Summary At present, when Fedify needs to retrieve an object or activity from a remote activitypub server, it makes a HTTP request to the @id or other resources present within the activity it has received from the web. This activity could reference an @id that points to an internal IP address, allowing an attacker to send request to resources internal to the fedify server's network. This applies to not just resolution of documents containing activities or objects, but also to media URLs as well. Specifically this is a Server Side Request Forgery attack. You can learn more about SSRF attacks via CWE-918 Details When Fedify makes a request at runtime via the DocLoader [1] [2], the fetch API does not first check the URI's to assert that it resolve to a public IP address. Additionally, any downstream software of Fedify that may fetch data from URIs contained within Activities or Objects maybe be at risk of requesting non-public resources, and storing those, exposing non-public information to the public. Additionally, in many cases the URIs are not asserted to be either strictly HTTPS or HTTP protocols, which could lead to further attacks, and there is no check that the URI contains a hostname part. Whilst the fetch() specification may provide some safety here, along with underlying fetch implementations, there is still potential for attacks through using data: URIs, or just attacking some other protocol entirely, e.g., FTP or CalDav. [1]…Read More