Discussion
Loading...

Post

  • About
  • Code of conduct
  • Privacy
  • Users
  • Instances
  • About Bonfire
Fedify: an ActivityPub server framework
@fedify@hollo.social  ·  activity timestamp 2 months ago

All #Fedify users must immediately update to the latest patched versions. A #critical authentication bypass #vulnerability (CVE-2025-54888) has been discovered in Fedify that allows attackers to impersonate any #ActivityPub actor by sending forged activities signed with their own keys.

This vulnerability affects all Fedify instances and enables complete actor impersonation across the federation network. Attackers can send fake posts and messages as any user, create or remove follows as any user, boost and share content as any user, and completely compromise the federation trust model. The vulnerability affects all Fedify instances but does not propagate to other ActivityPub implementations like Mastodon, which properly validate authentication before processing activities.

The following versions contain the #security fix: 1.3.20, 1.4.13, 1.5.5, 1.6.8, 1.7.9, and 1.8.5. Users should update immediately using their package manager with commands such as npm update @fedify/fedify, yarn upgrade @fedify/fedify, pnpm update @fedify/fedify, bun update @fedify/fedify, or deno update @fedify/fedify.

After updating, redeploy your application immediately and monitor recent activities for any suspicious content. Please also inform other Fedify operators about this critical update to ensure the security of the entire federation network.

The safety and security of our community depends on immediate action. Please update now and feel free to leave comments below if you have any questions.

#fedidev

  • Copy link
  • Flag this post
  • Block
Log in

bonfire.cafe

A space for Bonfire maintainers and contributors to communicate

bonfire.cafe: About · Code of conduct · Privacy · Users · Instances
Bonfire social · 1.0.0-rc.3.1 no JS en
Automatic federation enabled
  • Explore
  • About
  • Members
  • Code of Conduct
Home
Login