CVE-2025-25194

Source
https://cve.org/CVERecord?id=CVE-2025-25194
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-25194.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-25194
Aliases
Published
2025-02-10T22:14:32.302Z
Modified
2026-04-10T05:23:12.281364Z
Severity
  • 4.0 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N
Summary
Server-Side Request Forgery (SSRF) in activitypub_federation
Details

Lemmy, a link aggregator and forum for the fediverse, is vulnerable to server-side request forgery via a dependency on activitypub_federation, a framework for ActivityPub federation in Rust. This vulnerability, which is present in versions 0.6.2 and prior of activitypub_federation and versions 0.19.8 and prior of Lemmy, allows a user to bypass any predefined hardcoded URL path or anti-localhost security mechanism and perform an arbitrary GET request to any host, port and URL using a Webfinger request. As of time of publication, a fix has not been made available.

Database specific
{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/25xxx/CVE-2025-25194.json",
    "cwe_ids": [
        "CWE-918"
    ]
}
Affected packages

Git / github.com/lemmynet/lemmy

Affected ranges

Type
GIT
Repo
https://github.com/lemmynet/lemmy
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "0.19.8"
        }
    ]
}

Affected versions

0.*
0.10.0
0.10.0-rc.12
0.10.0-rc.13
0.10.0-rc.7
0.10.1
0.10.2
0.11.0
0.11.0-rc.1
0.11.1
0.11.2
0.11.3-rc.4
0.11.4-rc.16
0.12.0
0.12.0-rc.1
0.12.0-rc.2
0.13.0
0.13.0-rc.1
0.13.5-rc.7
0.13.6-rc.2
0.14.0
0.14.0-rc.1
0.14.0-rc.2
0.14.1
0.14.2
0.14.2-rc.1
0.14.3
0.15.0
0.15.0-rc.7
0.15.1
0.16.0
0.16.0-rc.1
0.16.0-rc.2
0.16.0-rc.3
0.16.0-rc.4
0.16.1
0.16.1-rc.1
0.16.2
0.16.2-rc.1
0.16.2-rc.2
0.16.2-rc.3
0.16.3
0.16.3-rc.1
0.16.5
0.17.0
0.17.0-rc.1
0.17.0-rc.3
0.17.0-rc.4
0.17.1
0.18.0
0.18.0-rc.1
0.18.0-rc.2
0.18.0-rc.3
0.18.0-rc.4
0.18.0-rc.5
0.18.0-rc.6
0.18.0-rc.8
0.18.1
0.18.1-rc.1
0.18.1-rc.10
0.18.1-rc.4
0.18.1-rc.9
0.18.4-beta.7
0.19.0
0.19.0-beta.7
0.19.0-rc.1
0.19.0-rc.10
0.19.0-rc.11
0.19.0-rc.12
0.19.0-rc.13
0.19.0-rc.14
0.19.0-rc.15
0.19.0-rc.16
0.19.0-rc.2
0.19.0-rc.3
0.19.0-rc.4
0.19.0-rc.5
0.19.0-rc.6
0.19.0-rc.7
0.19.0-rc.8
0.19.1-rc.1
0.19.1-rc.2
0.19.2
0.19.2-rc.1
0.19.2-rc.2
0.19.2-rc.4
0.19.2-rc.5
0.19.3
0.19.3-rc.1
0.19.4
0.19.4-beta.1
0.19.4-beta.3
0.19.4-beta.4
0.19.4-beta.5
0.19.4-beta.6
0.19.4-beta.7
0.19.4-beta.8
0.19.4-rc.1
0.19.4-rc.10
0.19.4-rc.11
0.19.4-rc.2
0.19.4-rc.3
0.19.4-rc.4
0.19.4-rc.5
0.19.4-rc.6
0.19.4-rc.7
0.19.4-rc.8
0.19.4-rc.9
0.19.5
0.19.5-alpha.1
0.19.5-alpha.2
0.19.5-alpha.3
0.19.6
0.19.6-beta.14
0.19.6-beta.15
0.19.6-beta.8
0.19.6-beta.9
0.19.7
0.19.7-beta.1
0.19.7-beta.2
0.19.8
0.19.8-beta.0
0.9.0
0.9.1
0.9.2
0.9.3
0.9.4
0.9.5
0.9.6
0.9.7
0.9.8
0.9.9
v0.*
v0.0.7.4
v0.0.8.1
v0.0.8.2
v0.0.8.3
v0.4.0.3
v0.5.10
v0.7.17
v0.7.18
v0.7.19
v0.7.20
v0.7.21
v0.7.22
v0.7.23
v0.7.24
v0.7.25
v0.7.26
v0.7.28
v0.7.29
v0.7.3
v0.7.30
v0.7.31
v0.7.32
v0.7.33
v0.7.34
v0.7.35
v0.7.36
v0.7.37
v0.7.38
v0.7.39
v0.7.4
v0.7.40
v0.7.41
v0.7.42
v0.7.43
v0.7.44
v0.7.46
v0.7.47
v0.7.48
v0.7.49
v0.7.5
v0.7.50
v0.7.52
v0.7.53
v0.7.54
v0.7.55
v0.7.56
v0.7.57
v0.7.59
v0.7.6
v0.7.61
v0.7.62
v0.7.63
v0.7.64
v0.7.7
v0.7.8
v0.8.0
v0.8.1
v0.8.10
v0.8.3
v0.8.5
v0.8.6
v0.8.7
v0.8.8
v0.8.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-25194.json"