N/A

CVSS Score

Basic Information

CVE ID

CVE-2025-54590

GHSA ID

GHSA-8xq3-w9fx-74rv

EPSS Score

CWE

CWE-918

Published

7/28/2025

Updated

7/31/2025

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-54590

CVE-2025-54590: webfinger.js Blind SSRF Vulnerability

Description

The lookup function takes a user address for checking accounts as a feature, however, as per the ActivityPub spec (https://www.w3.org/TR/activitypub/#security-considerations), on the security considerations section at B.3, access to Localhost services should be prevented while running in production. The library does not prevent Localhost access (neither does it prevent LAN addresses such as 192.168.x.x) , thus is not safe for use in production by ActivityPub applications. The only check for localhost is done for selecting between HTTP and HTTPS protocols, and it is done by testing for a host that starts with the string “localhost” and ends with a port. Anything else (such as “127.0.0.1” or “localhost:1234/abc”) would not be considered localhost for this test.

In addition, the way that the function determines the host, makes it possible to access any path in the host, not only “/.well-known/...” paths:

if (address.indexOf('://') > -1) {
  // other uri format
  host = address.replace(/ /g,'').split('/')[2];
} else {
  // useraddress
  host = address.replace(/ /g,'').split('@')[1];
}

var uri_index = 0; // track which URIS we've tried already
var protocol = 'https'; // we use https by default

if (self.__isLocalhost(host)) {
  protocol = 'http';
}

function __buildURL() {
  var uri = '';
  if (! address.split('://')[1]) {
  // the URI has not been defined, default to acct
    uri = 'acct:';
  }
  return protocol + '://' + host + '/.well-known/' +URIS[uri_index] + '?resource=' + uri + address;
}

If the address is in the format of a user address (user@host.com), the host will be anything after the first found @ symbol. Since no other test is done, an adversary may pass a specially crafted address such as user@localhost:7000/admin/restricted_page? and reach pages that would normally be out of reach. In this example, the code would treat localhost:7000/admin/restricted_page? as the host, and the created URL would be https://localhost:7000/admin/restricted_page?/.well-known/webfinger?resource=acct:use r@localhost:7000/admin/restricted_page?. A server listening on localhost:7000 will then parse the request as a GET request for the page /admin/restricted_page with the query string /.well-known/webfinger?resource=acct:user@localhost:7000/admin/restricted_page?.

PoC and Steps to reproduce

This PoC assumes that there is a server on the machine listening on port 3000, which receives requests for WebFinger lookups on the address /api/v1/search_user, and then calls the lookup function in webfinger.js with the user passed as an argument. For the sake of the example we assume that the server configured webfinger.js with tls_only=false.

Activate a local HTTP server listening to port 1234 with a “secret.txt” file:

python3 -m http.server 1234

Run the following command:

curl
"http://localhost:3000/api/v1/search_user?search=user@localhost:1234/secret.txt
?"

View the console of the Python’s HTTP server and see that a request for a “secret.txt?/.well-known/webfinger?resource=acct:user@localhost:1234/secret.txt ?” file was performed. This proves that we can redirect the URL to any domain and path we choose, including localhost and the internal LAN.

Impact

Due to this issue, any user can cause a server using the library to send GET requests with controlled host, path and port in an attempt to query services running on the instance’s host or local network, and attempt to execute a Blind-SSRF gadget in hope of targeting a known vulnerable local service running on the victim’s machine.

References

The vulnerability was discovered by Ori Hollander of the JFrog Vulnerability Research team.

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

CVE-2025-54590

GHSA ID

GHSA-8xq3-w9fx-74rv

EPSS Score

CWE

CWE-918

Published

7/28/2025

Updated

7/31/2025

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
webfinger.js	npm	<= 2.8.0	2.8.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a classic Server-Side Request Forgery (SSRF) in the webfinger.js library. The root cause lies in insufficient validation of user-provided addresses within the lookup function. The function would extract the host from an address string (e.g., user@host) by simply taking the substring after the '@' symbol. This allowed an attacker to include a path and query parameters in the host portion (e.g., user@internal-server/admin/delete?user=victim), causing the library to make a request to an arbitrary internal endpoint.

The patch addresses this in multiple layers:

Host Sanitization: A new validateHost function is introduced to strip any path components (/, ?, #) from the extracted host, ensuring only a valid hostname or IP address is used.
Private Address Blocking: A new isPrivateAddress function checks the sanitized host against a comprehensive blocklist of private, local, and reserved IP ranges (both IPv4 and IPv6). This is the primary defense against SSRF.
DNS-based SSRF Protection: For Node.js environments, a validateDNSResolution function was added. It resolves hostnames to their IP addresses and checks if any of them are in the private address blocklist. This prevents attacks where a public domain resolves to a private IP (e.g., localtest.me resolving to 127.0.0.1).
Redirect Validation: The fetchJRD function was modified to handle redirects manually. It now validates the Location header of any redirect response to ensure it does not point to a private address, closing another potential SSRF vector.

The primary vulnerable function is WebFinger.lookup, as it's the entry point that consumes the malicious input. The WebFinger.fetchJRD function was also vulnerable due to its handling of redirects. The new functions (validateHost, isPrivateAddress, validateDNSResolution) represent the security controls that were missing.

Vulnerable functions

WebFinger.lookup

src/webfinger.ts

The `lookup` function is the primary entry point for the vulnerability. It takes a user-provided address and, prior to the patch, would extract the host without proper validation. An attacker could provide a crafted address like 'user@localhost:1234/secret.txt?', causing the application to treat 'localhost:1234/secret.txt?' as the host. This host was then used to construct a request URL, leading to a Server-Side Request Forgery (SSRF) vulnerability. The patch adds calls to `validateHost`, `isPrivateAddress`, and `validateDNSResolution` to sanitize and validate the host before making any requests.

WebFinger.fetchJRD

src/webfinger.ts

The `fetchJRD` function was implicitly vulnerable as it did not validate the destination of HTTP redirects. An attacker could set up a malicious server that, when contacted, would redirect the `webfinger.js` client to an internal or private address. The original implementation would follow these redirects transparently. The patch mitigates this by setting `redirect: 'manual'` and adding logic to manually inspect the `Location` header, validate the redirect host using `validateHost` and `isPrivateAddress`, and only then follow the redirect.

WAF Protection Rules

WAF Rule

### **s*ription T** lookup *un*tion t*k*s * us*r ***r*ss *or ****kin* ***ounts *s * ***tur*, *ow*v*r, *s p*r t** **tivityPu* sp** (*ttps://www.w*.or*/TR/**tivitypu*/#s**urity-*onsi**r*tions), on t** s**urity *onsi**r*tions s**tion *t *.*, ****ss to L

Reasoning

T** vuln*r**ility is * *l*ssi* S*rv*r-Si** R*qu*st *or**ry (SSR*) in t** `w***in**r.js` li*r*ry. T** root **us* li*s in insu**i*i*nt v*li**tion o* us*r-provi*** ***r*ss*s wit*in t** `lookup` *un*tion. T** *un*tion woul* *xtr**t t** *ost *rom *n ***r*

N/A

Basic Information

Concerned about an active attack path?

CVE-2025-54590: webfinger.js Blind SSRF Vulnerability

Description

PoC and Steps to reproduce

Impact

References

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI