Wiz
Vulnerability DatabaseCVE-2025-54590

CVE-2025-54590
JavaScript vulnerability analysis and mitigation

Overview

The CVE-2025-54590 vulnerability affects webfinger.js, a TypeScript-based WebFinger client that runs in both browsers and Node.js environments, in versions 2.8.0 and below. The vulnerability was discovered by Ori Hollander of the JFrog Vulnerability Research team and disclosed on July 28, 2025. This is a Blind Server-Side Request Forgery (SSRF) vulnerability that allows attackers to make unauthorized requests to internal networks and localhost services (GitHub Advisory, Debian Tracker).

Technical details

The vulnerability exists in the lookup function which processes user addresses for account checking. The function fails to properly validate host addresses, allowing access to localhost and LAN addresses (such as 192.168.x.x). The only localhost check performed is for protocol selection (HTTP/HTTPS) and only tests if the host starts with "localhost" and ends with a port. This check can be bypassed using alternative localhost representations like "127.0.0.1" or malformed addresses. Additionally, the host extraction logic allows path injection by accepting any content after the @ symbol in user addresses, enabling access to arbitrary paths beyond the intended "/.well-known/" directory (GitHub Advisory).

Impact

The vulnerability allows attackers to cause servers using the library to send GET requests with controlled host, path, and port parameters to query services running on the instance's host or local network. This can be exploited to execute Blind-SSRF attacks targeting vulnerable local services running on the victim's machine. The issue is particularly concerning for ActivityPub applications as it violates the security considerations specified in the ActivityPub specification (GitHub Advisory).

Mitigation and workarounds

The vulnerability has been fixed in version 2.8.1 of webfinger.js. The fix includes comprehensive SSRF protection that blocks private networks and validates redirects by default. The update implements proper validation of host addresses, prevents access to private IP ranges, and includes DNS resolution protection in Node.js environments to prevent attacks using domains that resolve to private IP addresses (GitHub Release).

Additional resources

SourceThis report was generated using AI

Related JavaScript vulnerabilities:

CVE ID

Severity

Score

Technologies

Component name

CISA KEV exploit

Has fix

Published date

GHSA-w5fx-fh39-j5rwHIGH8.6
  • JavaScriptJavaScript
  • @openai/codex
NoYesSep 19, 2025
CVE-2025-59417MEDIUM6.8
  • JavaScriptJavaScript
  • @lobehub/chat
NoYesSep 18, 2025
CVE-2025-59717MEDIUM5.4
  • JavaScriptJavaScript
  • @digitalocean/do-markdownit
NoNoSep 19, 2025
CVE-2025-10619MEDIUM5.3
  • JavaScriptJavaScript
  • @sequa-ai/sequa-mcp
NoYesSep 17, 2025
CVE-2025-59427LOW2.9
  • JavaScriptJavaScript
  • @cloudflare/vite-plugin
NoYesSep 19, 2025

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

Cloud Threat Landscape

A threat intelligence database

PEACH

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management
Get a demo