PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-50131 fedify-dev CVE debrief

CVE-2026-50131 is a HIGH-severity vulnerability in the Fedify library, affecting versions prior to 1.9.12, 1.10.11, 2.0.19, 2.1.15, and 2.2.4. The issue is incomplete IPv4 validation logic, which could allow Server-Side Request Forgery (SSRF) attacks. The `validatePublicUrl()` protection relies on `isValidPublicIPv4Address()` to reject non-public IPv4 destinations. However, while the function blocks common private and local ranges, it still treats several special-use, reserved, multicast, benchmarking, and carrier-grade NAT IPv4 ranges as valid public destinations.

Vendor
fedify-dev
Product
fedify
CVSS
HIGH 8.6
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-10
Original CVE updated
2026-06-11
Advisory published
2026-06-10
Advisory updated
2026-06-11

Who should care

Users of the Fedify library, particularly those building federated server apps powered by ActivityPub, should be aware of this vulnerability. The issue affects versions prior to 1.9.12, 1.10.11, 2.0.19, 2.1.15, and 2.2.4.

Technical summary

The Fedify library, used for building federated server apps powered by ActivityPub, had incomplete IPv4 validation logic. This logic, introduced in version 0.11.2, was intended to prevent Server-Side Request Forgery (SSRF) and internal network access. However, the `isValidPublicIPv4Address()` function was found not to identify all non-public IPv4 destinations correctly, potentially allowing SSRF attacks.

Defensive priority

HIGH

Recommended defensive actions

  • Update to a patched version (1.9.12, 1.10.11, 2.0.19, 2.1.15, or 2.2.4) of the Fedify library.
  • Review and update any custom IPv4 validation logic to ensure it correctly identifies non-public destinations.
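The gap the advisory describes is a blocklist that stops at the familiar private ranges. As an added example, not Fedify's own code, the TypeScript below is a fail-closed public-IPv4 check that also rejects the special-use, reserved, multicast, benchmarking and carrier-grade NAT blocks from the IANA special-purpose registry; `isPublicIPv4Destination` is a hypothetical name for the role `isValidPublicIPv4Address()` plays, and the CIDR list is assumed rather than taken from the project.

```typescript
// Added example, not Fedify's code: fail-closed check that an IPv4 destination
// is publicly routable; ranges follow the IANA special-purpose registry.
// Parse dotted-quad text into an unsigned 32-bit integer, or null if malformed.
function ipv4ToInt(ip: string): number | null {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let value = 0;
  for (const p of parts) {
    // Decimal digits only; reject leading zeros (octal ambiguity) and >255.
    if (!/^\d{1,3}$/.test(p) || (p.length > 1 && p[0] === "0")) return null;
    const n = Number(p);
    if (n > 255) return null;
    value = value * 256 + n;
  }
  return value;
}

// Non-public IPv4 blocks that a destination check must reject.
const NON_PUBLIC_CIDRS: string[] = [
  "0.0.0.0/8",       // "this" network
  "10.0.0.0/8",      // private
  "100.64.0.0/10",   // carrier-grade NAT (shared address space)
  "127.0.0.0/8",     // loopback
  "169.254.0.0/16",  // link-local
  "172.16.0.0/12",   // private
  "192.0.0.0/24",    // IETF protocol assignments
  "192.0.2.0/24",    // TEST-NET-1 (documentation)
  "192.88.99.0/24",  // deprecated 6to4 relay anycast
  "192.168.0.0/16",  // private
  "198.18.0.0/15",   // benchmarking
  "198.51.100.0/24", // TEST-NET-2
  "203.0.113.0/24",  // TEST-NET-3
  "224.0.0.0/4",     // multicast
  "240.0.0.0/4",     // reserved, includes 255.255.255.255 broadcast
];

// True if addr falls inside the CIDR block (prefix length 1..32 assumed).
function inCidr(addr: number, cidr: string): boolean {
  const slash = cidr.indexOf("/");
  const base = ipv4ToInt(cidr.slice(0, slash)) as number;
  const mask = (0xffffffff << (32 - Number(cidr.slice(slash + 1)))) >>> 0;
  return ((addr & mask) >>> 0) === ((base & mask) >>> 0);
}

// Hypothetical replacement for the role of isValidPublicIPv4Address():
// unparseable input fails closed, and every block above is rejected.
function isPublicIPv4Destination(ip: string): boolean {
  const addr = ipv4ToInt(ip);
  return addr !== null && !NON_PUBLIC_CIDRS.some((c) => inCidr(addr, c));
}
```

The check is only meaningful when applied to the address the request will actually connect to, so run it on the resolved address and again on every redirect target.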

Evidence notes

The CVE-2026-50131 vulnerability has a CVSS score of 8.6 and is classified as HIGH severity. The vulnerability was published on 2026-06-10T22:17:01.543Z and modified on 2026-06-11T16:16:24.323Z.

Official resources

CVE-2026-50131 was published on 2026-06-10T22:17:01.543Z and modified on 2026-06-11T16:16:24.323Z.