webfinger.js Blind Server-Side Request Forgery Vulnerability

Vulnerability

A blind Server-Side Request Forgery (SSRF) vulnerability has been identified in webfinger.js, a TypeScript-based WebFinger client for browsers and Node.js. This issue affects versions 2.8.0 and prior. The vulnerability arises because the lookup function accepts user-provided addresses for account verification without properly restricting access to localhost services in production, as required by the ActivityPub specification. The library's check for 'localhost' is limited, so a crafted address can make it send GET requests to local or internal network services, potentially reaching restricted resources.

Impact

Exploitation of this vulnerability allows for blind SSRF attacks, where an attacker can make the server send requests to internal services or localhost, potentially accessing sensitive information or exploiting other vulnerabilities.

Reproduction

To reproduce this vulnerability, first set up a local HTTP server on port 1234 that serves a file, such as 'secret.txt'. Then, send a request to a server running webfinger.js on port 3000, using the WebFinger lookup endpoint. Include a crafted user address that points to the local server and the file being served. The webfinger.js library will process the request and, due to the vulnerability, access the specified file through the crafted URL, demonstrating the SSRF exploit.

Remediation

Users can update to webfinger.js version 2.8.1, which addresses the SSRF vulnerability by blocking private addresses and localhost access in production environments, in accordance with ActivityPub security guidelines.

Added: Aug 1, 2025, 6:48 PM
Updated: Aug 1, 2025, 6:48 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.0
exploitability: 7.7
remediation: 7.7
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.