
CVE-2025-54590: webfinger.js Blind SSRF Vulnerability

July 28, 2025 (updated August 1, 2025)

The lookup function accepts a user address for checking accounts as a feature; however, the ActivityPub spec (https://www.w3.org/TR/activitypub/#security-considerations), in section B.3 of its security considerations, states that access to localhost services should be prevented when running in production. The library does not prevent localhost access (nor does it prevent LAN addresses such as 192.168.x.x), so it is not safe for use in production by ActivityPub applications. The only localhost check is used to select between the HTTP and HTTPS protocols, and it works by testing for a host that starts with the string “localhost” and ends with a port. Anything else (such as “127.0.0.1” or “localhost:1234/abc”) is not considered localhost by this test.

In addition, the way the function determines the host makes it possible to access any path on the host, not only “/.well-known/…” paths:

// Excerpt from the library's lookup(): host extraction, protocol selection and URL construction.
// `self.__isLocalhost` and `URIS` are the library's own helper and list of well-known
// endpoints; they are not part of this excerpt.
if (address.indexOf('://') > -1) {
  // other uri format: take the authority component of the URL
  host = address.replace(/ /g,'').split('/')[2];
} else {
  // useraddress: everything after the first '@' becomes the host, unvalidated
  host = address.replace(/ /g,'').split('@')[1];
}

var uri_index = 0; // track which URIS we've tried already
var protocol = 'https'; // we use https by default

// the only localhost check, used solely to pick http over https
if (self.__isLocalhost(host)) {
  protocol = 'http';
}

function __buildURL() {
  var uri = '';
  if (! address.split('://')[1]) {
    // the URI has not been defined, default to acct
    uri = 'acct:';
  }
  // host is concatenated as-is, so any path or query it carries ends up in the request
  return protocol + '://' + host + '/.well-known/' + URIS[uri_index] + '?resource=' + uri + address;
}

If the address is in the format of a user address (user@host.com), the host will be anything after the first @ symbol found. Since no other test is done, an adversary may pass a specially crafted address such as user@localhost:7000/admin/restricted_page? and reach pages that would normally be out of reach. In this example, the code would treat localhost:7000/admin/restricted_page? as the host, and the resulting URL would be https://localhost:7000/admin/restricted_page?/.well-known/webfinger?resource=acct:user@localhost:7000/admin/restricted_page?. A server listening on localhost:7000 will then parse the request as a GET request for the page /admin/restricted_page with the query string /.well-known/webfinger?resource=acct:user@localhost:7000/admin/restricted_page?.

References

  • github.com/advisories/GHSA-8xq3-w9fx-74rv
  • github.com/silverbucket/webfinger.js
  • github.com/silverbucket/webfinger.js/commit/b5f2f2c957297d25f4d76072963fccaee2e3095a
  • github.com/silverbucket/webfinger.js/releases/tag/v2.8.1
  • github.com/silverbucket/webfinger.js/security/advisories/GHSA-8xq3-w9fx-74rv
  • nvd.nist.gov/vuln/detail/CVE-2025-54590

Affected versions

All versions before 2.8.1

Fixed versions

  • 2.8.1

Solution

Upgrade to version 2.8.1 or above.

Weakness

  • CWE-918: Server-Side Request Forgery (SSRF)

Source file

npm/webfinger.js/CVE-2025-54590.yml

Page generated Tue, 19 Aug 2025 12:18:52 +0000.