WebFinger.js TypeScript Client Vulnerability in Silverbucket Product
CVE-2025-54590
6.9MEDIUM
What is CVE-2025-54590?
The WebFinger.js library, used for account checks in both browser and Node.js environments, contains a flaw in its lookup function. In versions 2.8.0 and earlier, it fails to adequately restrict access to localhost services, only verifying hosts that start with 'localhost' and end with a port. This oversight allows malicious users to exploit the library by crafting GET requests with manipulated host, path, and port parameters. Consequently, attackers could perform blind SSRF attacks, potentially querying services within the local network or the instance's host, posing significant security risks. This vulnerability has been addressed in version 2.8.1.
Affected Version(s)
webfinger.js < 2.8.1