CVE-2026-50131
Fedify · Fedify (TypeScript library)
A Server-Side Request Forgery (SSRF) vulnerability in the Fedify TypeScript library allows attackers to bypass IP validation and interact with internal or restricted network resources.
Executive summary
Incomplete IPv4 validation in the Fedify library enables Server-Side Request Forgery, allowing attackers to target internal network resources.
Vulnerability
This is a Server-Side Request Forgery (SSRF) vulnerability caused by flawed logic in the isValidPublicIPv4Address() function. The function fails to properly filter special-use, reserved, and internal IP ranges, allowing attackers to force the server to initiate requests to unauthorized internal destinations.
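For comparison, the kind of check a defender would want in place of an incomplete one: an added example, not Fedify's own isValidPublicIPv4Address(), that parses a dotted-quad strictly and rejects every special-use IPv4 range (RFC 1918 private space, loopback, link-local including the cloud metadata address, CGNAT, multicast and reserved space). The function and constant names are this example's own.

```typescript
// Added example (not Fedify's code): strict dotted-quad parsing plus a denylist
// of special-use IPv4 ranges, so only routable public unicast addresses pass.

// [prefix, prefixLength] pairs; any match means the address must not be fetched.
const SPECIAL_USE_IPV4: ReadonlyArray<readonly [string, number]> = [
  ["0.0.0.0", 8],        // "this" network
  ["10.0.0.0", 8],       // private (RFC 1918)
  ["100.64.0.0", 10],    // shared address space / CGNAT (RFC 6598)
  ["127.0.0.0", 8],      // loopback
  ["169.254.0.0", 16],   // link-local, incl. cloud metadata 169.254.169.254
  ["172.16.0.0", 12],    // private (RFC 1918)
  ["192.0.0.0", 24],     // IETF protocol assignments
  ["192.0.2.0", 24],     // TEST-NET-1
  ["192.88.99.0", 24],   // former 6to4 relay anycast
  ["192.168.0.0", 16],   // private (RFC 1918)
  ["198.18.0.0", 15],    // benchmarking
  ["198.51.100.0", 24],  // TEST-NET-2
  ["203.0.113.0", 24],   // TEST-NET-3
  ["224.0.0.0", 4],      // multicast
  ["240.0.0.0", 4],      // reserved, incl. 255.255.255.255 broadcast
];

// Parse a strict dotted-quad into an unsigned 32-bit number; return null for
// anything else (hex/octal forms, fewer than four octets, leading zeros, >255).
function parseIPv4(s: string): number | null {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  let n = 0;
  for (let i = 1; i <= 4; i++) {
    const part = m[i];
    if (part.length > 1 && part[0] === "0") return null; // no leading zeros
    const v = Number(part);
    if (v > 255) return null;
    n = n * 256 + v;
  }
  return n;
}

// True only for a syntactically strict address outside every special-use range.
function isRoutablePublicIPv4(s: string): boolean {
  const ip = parseIPv4(s);
  if (ip === null) return false;
  return !SPECIAL_USE_IPV4.some(([prefix, len]) => {
    const net = parseIPv4(prefix) as number;
    const mask = (0xffffffff << (32 - len)) >>> 0;
    return ((ip & mask) >>> 0) === net;
  });
}
```

Run the check against the address the resolver actually returned, and again after every redirect, rather than against the hostname string alone; IPv6 needs its own equivalent denylist.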
Business impact
The CVSS score of 8.6 reflects the severity of this SSRF flaw. An attacker can use this vulnerability to probe internal network infrastructure, reach sensitive internal metadata services, or interact with services not intended for public access, potentially leading to unauthorized data exposure.
Remediation
Immediate Action: Update Fedify to the patched versions: 1.9.12, 1.10.11, 2.0.19, 2.1.15, or 2.2.4.
Proactive Monitoring: Monitor outgoing server traffic for requests directed toward internal or restricted IP ranges originating from the Fedify application.
Compensating Controls: Implement strict egress filtering at the network level to prevent the server from initiating connections to sensitive internal segments.
Exploitation status
Public Exploit Available: not recorded
Analyst recommendation
Developers and administrators using the Fedify library must update their project dependencies to a patched version immediately. The ability to bypass SSRF protections poses a significant threat to internal network security and should be addressed without delay.