Authentication Bypass in Fedify TypeScript Library Affects Multiple Versions
CVE-2025-54888

Currently unrated

Key Information:

Vendor: Fedify

CVE Published: 9 August 2025

What is CVE-2025-54888?

The Fedify TypeScript library, used for building federated server applications, is vulnerable to an authentication bypass that lets unauthenticated attackers impersonate any ActivityPub actor. In the affected versions, activities are processed without verifying that the signing key belongs to the claimed actor. An attacker can therefore send forged activities signed with their own keys, leading to complete actor impersonation across all instances of Fedify. The vulnerability has been fixed in subsequent releases.
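
The missing check described above, as an added TypeScript example (not Fedify's code or its actual fix): after a signature verifies against some key, the receiver confirms that the claimed actor's own document publishes that key. The function names, the `publicKey`/`owner` document layout and the example URLs are assumptions, and the actor documents are constructed in place of network fetches.

```typescript
// Added example, not Fedify code. Every name and document here is hypothetical.
type Doc = { [k: string]: any };

// Constructed actor documents, standing in for what a receiver would fetch
// from each actor's own URL.
const ACTOR_DOCS: { [url: string]: Doc } = {
  "https://good.example/users/alice": {
    id: "https://good.example/users/alice",
    publicKey: {
      id: "https://good.example/users/alice#main-key",
      owner: "https://good.example/users/alice",
    },
  },
  "https://other.example/users/mallory": {
    id: "https://other.example/users/mallory",
    publicKey: [{
      id: "https://other.example/users/mallory#main-key",
      owner: "https://other.example/users/mallory",
    }],
  },
};

// ActivityPub properties may hold a URL string, an object with an id, or an array.
function idsOf(value: unknown): string[] {
  const items = Array.isArray(value) ? value : value == null ? [] : [value];
  return items
    .map((v) => (typeof v === "string" ? v : (v as Doc)?.id))
    .filter((v): v is string => typeof v === "string");
}

// Call only after the signature has verified against the key named by keyId.
// Returns true only if the claimed actor's own document publishes that key.
function keyBelongsToActor(activity: Doc, keyId: string): boolean {
  const actors = idsOf(activity.actor);
  const actor = actors[0];
  // Missing or ambiguous actor: reject rather than guess.
  if (actors.length !== 1 || typeof actor !== "string") return false;
  const actorDoc = ACTOR_DOCS[actor];
  if (!actorDoc || actorDoc.id !== actor) return false;
  const keys: Doc[] = Array.isArray(actorDoc.publicKey)
    ? actorDoc.publicKey
    : actorDoc.publicKey ? [actorDoc.publicKey] : [];
  // The key must be listed by the actor and name that actor as its owner.
  return keys.some((k) => k.id === keyId && k.owner === actor);
}
```

A validly signed activity that fails this check is signed by someone other than the actor it names and should be rejected before any handler runs.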

Timeline

  • Vulnerability published
