Share
## https://sploitus.com/exploit?id=2D77F59B-BA7D-56D0-9944-A299490DE299
# CVE-2026-50131
Fedify incomplete SSRF mitigation after `GHSA-p9cg-vqcc-grcx`: `validatePublicUrl()` allowed special-use IPv4 ranges.
**Primary advisory:** [GHSA-xw9q-2mv6-9fr8](https://github.com/fedify-dev/fedify/security/advisories/GHSA-xw9q-2mv6-9fr8)
**Official CVE record:** [CVE-2026-50131](https://vulners.com/cve/CVE-2026-50131)
**Researcher credit:** [@chaitanyagarware](https://github.com/chaitanyagarware)
## At a Glance
| Field | Value |
| --- | --- |
| CVE | `CVE-2026-50131` |
| GHSA | `GHSA-xw9q-2mv6-9fr8` |
| Project | `fedify-dev/fedify` |
| Packages | `@fedify/fedify`, `@fedify/vocab-runtime` |
| Ecosystems | npm, JSR |
| Severity | High |
| CVSS | 8.6, `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L` |
| Weaknesses | `CWE-918`, `CWE-1286`, `CWE-1389` |
| Published | GitHub advisory: 2026-06-08; CVE.org: 2026-06-10 |
| NVD status | Present, `Deferred` as of 2026-07-09 |
| OSV status | Present |
## Summary
Fedify previously added public URL validation to mitigate SSRF and internal-network access. The follow-up issue was that the IPv4 validation logic still treated multiple special-use, reserved, multicast, benchmarking, documentation, and carrier-grade NAT ranges as public destinations.
Because `validatePublicUrl()` was used before outbound ActivityPub document and media fetching, the incomplete IP classification could bypass the intended SSRF protection boundary.
## Affected Versions
| Product | Affected |
| --- | --- |
| `@fedify/fedify` | `>= 0.11.2, = 1.10.0, = 2.0.0, = 2.1.0, = 2.2.0, = 2.1.0, = 2.2.0, < 2.2.4` |
## Fixed Versions
| Product | Fixed |
| --- | --- |
| `@fedify/fedify` | `1.9.12`, `1.10.11`, `2.0.19`, `2.1.15`, `2.2.4` |
| `@fedify/vocab-runtime` | `2.0.19`, `2.1.15`, `2.2.4` |
## Public Database Coverage
| Source | Status | Link |
| --- | --- | --- |
| GitHub repository advisory | Published | [GHSA-xw9q-2mv6-9fr8](https://github.com/fedify-dev/fedify/security/advisories/GHSA-xw9q-2mv6-9fr8) |
| CVE.org / CVE Services | Published | [CVE-2026-50131](https://vulners.com/cve/CVE-2026-50131) |
| NVD | Present, Deferred | [NVD detail](https://nvd.nist.gov/vuln/detail/CVE-2026-50131) |
| OSV | Present | [OSV record](https://osv.dev/vulnerability/CVE-2026-50131) |
| CVEProject cvelistV5 | Present | [cvelistV5 JSON](https://github.com/CVEProject/cvelistV5/blob/main/cves/2026/50xxx/CVE-2026-50131.json) |
| CISA Vulnrichment | Present | [vulnrichment JSON](https://github.com/cisagov/vulnrichment/blob/develop/2026/50xxx/CVE-2026-50131.json) |
## Additional Public Mentions Found
- `fedify-dev/fedify` changelog references `GHSA-xw9q-2mv6-9fr8`.
- `fedify-dev/hollo` and `fedify-dev/botkit` changelogs reference the same advisory because they consume Fedify packages.
- `Patrowl/PatrowlHearsData` mirrors CVE and SSVC data for this ID.
- `sec-dojo-com/cve-poc` has a public page for `CVE-2026-50131`.
## Disclosure Note
This repository is a public index and portfolio landing page. It intentionally summarizes the vulnerability and links to authoritative records instead of copying full proof-of-concept exploit scripts.