CVE-2025-54888: @fedify/fedify has Improper Authentication and Incorrect Authorization
An authentication bypass vulnerability allows any unauthenticated attacker to impersonate any ActivityPub actor by sending forged activities signed with the attacker's own keys. Incoming activities are processed before Fedify verifies that the signing key belongs to the claimed actor, so a valid signature from an attacker-controlled key is accepted as proof of authorship for whatever `actor` the activity names, enabling complete actor impersonation across all Fedify instances.
Detect and mitigate CVE-2025-54888 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning.