CVE-2025-54590

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-54590

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-54590.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-54590

Aliases

GHSA-8xq3-w9fx-74rv

Published

2025-08-01T18:03:41.619Z

Modified

2026-04-10T05:30:38.585441Z

Severity

6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator

Summary

webfinger.js is vulnerable to Blind SSRF attacks through localhost

Details

webfinger.js is a TypeScript-based WebFinger client that runs in both browsers and Node.js environments. In versions 2.8.0 and below, the lookup function accepts user addresses for account checking. However, the ActivityPub specification requires preventing access to localhost services in production. This library does not prevent localhost access, only checking for hosts that start with "localhost" and end with a port. Users can exploit this by creating servers that send GET requests with controlled host, path, and port parameters to query services on the instance's host or local network, enabling blind SSRF attacks. This is fixed in version 2.8.1.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/54xxx/CVE-2025-54590.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-918"
    ]
}

References

Affected packages

Git / github.com/silverbucket/webfinger.js

Affected ranges

Type: GIT
Repo: https://github.com/silverbucket/webfinger.js
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

b5f2f2c957297d25f4d76072963fccaee2e3095a

Type: GIT
Repo: https://github.com/silverbucket/webfinger.js
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

c01379e671123d03732a5b5568b34256c79aad02

Affected versions

v0.*

v0.1.2

v0.1.3

v0.1.4

v0.1.5

v1.*

v1.0.1

v1.0.2

v1.1.1

v2.*

v2.0.0

v2.0.1

v2.0.2

v2.0.3

v2.0.4

v2.0.5

v2.1.0

v2.1.1

v2.1.2

v2.1.3

v2.1.4

v2.2.0

v2.2.1

v2.3.0

v2.3.1

v2.3.2

v2.4.0

v2.4.1

v2.4.2

v2.5.0

v2.6.0

v2.6.1

v2.6.2

v2.6.3

v2.6.4

v2.6.5

v2.6.6

v2.7.0

v2.7.1

v2.8.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-54590.json"