CVE-2025-54888: 
JavaScript vulnerability analysis and mitigation

CVE-2025-54888 affects Fedify, a TypeScript library for building federated server apps powered by ActivityPub. The vulnerability was discovered and disclosed on August 8, 2025. The affected versions include versions below 1.3.20, 1.4.0-dev.585 through 1.4.12, 1.5.0-dev.636 through 1.5.4, 1.6.0-dev.754 through 1.6.7, 1.7.0-pr.251.885 through 1.7.8, and 1.8.0-dev.909 through 1.8.4. This authentication bypass vulnerability allows unauthenticated attackers to impersonate any ActivityPub actor (GitHub Advisory).

The vulnerability exists in the handleInboxInternal function within fedify/federation/handler.ts. The critical flaw lies in the order of operations where routeActivity() is called before authentication verification. The authentication check (doesActorOwnKey) occurs after the activity has already been processed or queued, allowing attackers to bypass authentication. The vulnerability has been assigned a CVSS v4.0 base score of 8.7 (High) with vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N (GitHub Advisory).

The vulnerability enables complete impersonation of any ActivityPub actor across all Fedify instances. Attackers can send fake posts/messages, create/remove follows, and boost/share content as any user, leading to a complete compromise of the federation trust model. While the vulnerability affects all Fedify instances, it does not propagate to other ActivityPub implementations like Mastodon that properly validate before processing (GitHub Advisory).

The vulnerability has been fixed in versions 1.3.20, 1.4.13, 1.5.5, 1.6.8, 1.7.9, and 1.8.5. The fix ensures that authentication verification is performed before activity processing to prevent actor impersonation attacks (GitHub Advisory, GitHub Commit).