Description
The lookup function accepts a user address to check accounts as a feature. However, section B.3 of the security considerations in the ActivityPub specification (https://www.w3.org/TR/activitypub/#security-considerations) states that access to localhost services should be prevented when running in production, and the lookup does not prevent it.
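One defender-side check that follows from the description, as an added example rather than webfinger.js's own code: canonicalise the host a lookup would contact and refuse loopback targets before any request is sent. The helper names (hostOfAddress, isLocalhostHost, assertSafeLookupTarget) are assumed, it runs under Node.js, and it covers IPv4, IPv6 and IPv4-mapped loopback literals plus localhost names, which is slightly broader than the spec's wording.

```javascript
// Added example (not webfinger.js's own code): refuse WebFinger lookup
// targets that point at localhost. Helper names are assumed; needs Node.js.

const LOCAL_HOSTNAMES = new Set(['localhost', 'localhost.localdomain', 'ip6-localhost']);

// Canonical hostname a lookup for `address` would contact, or null if it
// cannot be parsed. Accepts "acct:user@host", "user@host[:port]" and full
// URLs. Node's WHATWG URL parser rewrites IPv4 shorthand such as "127.1",
// "2130706433" or "0x7f000001" to dotted-quad form, so it cannot slip past
// the string checks below.
function hostOfAddress(address) {
  let s = String(address).trim();
  if (!/^https?:\/\//i.test(s)) {
    s = s.replace(/^acct:/i, '');
    const at = s.lastIndexOf('@');
    if (at === -1) return null;            // not a user@host account address
    s = 'http://' + s.slice(at + 1) + '/';
  }
  try { return new URL(s).hostname.toLowerCase(); } catch { return null; }
}

// True when `hostname` (from hostOfAddress) is loopback, the unspecified
// address, or a localhost name. An unparsable target counts as unsafe.
// A DNS name that merely resolves to 127.0.0.1 is NOT caught here: resolve
// it, run the same checks on every returned IP, and connect to that IP.
function isLocalhostHost(hostname) {
  if (!hostname) return true;
  if (hostname.startsWith('[')) {                      // IPv6 literal
    const ip6 = hostname.slice(1, -1);
    if (ip6 === '::1' || ip6 === '::') return true;
    if (ip6.startsWith('::ffff:')) {                   // IPv4-mapped, e.g. ::ffff:7f00:1
      const firstOctet = parseInt(ip6.slice(7).split(':')[0], 16) >> 8;
      return firstOctet === 127 || firstOctet === 0;
    }
    return false;
  }
  const v4 = hostname.match(/^(\d+)\.\d+\.\d+\.\d+$/);
  if (v4) return v4[1] === '127' || v4[1] === '0';    // 127/8 and 0/8
  const name = hostname.replace(/\.$/, '');
  return LOCAL_HOSTNAMES.has(name) || name.endsWith('.localhost');
}

// Gate to call before performing the lookup: returns the hostname that will
// be contacted, or throws for a localhost target.
function assertSafeLookupTarget(address) {
  const host = hostOfAddress(address);
  if (isLocalhostHost(host)) throw new Error(`lookup target not allowed: ${address}`);
  return host;
}
```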
Recommendation
Update the webfinger.js package to the latest compatible version. Version details:
- Affected version(s): <= 2.8.0
- Patched version(s): 2.8.1
References
Related Issues
- HackMD MCP Server has Server-Side Request Forgery (SSRF) vulnerability - CVE-2025-59155
- Nu Html Checker (vnu) contains a Server-Side Request Forgery (SSRF) vulnerability - CVE-2025-15104
- smartbanner.js rel noopener vulnerability - CVE-2025-25300
- @octokit/plugin-paginate-rest has a Regular Expression in iterator Leads to ReDoS Vulnerability Due to Catastrophic Back - CVE-2025-25288
Tags:
- npm
- webfinger.js
Last updated on August 01, 2025