<p>We have released <a href="/tags/security/" rel="tag">#security</a> updates (<a href="https://github.com/dahlia/fedify/releases/tag/1.0.14" rel="nofollow">1.0.14</a>, <a href="https://github.com/dahlia/fedify/releases/tag/1.1.11" rel="nofollow">1.1.11</a>, <a href="https://github.com/dahlia/fedify/releases/tag/1.2.11" rel="nofollow">1.2.11</a>, <a href="https://github.com/dahlia/fedify/releases/tag/1.3.4" rel="nofollow">1.3.4</a>) to address <a href="https://github.com/dahlia/fedify/security/advisories/GHSA-c59p-wq67-24wx" rel="nofollow">CVE-2025-23221</a>, a <a href="/tags/vulnerability/" rel="tag">#vulnerability</a> in <a href="/tags/fedify/" rel="tag">#Fedify</a>'s <a href="/tags/webfinger/" rel="tag">#WebFinger</a> implementation. We recommend all users update to the latest version of their respective release series immediately.</p>
<p>The Vulnerability</p>
<p>A security researcher identified multiple security issues in Fedify's lookupWebFinger() function that could be exploited to:</p>
<p>Perform denial-of-service attacks through infinite redirect loops<br>Execute server-side request forgery (<a href="/tags/ssrf/" rel="tag">#SSRF</a>) attacks via redirects to private network addresses<br>Access unintended URL schemes through redirect manipulation</p>
<p>Fixed Versions</p>
<p>1.3.x series: Update to <a href="https://github.com/dahlia/fedify/releases/tag/1.3.4" rel="nofollow">1.3.4</a><br>1.2.x series: Update to <a href="https://github.com/dahlia/fedify/releases/tag/1.2.11" rel="nofollow">1.2.11</a><br>1.1.x series: Update to <a href="https://github.com/dahlia/fedify/releases/tag/1.1.11" rel="nofollow">1.1.11</a><br>1.0.x series: Update to <a href="https://github.com/dahlia/fedify/releases/tag/1.0.14" rel="nofollow">1.0.14</a></p>
<p>Changes</p>
<p>The security updates implement the following fixes:</p>
<p>Added a maximum redirect limit (5) to prevent infinite redirect loops<br>Restricted redirects to only follow the same scheme as the original request (HTTP/HTTPS)<br>Blocked redirects to private network addresses to prevent SSRF attacks</p>
<p>How to Update</p>
<p>To update to the latest secure version:</p>
<p># For npm users<br>npm update @fedify/fedify<br># For Deno users<br>deno add jsr:@fedify/fedify</p>
<p>We thank the security researcher who responsibly disclosed this vulnerability, allowing us to address these issues promptly.</p>
<p>For more details about this vulnerability, please refer to our <a href="https://github.com/dahlia/fedify/security/advisories/GHSA-c59p-wq67-24wx" rel="nofollow">security advisory</a>.</p>
<p>If you have any questions or concerns, please don't hesitate to reach out through our <a href="https://github.com/dahlia/fedify/discussions" rel="nofollow">GitHub Discussions</a>, join our <a href="https://matrix.to/#/#fedify:matrix.org" rel="nofollow">Matrix chat space</a>, or our <a href="https://discord.gg/bhtwpzURwd" rel="nofollow">Discord server</a>.</p>
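<p>The three fixes listed above, shown as an added example that is not Fedify's own lookupWebFinger() code: a hand-rolled redirect follower with a 5-hop limit, a same-scheme check and a private-address check. The fetch function, the route table and the isPrivateHost helper are assumptions constructed for this illustration; the helper checks literal IP addresses only.</p>

```typescript
// Added example, not Fedify's own code: the advisory's three redirect checks
// applied while following a WebFinger redirect chain against stubbed responses.
const MAX_REDIRECTS = 5; // limit stated in the advisory
type WfResponse = { status: number; location?: string; body?: string };
export type Fetcher = (url: URL) => WfResponse;
// Rejects literal loopback/private/link-local hosts. Assumption: literal
// addresses only; names resolving to private ranges need a resolver-level check.
export function isPrivateHost(hostname: string): boolean {
  const h = hostname.replace(/^\[|\]$/g, "").toLowerCase();
  if (h === "localhost" || h === "::1" || h === "::") return true;
  const v4 = h.match(/^(\d+)\.(\d+)\.\d+\.\d+$/);
  if (v4) {
    const a = Number(v4[1]), b = Number(v4[2]);
    return a === 0 || a === 10 || a === 127 || (a === 169 && b === 254) ||
      (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
  }
  return /^f[cd][0-9a-f]{2}:/.test(h) || /^fe[89ab][0-9a-f]:/.test(h); // fc00::/7, fe80::/10
}
// Follows redirects under the advisory's limits; throws on any refused hop.
export function fetchWebFingerSafely(start: string, fetch: Fetcher): string {
  let current = new URL(start);
  if (current.protocol !== "http:" && current.protocol !== "https:") throw new Error("unsupported scheme");
  for (let hops = 0; ; hops++) {
    const res = fetch(current);
    if (res.status < 300 || res.status > 399) return res.body ?? "";
    if (hops >= MAX_REDIRECTS) throw new Error("too many redirects");
    if (!res.location) throw new Error("redirect without Location");
    const next = new URL(res.location, current); // resolves relative Location headers
    if (next.protocol !== current.protocol) throw new Error(`scheme change to ${next.protocol}`);
    if (isPrivateHost(next.hostname)) throw new Error(`private target ${next.hostname}`);
    current = next;
  }
}
// Constructed responses: a legitimate hop, a loop, a private target, a scheme change.
const routes: Record<string, WfResponse> = {
  "https://example.com/.well-known/webfinger?resource=acct:alice@example.com":
    { status: 302, location: "https://id.example.com/wf?resource=acct:alice@example.com" },
  "https://id.example.com/wf?resource=acct:alice@example.com":
    { status: 200, body: '{"subject":"acct:alice@example.com"}' },
  "https://loop.example/wf": { status: 302, location: "/wf" },
  "https://leak.example/wf": { status: 302, location: "https://10.0.0.5/admin" },
  "https://down.example/wf": { status: 302, location: "http://down.example/wf" },
};
export const stubFetch: Fetcher = (url) => routes[url.href] ?? { status: 404 };
// Returns the body on success or the refusal reason otherwise.
export function outcome(start: string): string {
  try { return fetchWebFingerSafely(start, stubFetch); } catch (e) { return `refused: ${(e as Error).message}`; }
}
```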
<p>🔒 Security Update for BotKit Users</p><p>We've released <a href="/tags/security/" rel="tag">#security</a> patch versions <a href="https://github.com/fedify-dev/botkit/releases/tag/0.1.2" rel="nofollow">BotKit 0.1.2</a> and <a href="https://github.com/fedify-dev/botkit/releases/tag/0.2.2" rel="nofollow">0.2.2</a> to address <a href="https://github.com/fedify-dev/fedify/security/advisories/GHSA-6jcc-xgcr-q3h4" rel="nofollow">CVE-2025-54888</a>, a security <a href="/tags/vulnerability/" rel="tag">#vulnerability</a> discovered in <a href="/tags/fedify/" rel="tag">#Fedify</a>. These updates incorporate the latest patched version of Fedify to ensure your bots remain secure.</p><p>We strongly recommend all <a href="/tags/botkit/" rel="tag">#BotKit</a> users update to the latest patch version immediately. Thank you for keeping the <a href="/tags/fediverse/" rel="tag">#fediverse</a> safe! 🛡️</p><p><a href="/tags/fedidev/" rel="tag">#fedidev</a></p>
<p>We've released <a href="/tags/security/" rel="tag">#security</a> updates for <a href="/tags/hollo/" rel="tag">#Hollo</a> (<a href="https://github.com/fedify-dev/hollo/releases/tag/0.4.12" rel="nofollow">0.4.12</a>, <a href="https://github.com/fedify-dev/hollo/releases/tag/0.5.7" rel="nofollow">0.5.7</a>, and <a href="https://github.com/fedify-dev/hollo/releases/tag/0.6.6" rel="nofollow">0.6.6</a>) to address a <a href="/tags/vulnerability/" rel="tag">#vulnerability</a> in the underlying <a href="/tags/fedify/" rel="tag">#Fedify</a> framework. These updates incorporate the latest Fedify security patches that fix <a href="https://github.com/fedify-dev/fedify/security/advisories/GHSA-6jcc-xgcr-q3h4" rel="nofollow">CVE-2025-54888</a>.</p><p>We strongly recommend all Hollo instance administrators update to the latest version for their respective release branch as soon as possible.</p><p>Update Instructions:</p><p>Railway users: Go to your project dashboard, select your Hollo service, click the three dots menu in deployments, and choose “Redeploy”<br>Docker users: Pull the latest image with docker pull ghcr.io/fedify-dev/hollo:latest and restart your containers<br>Manual installations: Run git pull to get the latest code, then pnpm install and restart your service</p>
