
CVE-2025-54888

Published 09/08/2025 02:15 · Modified 09/08/2025 02:15

Labels: CVE-2025-54888 · 2025-08-09 · CWE-287 · [email protected]

Essential information

Published
09/08/2025 02:15
Modified
09/08/2025 02:15
Author
Creator
CVSS
8.7 HIGH (v3) 8.7 HIGH (v4.0)
CISA KEV
No
CWE
CWE-287
CVSS vector

CVSS metrics

Description

Fedify is a TypeScript library for building federated server apps powered by ActivityPub. In versions below 1.3.20, 1.4.0-dev.585 through 1.4.12, 1.5.0-dev.636 through 1.5.4, 1.6.0-dev.754 through 1.6.7, 1.7.0-pr.251.885 through 1.7.8 and 1.8.0-dev.909 through 1.8.4, an authentication bypass vulnerability allows any unauthenticated attacker to impersonate any ActivityPub actor by sending forged activities signed with their own keys. Activities are processed before verifying the signing key belongs to the claimed actor, enabling complete actor impersonation across all Fedify instances. This is fixed in versions 1.3.20, 1.4.13, 1.5.5, 1.6.8, 1.7.9 and 1.8.5.
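The defect described above is one of ordering: a valid HTTP Signature only proves that the sender holds the private key named by the signature's keyId, and the inbox must additionally confirm that this key is owned by the actor the activity names before dispatching it. The following is an added illustration, not Fedify's own code or API; the names Activity, KeyDocument, InboxRequest, lookupKeyDocument and the handleInbox* functions are hypothetical, the key directory and the two requests are constructed, and the cryptographic check of the signature is assumed to have already run (represented by the boolean signatureValid).

```typescript
// Added illustration for CVE-2025-54888; not Fedify's code. All names here are
// hypothetical. Signature verification is assumed done and is represented by
// `signatureValid`; this block only models the ordering of the owner check.

interface Activity {
  id: string;
  type: string;
  actor: string; // URI of the actor the activity claims to come from
}

interface KeyDocument {
  id: string;    // keyId named in the Signature header
  owner: string; // actor URI that publishes this key
}

interface InboxRequest {
  activity: Activity;
  keyId: string;
  signatureValid: boolean;
}

type Outcome =
  | "processed"
  | "rejected:bad-signature"
  | "rejected:unknown-key"
  | "rejected:key-owner-mismatch";

// Constructed key directory standing in for dereferencing keyId over HTTPS.
// A real server must fetch the key document from the keyId's own origin and
// never take the owner claim from the incoming request body.
const KEY_DIRECTORY: Record<string, KeyDocument> = {
  "https://alice.example/actor#main-key": {
    id: "https://alice.example/actor#main-key",
    owner: "https://alice.example/actor",
  },
  "https://mallory.example/actor#main-key": {
    id: "https://mallory.example/actor#main-key",
    owner: "https://mallory.example/actor",
  },
};

function lookupKeyDocument(keyId: string): KeyDocument | undefined {
  return KEY_DIRECTORY[keyId];
}

// Models the defective ordering: the activity is handed to the application
// (a side effect recorded in `processed`) as soon as the signature verifies,
// and the key-owner check only runs afterwards.
function handleInboxVulnerable(req: InboxRequest, processed: string[]): Outcome {
  if (!req.signatureValid) return "rejected:bad-signature";
  processed.push(req.activity.id); // dispatched before ownership is known
  const key = lookupKeyDocument(req.keyId);
  if (key === undefined) return "rejected:unknown-key";
  if (key.owner !== req.activity.actor) return "rejected:key-owner-mismatch"; // too late
  return "processed";
}

// Fixed ordering: resolve the key, require key.owner === activity.actor, and
// only then dispatch. Nothing observable happens for a mismatched request.
function handleInboxFixed(req: InboxRequest, processed: string[]): Outcome {
  if (!req.signatureValid) return "rejected:bad-signature";
  const key = lookupKeyDocument(req.keyId);
  if (key === undefined) return "rejected:unknown-key";
  if (key.owner !== req.activity.actor) return "rejected:key-owner-mismatch";
  processed.push(req.activity.id);
  return "processed";
}

// Constructed requests: a genuine Follow from alice, and one that names alice
// as actor but is signed with mallory's key (the signature itself verifies,
// since mallory does hold mallory's private key).
const genuine: InboxRequest = {
  activity: { id: "https://alice.example/acts/1", type: "Follow", actor: "https://alice.example/actor" },
  keyId: "https://alice.example/actor#main-key",
  signatureValid: true,
};
const spoofed: InboxRequest = {
  activity: { id: "https://mallory.example/acts/9", type: "Follow", actor: "https://alice.example/actor" },
  keyId: "https://mallory.example/actor#main-key",
  signatureValid: true,
};

// Runs both handlers over both requests and returns what each one dispatched.
function demo(): { vulnerable: string[]; fixed: string[] } {
  const vulnerable: string[] = [];
  const fixed: string[] = [];
  for (const req of [genuine, spoofed]) {
    handleInboxVulnerable(req, vulnerable);
    handleInboxFixed(req, fixed);
  }
  return { vulnerable, fixed };
}

console.log(demo());
```

The point of the comparison is that both handlers return the same Outcome for the spoofed request; the difference is that the vulnerable ordering has already dispatched the activity by the time it reaches that verdict. When reviewing an inbox implementation, the invariant to look for is that no application handler runs until the signing key has been dereferenced from its own origin and its owner compared with the activity's actor.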

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

Product CPE
fedify / fedify cpe:2.3:a:fedify:fedify:<1.3.20:*:*:*:*:*:*:*
fedify / fedify cpe:2.3:a:fedify:fedify:1.4.0-dev.585-1.4.12:*:*:*:*:*:*:*
fedify / fedify cpe:2.3:a:fedify:fedify:1.5.0-dev.636-1.5.4:*:*:*:*:*:*:*
fedify / fedify cpe:2.3:a:fedify:fedify:1.6.0-dev.754-1.6.7:*:*:*:*:*:*:*
fedify / fedify cpe:2.3:a:fedify:fedify:1.7.0-pr.251.885-1.7.8:*:*:*:*:*:*:*
fedify / fedify cpe:2.3:a:fedify:fedify:1.8.0-dev.909-1.8.4:*:*:*:*:*:*:*

References