Description
The lookup function accepts a user address and queries the corresponding account as a feature; however, as the ActivityPub spec notes in security considerations section B.3 (https://www.w3.org/TR/activitypub/#security-considerations), access to localhost services should be prevented when running in production.
Recommendation
Update the webfinger.js package to the latest compatible version. Version details are as follows:
- Affected version(s): <= 2.8.0
- Patched version(s): 2.8.1
References
Related Issues
- Nu Html Checker (vnu) contains a Server-Side Request Forgery (SSRF) vulnerability - CVE-2025-15104
- HackMD MCP Server has Server-Side Request Forgery (SSRF) vulnerability - CVE-2025-59155
- @octokit/plugin-paginate-rest has a Regular Expression in iterator Leads to ReDoS Vulnerability Due to Catastrophic Back - CVE-2025-25288
- Parse Server has an OAuth login vulnerability - CVE-2025-30168
Tags:
- npm
- webfinger.js
Last updated on August 01, 2025