Fedify previously implemented SSRF protections by validating public URLs before fetching documents and media. However, the IPv4 validation logic in versions >=0.11.2 and <1.9.12, <1.10.11, <2.0.19, <2.1.15, and <2.2.4 is incomplete. The isValidPublicIPv4Address() function blocks common private and local IP ranges but does not block several special-use, reserved, multicast, benchmarking, and carrier-grade NAT IPv4 ranges. Since validatePublicUrl() depends on this function, SSRF protections can be bypassed, allowing an attacker to make server-side requests to unintended internal or reserved IP addresses. The issue is addressed in versions 1.9.12, 1.10.11, 2.0.19, 2.1.15, and 2.2.4 with updated patches.

Successful exploitation allows an attacker to perform server-side request forgery (SSRF), potentially accessing internal network resources or services that should be inaccessible. This can lead to information disclosure (high confidentiality impact), limited integrity impact, and limited availability impact. The CVSS score of 8.6 reflects high severity with network attack vector, low attack complexity, no privileges required, and no user interaction needed.

Updated patched versions 1.9.12, 1.10.11, 2.0.19, 2.1.15, and 2.2.4 contain fixes for the incomplete IPv4 validation logic and should be applied to remediate this vulnerability. Since no official vendor advisory or patch links are provided, users should verify and upgrade to these fixed versions. Patch status is not yet confirmed by vendor advisory; check the vendor's official resources for the latest remediation guidance.