Description
The lookup function accepts a user address as a feature for checking accounts; however, as per the ActivityPub spec (https://www.w3.org/TR/activitypub/#security-considerations), security considerations section B.3, access to localhost services should be prevented while running in production.
Recommendation
Update the webfinger.js package to the latest compatible version. Version details:
- Affected version(s): <= 2.8.0
- Patched version(s): 2.8.1
Tags: npm, webfinger.js
Last updated on August 01, 2025