Fedify security updates: 1.0.14, 1.1.11, 1.2.11, and 1.3.4

[dahlia]

We have released security updates (1.0.14, 1.1.11, 1.2.11, 1.3.4) to address CVE-2025-23221, a vulnerability in Fedify's WebFinger implementation. We recommend all users update to the latest version of their respective release series immediately.

The Vulnerability

A security researcher identified multiple security issues in Fedify's lookupWebFinger() function that could be exploited to:

• Perform denial of service attacks through infinite redirect loops
• Execute server-side request forgery (SSRF) attacks via redirects to private network addresses
• Access unintended URL schemes through redirect manipulation

Fixed Versions

• 1.3.x series: Update to 1.3.4
• 1.2.x series: Update to 1.2.11
• 1.1.x series: Update to 1.1.11
• 1.0.x series: Update to 1.0.14

Changes

The security updates implement the following fixes:

1. Added a maximum redirect limit (5) to prevent infinite redirect loops
2. Restricted redirects to only follow the same scheme as the original request (HTTP/HTTPS)
3. Blocked redirects to private network addresses to prevent SSRF attacks

How to Update

To update to the latest secure version:

# For npm users
npm update @fedify/fedify

# For Deno users
deno add jsr:@fedify/fedify

We thank the security researcher who responsibly disclosed this vulnerability, allowing us to address these issues promptly.

For more details about this vulnerability, please refer to our security advisory.

---

If you have any questions or concerns, please don't hesitate to reach out through our GitHub Discussions, join our Matrix chat space, or our Discord server.