Advisory Database
  • Advisories
  • Dependency Scanning
  1. npm
  2. ›
  3. @fedify/fedify
  4. ›
  5. CVE-2026-50131

CVE-2026-50131: Fedify has an incomplete SSRF mitigation after GHSA-p9cg-vqcc-grcx: validatePublicUrl allows special-use IPv4 ranges

July 14, 2026

Fedify previously addressed SSRF/internal network access in GHSA-p9cg-vqcc-grcx by adding public URL validation before runtime document and media fetching. However, the current IPv4 validation logic appears incomplete.

The validatePublicUrl() protection relies on isValidPublicIPv4Address() to reject non-public IPv4 destinations. The function blocks common private and local ranges such as 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, and 192.168.0.0/16, but it still treats several special-use, reserved, multicast, benchmarking, and carrier-grade NAT IPv4 ranges as valid public destinations.

Because this validation is used as an SSRF defense before outbound fetches, this appears to be an incomplete mitigation or bypass class for the previous SSRF issue.

I tested this against the current repository code at unreleased version 2.3.0. I used >=0.11.2, <=2.2.3 as the suspected affected range because 0.11.2 is listed as a patched version for GHSA-p9cg-vqcc-grcx, and this report concerns the post-fix validation logic. Maintainers may adjust the exact affected range.

References

  • github.com/advisories/GHSA-xw9q-2mv6-9fr8
  • github.com/fedify-dev/fedify/security/advisories/GHSA-xw9q-2mv6-9fr8
  • nvd.nist.gov/vuln/detail/CVE-2026-50131

Code Behaviors & Features

Detect and mitigate CVE-2026-50131 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →

Affected versions

All versions starting from 0.11.2 before 1.9.12, all versions starting from 1.10.0 before 1.10.11, all versions starting from 2.0.0 before 2.0.19, all versions starting from 2.1.0 before 2.1.15, all versions starting from 2.2.0 before 2.2.4

Fixed versions

  • 1.9.12
  • 1.10.11
  • 2.0.19
  • 2.1.15
  • 2.2.4

Solution

Upgrade to versions 1.9.12, 1.10.11, 2.0.19, 2.1.15, 2.2.4 or above.

Impact 8.6 HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

Learn more about CVSS

Weakness

  • CWE-1286: Improper Validation of Syntactic Correctness of Input
  • CWE-1389: Incorrect Parsing of Numbers with Different Radices
  • CWE-918: Server-Side Request Forgery (SSRF)

Source file

npm/@fedify/fedify/CVE-2026-50131.yml

Spotted a mistake? Edit the file on GitLab.

  • Site Repo
  • About GitLab
  • Terms
  • Privacy Statement
  • Contact

Page generated Thu, 16 Jul 2026 00:18:44 +0000.