WebFinger.js TypeScript Client Vulnerability in Silverbucket Product
CVE-2025-54590

6.9MEDIUM

Key Information:

Vendor

Silverbucket

Status
Webfinger.js
Vendor
CVE Published:
1 August 2025

What is CVE-2025-54590?

The WebFinger.js library, used for account checks in both browser and Node.js environments, contains a flaw in its lookup function. In versions 2.8.0 and earlier, it fails to adequately restrict access to localhost services, only verifying hosts that start with 'localhost' and end with a port. This oversight allows malicious users to exploit the library by crafting GET requests with manipulated host, path, and port parameters. Consequently, attackers could perform blind SSRF attacks, potentially querying services within the local network or the instance's host, posing significant security risks. This vulnerability has been addressed in version 2.8.1.

Affected Version(s)

webfinger.js < 2.8.1

References

https://github.com/silverbucket/webfinger.js/security/adv...
x_refsource_CONFIRM
https://github.com/silverbucket/webfinger.js/commit/b5f2f...
x_refsource_MISC
https://github.com/silverbucket/webfinger.js/releases/tag...
x_refsource_MISC

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.