Lemmy ActivityPub Federation Library Server-Side Request Forgery Vulnerability

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in the Lemmy ActivityPub federation library in versions prior to 0.7.0-beta.9. The issue arises in the 'v4_is_invalid()' function within 'src/utils.rs', which does not treat 'Ipv4Addr::UNSPECIFIED' (0.0.0.0) as an invalid destination. This oversight allows an unauthenticated attacker controlling a remote domain to bypass the SSRF protections implemented in response to CVE-2025-25194. Exploitation of this vulnerability enables access to localhost services on the target server.

Impact

Exploitation of this vulnerability bypasses the SSRF protection for all ActivityPub federation traffic, allowing access to internal services on localhost and cloud instance metadata via DNS rebinding techniques. This vulnerability affects Lemmy and over six other dependent projects.

Reproduction

The vulnerability can be reproduced by sending a Webfinger request to a domain that resolves to 0.0.0.0. The 'v4_is_invalid()' function does not flag this address as invalid, so the request bypasses the localhost protections and reaches services running on the local machine.
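As an added example that is not the federation library's own code, the following hardened address check covers the 0.0.0.0 case described in the Vulnerability section, plus IPv4-mapped IPv6 addresses, and applies the check to every resolved address to address the DNS rebinding point from the Impact section. The sample addresses are constructed for illustration.

```rust
use std::net::{IpAddr, Ipv4Addr, Ipv6Addr};

/// Reject IPv4 destinations that reach the local host or the internal network.
/// Added example, not the library's own `v4_is_invalid()`. The missing case
/// behind the advisory is `Ipv4Addr::UNSPECIFIED`: connecting to 0.0.0.0
/// reaches the local machine on Linux and macOS, just as 127.0.0.1 does.
pub fn v4_is_invalid(ip: Ipv4Addr) -> bool {
    ip.is_unspecified()            // 0.0.0.0, the case the original check lacked
        || ip.octets()[0] == 0     // the rest of 0.0.0.0/8 ("this network")
        || ip.is_loopback()        // 127.0.0.0/8
        || ip.is_private()         // 10/8, 172.16/12, 192.168/16
        || ip.is_link_local()      // 169.254/16, where cloud metadata (169.254.169.254) lives
        || ip.is_broadcast()       // 255.255.255.255
        || ip.is_documentation()   // TEST-NET ranges, never routable
}

/// IPv6 counterpart, including IPv4-mapped addresses (::ffff:a.b.c.d), which
/// would otherwise carry a blocked IPv4 address past the IPv4 check.
pub fn v6_is_invalid(ip: Ipv6Addr) -> bool {
    let seg = ip.segments();
    ip.is_unspecified()                        // ::
        || ip.is_loopback()                    // ::1
        || (seg[0] & 0xfe00) == 0xfc00         // fc00::/7 unique local
        || (seg[0] & 0xffc0) == 0xfe80         // fe80::/10 link local
        || ip.to_ipv4_mapped().map_or(false, v4_is_invalid)
}

pub fn ip_is_invalid(ip: IpAddr) -> bool {
    match ip {
        IpAddr::V4(v4) => v4_is_invalid(v4),
        IpAddr::V6(v6) => v6_is_invalid(v6),
    }
}

/// DNS-rebinding aware check: every address a hostname resolves to must pass,
/// and the caller must connect only to addresses from this same resolution
/// rather than letting the HTTP client resolve the name a second time.
pub fn resolved_addrs_are_safe(addrs: &[IpAddr]) -> bool {
    !addrs.is_empty() && addrs.iter().all(|ip| !ip_is_invalid(*ip))
}

fn main() {
    // Constructed sample: a hostname whose second lookup rebinds to 0.0.0.0.
    let first_lookup: Vec<IpAddr> = vec!["93.184.216.34".parse().unwrap()];
    let rebound: Vec<IpAddr> = vec!["0.0.0.0".parse().unwrap()];
    println!("first lookup safe: {}", resolved_addrs_are_safe(&first_lookup));
    println!("rebound lookup safe: {}", resolved_addrs_are_safe(&rebound));
}
```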

Remediation

Users should update to version 0.7.0-beta.9 or later of the Lemmy ActivityPub federation library, where this vulnerability has been patched.

Added: Mar 27, 2026, 1:39 AM
Updated: Mar 27, 2026, 1:39 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 8.7
remediation: 0.0
relevance: 4.8
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.