
CVE-2025-54590: CWE-918: Server-Side Request Forgery (SSRF) in silverbucket webfinger.js

Medium
Tags: Vulnerability, CVE-2025-54590, CWE-918
Published: Fri Aug 01 2025 (08/01/2025, 18:03:41 UTC)
Source: CVE Database V5
Vendor/Project: silverbucket
Product: webfinger.js

Description

webfinger.js is a TypeScript-based WebFinger client that runs in both browsers and Node.js environments. In versions 2.8.0 and below, the lookup function accepts user addresses for account checking. However, the ActivityPub specification requires preventing access to localhost services in production. This library does not prevent localhost access, only checking for hosts that start with "localhost" and end with a port. Users can exploit this by creating servers that send GET requests with controlled host, path, and port parameters to query services on the instance's host or local network, enabling blind SSRF attacks. This is fixed in version 2.8.1.

AI-Powered Analysis

Last updated: 08/01/2025, 18:33:31 UTC

Technical Analysis

CVE-2025-54590 is a Server-Side Request Forgery (SSRF) vulnerability identified in the silverbucket webfinger.js library, versions 2.8.0 and below. webfinger.js is a TypeScript-based WebFinger client used in both browser and Node.js environments to perform account lookups following the ActivityPub protocol. The vulnerability arises because the library's lookup function does not adequately restrict requests to localhost or local network services, violating the ActivityPub specification requirement to block such access in production environments. Specifically, the library only blocks hosts that start with "localhost" and end with a port number, but this check is insufficient. Attackers can exploit this by crafting servers that send GET requests with controlled host, path, and port parameters, enabling blind SSRF attacks. This allows an attacker to make the vulnerable server perform HTTP requests to internal services on the host or local network, potentially accessing sensitive internal resources or triggering unintended actions. The vulnerability has a CVSS 4.0 base score of 6.9 (medium severity), reflecting network attack vector, low attack complexity, no privileges or user interaction required, and limited impact on confidentiality. No known exploits are reported in the wild, and the issue was fixed in version 2.8.1 of webfinger.js. The vulnerability is classified under CWE-918, which covers SSRF weaknesses where an attacker can induce the server to make HTTP requests to arbitrary domains, including internal ones.

Potential Impact

For European organizations using webfinger.js versions prior to 2.8.1, this SSRF vulnerability poses a risk of unauthorized internal network reconnaissance and potential access to sensitive internal services. Since webfinger.js is used in ActivityPub implementations, which are increasingly adopted in decentralized social networking and federated identity systems, exploitation could lead to leakage of internal metadata, unauthorized access to internal APIs, or pivoting to further internal attacks. The impact on confidentiality is moderate, as attackers can potentially access internal endpoints not exposed externally. Integrity and availability impacts are limited but could escalate if internal services are manipulated via SSRF. Given the lack of authentication or user interaction requirements, exploitation is relatively straightforward if the vulnerable library is exposed to attacker-controlled inputs. For European organizations, especially those involved in federated social platforms, identity management, or using Node.js-based services incorporating webfinger.js, this vulnerability could undermine trust and data privacy obligations under GDPR if internal data is exposed. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as the vulnerability is publicly disclosed.

Mitigation Recommendations

European organizations should immediately upgrade all instances of webfinger.js to version 2.8.1 or later, where the SSRF vulnerability is fixed by proper localhost and internal network access restrictions. Additionally, organizations should implement network-level controls such as firewall rules to restrict outbound HTTP requests from application servers to only necessary external endpoints, blocking internal IP ranges where possible. Application-level input validation should be enhanced to sanitize and whitelist acceptable hostnames and ports for WebFinger lookups, preventing attacker-controlled parameters from triggering SSRF. Monitoring and logging of outbound HTTP requests from services using webfinger.js should be enabled to detect anomalous or unexpected internal requests. For critical environments, consider deploying Web Application Firewalls (WAFs) with SSRF detection capabilities. Finally, conduct security reviews of all federated identity and ActivityPub-related components to ensure compliance with best practices and specifications, including strict localhost and internal network access prevention.
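The description above says the pre-2.8.1 check only caught hosts of the form "localhost" plus a port, and the mitigation paragraph recommends validating hostnames and ports before a lookup. The following TypeScript is an added example written for this page; it is not code from webfinger.js or its maintainers. `weakIsBlocked()` is a reconstruction of the behaviour the advisory describes and is an assumption about the old check, not the library's source. `rejectReason()` is a hardened validator for the host[:port] part of a WebFinger address that rejects localhost names, loopback, link-local, RFC 1918 and CGNAT IPv4 literals, internal IPv6 literals (including IPv4-mapped ones), and decimal/hex/short IPv4 spellings that many resolvers accept; the "443 only" rule is a policy assumption based on RFC 7033 requiring HTTPS.

```typescript
// Added example, not code from webfinger.js or its maintainers: a host validator
// for outbound WebFinger lookups that rejects loopback, link-local and private
// destinations. weakIsBlocked() is a reconstruction of the behaviour the advisory
// describes (only "localhost" followed by a port is blocked) and is an assumption
// about the pre-2.8.1 check, not the library's actual source.

// Weak check modelled on the advisory text (assumed): blocks "localhost:<port>" only.
function weakIsBlocked(host: string): boolean {
  return /^localhost:\d+$/.test(host);
}

// Parse a dotted-quad IPv4 literal into four octets, or null if it is not one.
function parseIPv4(host: string): number[] | null {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((o) => o <= 255) ? octets : null;
}

// True when the IPv4 address lies in a range that must never be a lookup target:
// loopback, "this host", link-local (incl. cloud metadata), RFC 1918, CGNAT.
function isInternalIPv4([a, b]: number[]): boolean {
  if (a === 127 || a === 0 || a === 10) return true;     // 127/8, 0/8, 10/8
  if (a === 169 && b === 254) return true;                // 169.254/16
  if (a === 172 && b >= 16 && b <= 31) return true;       // 172.16/12
  if (a === 192 && b === 168) return true;                // 192.168/16
  if (a === 100 && b >= 64 && b <= 127) return true;      // 100.64/10
  return false;
}

// True when an IPv6 literal (brackets already stripped) is loopback, unspecified,
// link-local, unique-local, or an IPv4-mapped address whose IPv4 part is internal.
function isInternalIPv6(host: string): boolean {
  const h = host.toLowerCase();
  if (h === "::1" || h === "::") return true;
  if (h.startsWith("fe80:") || h.startsWith("fc") || h.startsWith("fd")) return true;
  const mapped = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/.exec(h);
  if (mapped) {
    const v4 = parseIPv4(mapped[1]);
    return v4 === null || isInternalIPv4(v4);
  }
  return false;
}

// Reusable at DNS-resolution time as well (e.g. from a custom lookup hook), since a
// public hostname may resolve to an internal address (DNS rebinding).
function isInternalIp(ip: string): boolean {
  const v4 = parseIPv4(ip);
  return v4 ? isInternalIPv4(v4) : isInternalIPv6(ip);
}

// Hardened check for the host[:port] part of a WebFinger address. Returns null when
// the target is acceptable, otherwise a short reason. Assumes lookups go over HTTPS
// on 443 only (RFC 7033 requires HTTPS), so any other explicit port is rejected.
function rejectReason(hostPort: string): string | null {
  let host = hostPort;
  let port = 443;
  let v6Literal = false;
  const bracketed = /^\[([^\]]+)\](?::(\d+))?$/.exec(hostPort);   // "[::1]:443"
  if (bracketed) {
    host = bracketed[1];
    v6Literal = true;
    if (bracketed[2] !== undefined) port = Number(bracketed[2]);
  } else if (hostPort.split(":").length > 2) {
    v6Literal = true;                                              // bare "::1"
  } else {
    const idx = hostPort.lastIndexOf(":");
    if (idx !== -1) {
      host = hostPort.slice(0, idx);
      port = Number(hostPort.slice(idx + 1));
    }
  }
  if (!Number.isInteger(port) || port !== 443) return `port ${port} not allowed`;
  if (v6Literal) return isInternalIPv6(host) ? "internal IPv6 literal" : null;

  const lower = host.toLowerCase().replace(/\.$/, "");   // drop trailing dot
  if (lower === "localhost" || lower.endsWith(".localhost")) return "localhost";
  const v4 = parseIPv4(lower);
  if (v4 && isInternalIPv4(v4)) return "internal IPv4 literal";
  // Decimal ("2130706433"), hex ("0x7f000001") and short ("127.1") IPv4 forms are
  // accepted by many resolvers and would bypass the dotted-quad check above.
  if (!v4 && (/^[0-9.]+$/.test(lower) || lower.startsWith("0x"))) return "ambiguous numeric host";
  if (!/^[a-z0-9.-]+$/.test(lower)) return "malformed host";
  return null;
}
```

A literal check like this only covers what the caller typed. Because a public hostname can resolve to an internal address, `isInternalIp()` should also be applied to the address the resolver returns (for example from a custom `lookup` on the Node.js HTTP agent) and redirects should be re-validated with the same function, which is the application-level complement to the outbound firewall rules recommended above.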


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-07-25T16:19:16.094Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 688d04c8ad5a09ad00cb187e

Added to database: 8/1/2025, 6:17:44 PM

Last enriched: 8/1/2025, 6:33:31 PM

Last updated: 8/2/2025, 11:15:04 AM
