SCA: security update for @fedify/fedify, @fedify/vocab-runtime (GHSA-xw9q-2mv6-9fr8)

high Tenable Self-Hosted Container Security Plugin ID 444701

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Fedify
previously addressed SSRF/internal network access in GHSA-p9cg-vqcc-grcx by adding public URL validation
before runtime document and media fetching. However, the IPv4 validation logic present starting in version
0.11.2 and prior to versions 1.9.12, 1.10.11, 2.0.19, 2.1.15, and 2.2.4 appears incomplete. The
`validatePublicUrl()` protection relies on `isValidPublicIPv4Address()` to reject non-public IPv4
destinations. The function blocks common private and local ranges such as `10.0.0.0/8`, `127.0.0.0/8`,
`169.254.0.0/16`, `172.16.0.0/12`, and `192.168.0.0/16`, but it still treats several special-use,
reserved, multicast, benchmarking, and carrier-grade NAT IPv4 ranges as valid public destinations. Because
this validation is used as an SSRF defense before outbound fetches, this appears to be an incomplete
mitigation or bypass class for the previous SSRF issue. Versions 1.9.12, 1.10.11, 2.0.19, 2.1.15, and
2.2.4 contain an updated patch. (CVE-2026-50131)

Solution

Update the @fedify/fedify library and its related packages to version 1.10.11 or later.

See Also

https://github.com/advisories/GHSA-xw9q-2mv6-9fr8

Plugin Details

Severity: High

ID: 444701

Version: Revision 1.1

Type: Local

Family: SCA Checks

Published: 7/14/2026

Updated: 7/14/2026

Risk Information

VPR

Risk Factor: Low

Score: 3.9

Percentile: 52.82

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 7

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:P/A:P

CVSS Score Source: CVE-2026-50131

CVSS v3

Risk Factor: High

Base Score: 8.6

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 7/14/2026

Vulnerability Publication Date: 6/10/2026

Reference Information

CVE: CVE-2026-50131