CVE-2025-23221: Infinite loop and Blind SSRF found inside the Webfinger mechanism in @fedify/fedify
This vulnerability allows a user to maneuver the Webfinger mechanism to perform a GET request to any internal resource on any Host, Port, URL combination regardless of present security mechanisms, and forcing the victim’s server into an infinite loop causing Denial of Service. Moreover, this issue can also be maneuvered into performing a Blind SSRF attack.
References
- github.com/advisories/GHSA-c59p-wq67-24wx
- github.com/dahlia/fedify
- github.com/dahlia/fedify/commit/8be3c2038eebf4ae12481683a1e809b314be3151
- github.com/dahlia/fedify/commit/c505eb82fcd6b5b17174c6659c29721bc801ab9a
- github.com/dahlia/fedify/commit/e921134dd5097586e4563ea80b9e8d1b5460a645
- github.com/dahlia/fedify/security/advisories/GHSA-c59p-wq67-24wx
- nvd.nist.gov/vuln/detail/CVE-2025-23221
Code Behaviors & Features
Detect and mitigate CVE-2025-23221 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →