Description
The lookup function takes a user address for checking accounts as a feature, however, as per the ActivityPub spec (https://www.w3.org/TR/activitypub/#security-considerations), on the security considerations section at B.3, access to Localhost services should be prevented while running in production.
Recommendation
Update the webfinger.js package to the latest compatible version. Followings are version details:
- Affected version(s): <= 2.8.0
- Patched version(s): 2.8.1
References
Related Issues
- Nu Html Checker (vnu) contains a Server-Side Request Forgery (SSRF) vulnerability - CVE-2025-15104
- HackMD MCP Server has Server-Side Request Forgery (SSRF) vulnerability - CVE-2025-59155
- google-translate-api-browser Server-Side Request Forgery (SSRF) Vulnerability - CVE-2023-48711
- Parse Server Vulnerable to Server-Side Request Forgery (SSRF) in File Upload via URI Format - CVE-2025-64430
You might also like:
- Tags:
- npm
- webfinger.js
Anything's wrong? Let us know Last updated on August 01, 2025


