Description
Fedify is a TypeScript library for building federated server apps powered by ActivityPub. In versions below 1.3.20, 1.4.0-dev.585 through 1.4.12, 1.5.0-dev.636 through 1.5.4, 1.6.0-dev.754 through 1.6.7, 1.7.0-pr.251.885 through 1.7.8 and 1.8.0-dev.909 through 1.8.4, an authentication bypass vulnerability allows any unauthenticated attacker to impersonate any ActivityPub actor by sending forged activities signed with their own keys. Activities are processed before verifying the signing key belongs to the claimed actor, enabling complete actor impersonation across all Fedify instances. This is fixed in versions 1.3.20, 1.4.13, 1.5.5, 1.6.8, 1.7.9 and 1.8.5.
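The ordering the description refers to, as an added TypeScript example (not Fedify's code; all type and function names and the example hosts are assumptions): an activity reaches a listener only after the key that validated the signature is shown to belong to the claimed actor. Signature verification itself is assumed to happen elsewhere and is represented by a boolean.

```typescript
// Added example: hypothetical types and names, not Fedify's API.
interface Activity { id: string; type: string; actor: string }
interface Delivery {
  keyId: string;           // keyId parameter of the request signature
  signatureValid: boolean; // outcome of cryptographic verification, assumed done elsewhere
  activity: Activity;
}
type Verdict = { ok: true } | { ok: false; reason: string };

// keyOwners: keyId -> actor IRI named as owner in the fetched key document.
function authorize(d: Delivery, keyOwners: Map<string, string>): Verdict {
  if (!d.signatureValid) return { ok: false, reason: "bad signature" };
  const owner = keyOwners.get(d.keyId);
  if (owner === undefined) return { ok: false, reason: "unknown key" };
  // The binding step: a valid signature only proves who holds the key,
  // so the key's owner must be exactly the actor the activity claims.
  if (owner !== d.activity.actor) {
    return { ok: false, reason: "key owner does not match actor" };
  }
  return { ok: true };
}

// Listeners run only after authorize() succeeds, never before.
function receive(
  d: Delivery,
  keyOwners: Map<string, string>,
  listener: (a: Activity) => void,
): Verdict {
  const verdict = authorize(d, keyOwners);
  if (verdict.ok) listener(d.activity);
  return verdict;
}

// Constructed sample data (the example hosts are placeholders).
const sampleKeys = new Map([
  ["https://a.example/users/alice#main-key", "https://a.example/users/alice"],
  ["https://b.example/users/mallory#main-key", "https://b.example/users/mallory"],
]);
const forged: Delivery = {
  keyId: "https://b.example/users/mallory#main-key", // valid key, wrong owner
  signatureValid: true,
  activity: { id: "https://a.example/activities/1", type: "Create",
              actor: "https://a.example/users/alice" },
};
const genuine: Delivery = { ...forged, keyId: "https://a.example/users/alice#main-key" };
const processed: string[] = [];
const forgedVerdict = receive(forged, sampleKeys, (a) => processed.push(a.id));
const genuineVerdict = receive(genuine, sampleKeys, (a) => processed.push(a.id));
```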
INFO
Published Date: 2025-08-09T01:31:53.319Z
Last Modified: 2025-08-11T13:48:53.546Z
Source: GitHub_M
AFFECTED PRODUCTS
The following products are affected by the CVE-2025-54888 vulnerability.
Vendors | Products |
---|---|
Fedify Project | |