
Cloud Vulnerability DB
A community-led vulnerabilities database
The webfinger.js library (versions <= 2.8.0) contains a Blind Server-Side Request Forgery (SSRF) vulnerability identified as CVE-2025-54590 and GHSA-8xq3-w9fx-74rv. The vulnerability was discovered by Ori Hollander of the JFrog Vulnerability Research team and was disclosed on July 27, 2025. The issue affects both browser and Node.js environments where the library's lookup function accepts user addresses for account checking without proper validation, allowing attackers to bypass localhost access restrictions (GitHub Advisory).
The vulnerability stems from insufficient validation in the lookup function when processing user-provided addresses. The function extracts the host from an address string (e.g., user@host) by taking the substring after the '@' symbol without further validation. The only localhost check happens when the function selects between HTTP and HTTPS, and it matches only hosts that start with 'localhost' and end with a port. Attackers can therefore bypass the restriction with alternative localhost representations (e.g., '127.0.0.1') or by including path components in the host portion. The vulnerability has been assigned CWE-918 (Server-Side Request Forgery) and received a CVSS v4.0 base score of 6.9 (Moderate) (GitHub Advisory, AttackerKB).
The vulnerability allows attackers to cause servers using the library to send GET requests with controlled host, path, and port parameters to query services running on the instance's host or local network. This enables potential exploitation of blind SSRF gadgets targeting known vulnerable local services running on the victim's machine. The impact is particularly concerning for ActivityPub applications running in production environments (GitHub Advisory).
The vulnerability has been fixed in version 2.8.1 of webfinger.js. The patch includes comprehensive SSRF protection measures including private address blocking, DNS resolution protection, path injection prevention, and redirect validation. The fix follows ActivityPub security guidelines and implements proper validation of user-provided addresses. Users should upgrade to version 2.8.1 or later to receive these security improvements (GitHub Release, Security Fix).
Source: This report was generated using AI