Lemmy Server-Side Request Forgery Vulnerability in ActivityPub Federation Dependency

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in Lemmy, a link aggregator and forum for the fediverse. This issue arises from a dependency on activitypub_federation, a framework for ActivityPub federation in Rust. The vulnerability is present in Lemmy versions through 0.19.8 and in activitypub_federation versions through 0.6.2. The flaw allows users to bypass hardcoded URL path restrictions and security measures intended to prevent access to localhost services, enabling arbitrary GET requests to any host, port, and URL via a Webfinger request.

Impact

Exploitation of this vulnerability allows users to send GET requests to internal services, potentially targeting known vulnerabilities on the server's host.

Reproduction

To reproduce this vulnerability, send a Webfinger request with a manipulated 'resource' parameter that includes a domain resolving to a local IP or a blocked domain with a trailing dot. The request will bypass localhost restrictions and access internal services.
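
The defensive counterpart to the bypass described above is a target check that normalises the Webfinger host before comparing it against any block list and that screens every address the host resolves to, not just the literal string. The Rust below is an added example written for this page; it is not code from Lemmy or from the activitypub_federation crate. It assumes a hypothetical host block list (here containing "localhost"), that the caller performs DNS resolution and passes the resulting addresses in, and that the resource parameter takes either the acct: form or an http(s) URL; all sample inputs are constructed.

```rust
use std::net::IpAddr;

/// Pull the host out of a Webfinger `resource` value. Handles the two
/// common shapes, `acct:user@host` and `http(s)://host[:port]/path`.
/// Returns the host exactly as written (trailing dot included) so the
/// caller can see what normalisation later changes.
pub fn host_from_resource(resource: &str) -> Option<String> {
    if let Some(acct) = resource.strip_prefix("acct:") {
        let (_user, host) = acct.rsplit_once('@')?;
        return Some(host.to_string());
    }
    let rest = resource
        .strip_prefix("https://")
        .or_else(|| resource.strip_prefix("http://"))?;
    let authority = rest.split(['/', '?', '#']).next()?;
    // Drop userinfo and port; a bracketed IPv6 literal is kept whole.
    let authority = authority.rsplit('@').next()?;
    let host = if authority.starts_with('[') {
        authority.split(']').next().map(|h| &h[1..])?
    } else {
        authority.split(':').next()?
    };
    Some(host.to_string())
}

/// Lowercase the host and strip a trailing dot, so that `localhost.`
/// and `LOCALHOST` both compare equal to a block-list entry `localhost`.
pub fn normalize_host(host: &str) -> String {
    host.trim().trim_end_matches('.').to_ascii_lowercase()
}

/// Addresses a federation server must never fetch from: loopback,
/// private, link-local (including the 169.254.169.254 metadata range),
/// unspecified, and their IPv6 equivalents, plus IPv4-mapped IPv6.
pub fn is_forbidden_ip(ip: IpAddr) -> bool {
    match ip {
        IpAddr::V4(v4) => {
            v4.is_loopback()
                || v4.is_private()
                || v4.is_link_local()
                || v4.is_unspecified()
                || v4.is_broadcast()
        }
        IpAddr::V6(v6) => {
            v6.is_loopback()
                || v6.is_unspecified()
                // ::ffff:a.b.c.d must be judged as the IPv4 address it wraps.
                || v6.to_ipv4_mapped().map_or(false, |v4| is_forbidden_ip(IpAddr::V4(v4)))
                || (v6.segments()[0] & 0xfe00) == 0xfc00 // unique local, fc00::/7
                || (v6.segments()[0] & 0xffc0) == 0xfe80 // link local, fe80::/10
        }
    }
}

/// Decide whether a Webfinger fetch to `raw_host` may proceed.
/// `resolved` holds the addresses the normalised host resolves to; the
/// lookup is injected so the check is testable offline. `blocked_hosts`
/// is a hypothetical operator block list.
pub fn allow_webfinger_fetch(
    raw_host: &str,
    resolved: &[IpAddr],
    blocked_hosts: &[&str],
) -> Result<String, String> {
    let host = normalize_host(raw_host);
    if host.is_empty() {
        return Err("empty host".to_string());
    }
    // Normalise both sides, so a trailing dot no longer defeats the list.
    if blocked_hosts.iter().any(|b| normalize_host(b) == host) {
        return Err(format!("{host} is on the host block list"));
    }
    // A bare IP literal needs no DNS lookup but must still be screened.
    if let Ok(ip) = host.parse::<IpAddr>() {
        if is_forbidden_ip(ip) {
            return Err(format!("{host} is a forbidden address"));
        }
        return Ok(host);
    }
    if resolved.is_empty() {
        return Err(format!("{host} did not resolve"));
    }
    // Every answer must be public; one internal answer is enough to
    // refuse, because the HTTP client may connect to any of them.
    if let Some(bad) = resolved.iter().find(|ip| is_forbidden_ip(**ip)) {
        return Err(format!("{host} resolves to forbidden address {bad}"));
    }
    Ok(host)
}

fn main() {
    // Constructed sample resources and constructed DNS answers.
    let ip = |s: &str| s.parse::<IpAddr>().unwrap();
    let cases = [
        ("acct:alice@example.com", vec![ip("93.184.216.34")]),
        ("acct:alice@localhost.", vec![ip("127.0.0.1")]),
        ("https://internal.example/.well-known/webfinger", vec![ip("10.0.0.5")]),
    ];
    for (resource, resolved) in cases {
        let host = host_from_resource(resource).unwrap_or_default();
        println!("{resource}: {:?}", allow_webfinger_fetch(&host, &resolved, &["localhost"]));
    }
}
```

Two caveats belong with a check like this. The vetted address must be the one the client actually connects to (resolve once, then pin that address), otherwise a name that answers differently on the second lookup bypasses the screen; and any redirect the remote server returns must be run through the same check before it is followed.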

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 2.2
impact: 2.5
exploitability: 9.7
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.