CVE-2025-25194

Server-Side Request Forgery (SSRF) in activitypub_federation

Description

Lemmy, a link aggregator and forum for the fediverse, is vulnerable to server-side request forgery via its dependency on activitypub_federation, a framework for ActivityPub federation in Rust. The vulnerability, present in versions 0.6.2 and prior of activitypub_federation and versions 0.19.8 and prior of Lemmy, allows a user to bypass any predefined hardcoded URL path or anti-localhost security check and cause the server to perform an arbitrary GET request to any host, port and URL by way of a WebFinger request. As of the time of publication, a fix has not been made available.
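The defensive pattern the description implies, as an added illustration that is not code from activitypub_federation or Lemmy: the server derives the fetch target only from the host part of an `acct:user@host` resource, refuses hosts that carry URL delimiters, explicit ports, or loopback/private address literals, and always uses the fixed `/.well-known/webfinger` path. The types and function names are assumptions for this example.

```rust
use std::net::IpAddr;

/// Result of validating a WebFinger lookup target (constructed for this example).
#[derive(Debug, PartialEq)]
pub enum WebfingerTarget {
    Allowed(String),
    Rejected(&'static str),
}

/// Extract the host from an `acct:user@host` resource identifier.
fn host_from_acct(resource: &str) -> Option<&str> {
    let rest = resource.strip_prefix("acct:")?;
    let (_user, host) = rest.rsplit_once('@')?;
    if host.is_empty() { None } else { Some(host) }
}

/// Reject hosts that could redirect the request to another path, port, or a
/// loopback/private address (the "anti-localhost" class of check).
fn host_is_safe(host: &str) -> Result<(), &'static str> {
    if host.contains(|c| matches!(c, '/' | '?' | '#' | '@' | '\\')) {
        return Err("host contains URL delimiter");
    }
    if host.eq_ignore_ascii_case("localhost") || host.ends_with(".localhost") {
        return Err("localhost not allowed");
    }
    // Bracketed IPv6 literals are parsed as addresses; any other ':' means an explicit port.
    let ip = match host.strip_prefix('[').and_then(|h| h.strip_suffix(']')) {
        Some(inner) => inner.parse::<IpAddr>().ok(),
        None if host.contains(':') => return Err("explicit port not allowed"),
        None => host.parse::<IpAddr>().ok(),
    };
    let blocked = match ip {
        Some(IpAddr::V4(v4)) => v4.is_loopback() || v4.is_private() || v4.is_link_local() || v4.is_unspecified(),
        Some(IpAddr::V6(v6)) => v6.is_loopback() || v6.is_unspecified()
            || v6.to_ipv4_mapped().map_or(false, |v4| v4.is_loopback() || v4.is_private()),
        None => false,
    };
    if blocked { Err("IP literal in blocked range") } else { Ok(()) }
}

/// Build the only URL the server will fetch: fixed scheme, validated host,
/// hardcoded well-known path, and the resource percent-encoded into the query.
pub fn webfinger_url(resource: &str) -> WebfingerTarget {
    let Some(host) = host_from_acct(resource) else {
        return WebfingerTarget::Rejected("resource is not acct:user@host");
    };
    if let Err(reason) = host_is_safe(host) {
        return WebfingerTarget::Rejected(reason);
    }
    let encoded: String = resource.bytes().map(|b| match b {
        b'A'..=b'Z' | b'a'..=b'z' | b'0'..=b'9' | b'-' | b'.' | b'_' | b'~' => (b as char).to_string(),
        _ => format!("%{:02X}", b),
    }).collect();
    WebfingerTarget::Allowed(format!("https://{}/.well-known/webfinger?resource={}", host, encoded))
}
```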

Severity: Medium
CVSS 3.1 score: 4.0
EPSS: 0.04%
Affected: LemmyNet lemmy

Frequently Asked Questions

What is the severity of CVE-2025-25194?
CVE-2025-25194 has been scored as a medium severity vulnerability.
How to fix CVE-2025-25194?
To fix CVE-2025-25194, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As of now, there are no other specific guidelines available.
Is CVE-2025-25194 being actively exploited in the wild?
As of now, there is no information confirming that CVE-2025-25194 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2025-25194?
CVE-2025-25194 affects LemmyNet lemmy.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.