This vulnerability allows a user to make the application perform an arbitrary GET request to any host, port and URL (server-side request forgery).
Affected versions: (, 2.8.0]
The lookup function takes a user address and uses it to look up accounts. However, as per the ActivityPub specification (Security Considerations, section B.3, "Accessing localhost services"), access to localhost services should be prevented while running in production.
If the address is in the format of a user address (user@host.com), the host is taken to be everything after the first @ symbol. Since no other validation is performed, an adversary may pass a specially crafted address such as user@localhost:7000/admin/restricted_page? and reach pages that would normally be out of reach.
This PoC assumes that there is a server on the machine listening on port 3000 which receives requests for WebFinger lookups at /api/v1/search_user and then calls the lookup function of webfinger.js with the value of the search parameter as the address. For the sake of the example, we assume that the server configured webfinger.js with tls_only=false, so that lookups are made over plain HTTP.
- Start a local HTTP server listening on port 1234 in a directory that contains a "secret.txt" file:
python3 -m http.server 1234
- Run the following command:
curl "http://localhost:3000/api/v1/search_user?search=user@localhost:1234/secret.txt?"
- View the console of the Python HTTP server and see that a request for "secret.txt?/.well-known/webfinger?resource=acct:user@localhost:1234/secret.txt?" was performed. The host taken from the address was "localhost:1234/secret.txt?", so the lookup URL became http://localhost:1234/secret.txt?/.well-known/webfinger?resource=acct:user@localhost:1234/secret.txt?; the trailing "?" in the crafted address turns the library's own WebFinger path and query into a query string, and the server serves secret.txt.
No mitigations are supplied for this issue.