.
Potential Impact
For European organizations using webfinger.js versions prior to 2.8.1, this SSRF vulnerability poses a risk of unauthorized internal network reconnaissance and potential access to sensitive internal services. Since webfinger.js is used in ActivityPub implementations, which are increasingly adopted in decentralized social networking and federated identity systems, exploitation could lead to leakage of internal metadata, unauthorized access to internal APIs, or pivoting to further internal attacks. The impact on confidentiality is moderate, as attackers can potentially access internal endpoints not exposed externally. Integrity and availability impacts are limited but could escalate if internal services are manipulated via SSRF. Given the lack of authentication or user interaction requirements, exploitation is relatively straightforward if the vulnerable library is exposed to attacker-controlled inputs. For European organizations, especially those involved in federated social platforms, identity management, or using Node.js-based services incorporating webfinger.js, this vulnerability could undermine trust and data privacy obligations under GDPR if internal data is exposed. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as the vulnerability is publicly disclosed.
Mitigation Recommendations
European organizations should immediately upgrade all instances of webfinger.js to version 2.8.1 or later, where the SSRF vulnerability is fixed by proper localhost and internal network access restrictions. Additionally, organizations should implement network-level controls such as firewall rules to restrict outbound HTTP requests from application servers to only necessary external endpoints, blocking internal IP ranges where possible. Application-level input validation should be enhanced to sanitize and whitelist acceptable hostnames and ports for WebFinger lookups, preventing attacker-controlled parameters from triggering SSRF. Monitoring and logging of outbound HTTP requests from services using webfinger.js should be enabled to detect anomalous or unexpected internal requests. For critical environments, consider deploying Web Application Firewalls (WAFs) with SSRF detection capabilities. Finally, conduct security reviews of all federated identity and ActivityPub-related components to ensure compliance with best practices and specifications, including strict localhost and internal network access prevention.
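The following TypeScript is an added illustration, not code from webfinger.js. It contrasts the kind of check the technical summary describes (only hosts that start with "localhost" and end with a port are rejected, modelled here as isLocalWeak) with a host validator of the kind the mitigation section calls for, which also rejects loopback, unspecified, private and link-local addresses. The hardened check is one defensive design for an application wrapping WebFinger lookups, not the library's own 2.8.1 fix.

```typescript
// Added illustration (not webfinger.js code). isLocalWeak models the check
// described on the page; isLocalHardened is one defensive design, not the
// library's 2.8.1 fix.

// Weak check: "localhost:8080" is rejected, but "127.0.0.1:8080", "LOCALHOST"
// or "[::1]:443" all pass and would reach local services.
function isLocalWeak(host: string): boolean {
  return host.startsWith("localhost") && /:\d+$/.test(host);
}

// Parse a dotted-quad IPv4 literal into an unsigned 32-bit number, else null.
function ipv4ToInt(s: string): number | null {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  if (octets.some((o) => o > 255)) return null;
  return octets.reduce((acc, o) => ((acc << 8) | o) >>> 0, 0);
}

// Loopback, unspecified, private and link-local IPv4 ranges: [base, prefix bits].
const BLOCKED_V4: Array<[string, number]> = [
  ["127.0.0.0", 8], ["0.0.0.0", 8], ["10.0.0.0", 8],
  ["172.16.0.0", 12], ["192.168.0.0", 16], ["169.254.0.0", 16],
];

// Hardened check: normalise case, strip a port or IPv6 brackets, unwrap
// IPv4-mapped IPv6, then reject localhost names and blocked literal addresses.
function isLocalHardened(host: string): boolean {
  let h = host.trim().toLowerCase();
  if (h.startsWith("[")) {                          // "[::1]:443" -> "::1"
    const end = h.indexOf("]");
    h = end > 0 ? h.slice(1, end) : h.slice(1);
  } else if ((h.match(/:/g) ?? []).length === 1) {  // "host:port" -> "host"
    h = h.slice(0, h.indexOf(":"));
  }
  if (h.startsWith("::ffff:")) h = h.slice(7);      // "::ffff:127.0.0.1" -> IPv4
  if (h === "localhost" || h.endsWith(".localhost")) return true;
  if (h === "::1" || h === "::" || h === "0:0:0:0:0:0:0:1") return true;
  const ip = ipv4ToInt(h);
  if (ip === null) return false; // a DNS name: resolve it and re-check the address at connect time
  return BLOCKED_V4.some(([base, bits]) => {
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    return ((ip & mask) >>> 0) === (((ipv4ToInt(base) ?? 0) & mask) >>> 0);
  });
}
```

A string check like this only covers literal addresses; a DNS name that resolves to an internal address still has to be caught by re-validating the resolved address when the connection is made, which is why the page also recommends egress firewall rules and outbound request logging.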
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-07-25T16:19:16.094Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 688d04c8ad5a09ad00cb187e
Added to database: 8/1/2025, 6:17:44 PM
Last enriched: 8/1/2025, 6:33:31 PM
Last updated: 2/7/2026, 1:40:48 PM