Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-g8kd-efd5-tudd
Vulnerability ID VCID-g8kd-efd5-tudd
Aliases CVE-2024-39687
GHSA-p9cg-vqcc-grcx
Summary Server Side Request Forgery (SSRF) attack in Fedify At present, when Fedify needs to retrieve an object or activity from a remote activitypub server, it makes a HTTP request to the `@id` or other resources present within the activity it has received from the web. This activity could reference an `@id` that points to an internal IP address, allowing an attacker to send request to resources internal to the fedify server's network. This applies to not just resolution of documents containing activities or objects, but also to media URLs as well. Specifically this is a [Server Side Request Forgery attack](https://owasp.org/www-community/attacks/Server_Side_Request_Forgery). You can learn more about SSRF attacks via [CWE-918](https://cwe.mitre.org/data/definitions/918.html)
Status Published
Exploitability 0.5
Weighted Severity 6.5
Risk 3.2
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-918 Server-Side Request Forgery (SSRF)
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.00078 https://api.first.org/data/v1/epss?cve=CVE-2024-39687
epss 0.00078 https://api.first.org/data/v1/epss?cve=CVE-2024-39687
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-p9cg-vqcc-grcx
cvssv3.1 7.2 https://github.com/dahlia/fedify
cvssv4 6.9 https://github.com/dahlia/fedify
generic_textual MODERATE https://github.com/dahlia/fedify
cvssv3.1 7.2 https://github.com/dahlia/fedify/commit/30f9cf4a175704a04c874f3ea88414c5f1e00b28
cvssv4 6.9 https://github.com/dahlia/fedify/commit/30f9cf4a175704a04c874f3ea88414c5f1e00b28
generic_textual MODERATE https://github.com/dahlia/fedify/commit/30f9cf4a175704a04c874f3ea88414c5f1e00b28
ssvc Track https://github.com/dahlia/fedify/commit/30f9cf4a175704a04c874f3ea88414c5f1e00b28
cvssv3.1 7.2 https://github.com/dahlia/fedify/commit/c641e976089dd913f649889c1bfb016df04e86ba
cvssv4 6.9 https://github.com/dahlia/fedify/commit/c641e976089dd913f649889c1bfb016df04e86ba
generic_textual MODERATE https://github.com/dahlia/fedify/commit/c641e976089dd913f649889c1bfb016df04e86ba
ssvc Track https://github.com/dahlia/fedify/commit/c641e976089dd913f649889c1bfb016df04e86ba
cvssv3.1 7.2 https://github.com/dahlia/fedify/releases/tag/0.11.1
cvssv4 6.9 https://github.com/dahlia/fedify/releases/tag/0.11.1
generic_textual MODERATE https://github.com/dahlia/fedify/releases/tag/0.11.1
cvssv3.1 7.2 https://github.com/dahlia/fedify/security/advisories/GHSA-p9cg-vqcc-grcx
cvssv3.1_qr MODERATE https://github.com/dahlia/fedify/security/advisories/GHSA-p9cg-vqcc-grcx
cvssv4 6.9 https://github.com/dahlia/fedify/security/advisories/GHSA-p9cg-vqcc-grcx
generic_textual MODERATE https://github.com/dahlia/fedify/security/advisories/GHSA-p9cg-vqcc-grcx
ssvc Track https://github.com/dahlia/fedify/security/advisories/GHSA-p9cg-vqcc-grcx
cvssv3.1 7.2 https://nvd.nist.gov/vuln/detail/CVE-2024-39687
cvssv4 6.9 https://nvd.nist.gov/vuln/detail/CVE-2024-39687
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2024-39687
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2024-39687
https://github.com/dahlia/fedify
https://github.com/dahlia/fedify/commit/30f9cf4a175704a04c874f3ea88414c5f1e00b28
https://github.com/dahlia/fedify/commit/c641e976089dd913f649889c1bfb016df04e86ba
https://github.com/dahlia/fedify/releases/tag/0.11.1
CVE-2024-39687 https://nvd.nist.gov/vuln/detail/CVE-2024-39687
GHSA-p9cg-vqcc-grcx https://github.com/advisories/GHSA-p9cg-vqcc-grcx
GHSA-p9cg-vqcc-grcx https://github.com/dahlia/fedify/security/advisories/GHSA-p9cg-vqcc-grcx
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L Found at https://github.com/dahlia/fedify
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:L/SI:N/SA:L Found at https://github.com/dahlia/fedify
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L Found at https://github.com/dahlia/fedify/commit/30f9cf4a175704a04c874f3ea88414c5f1e00b28
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:L/SI:N/SA:L Found at https://github.com/dahlia/fedify/commit/30f9cf4a175704a04c874f3ea88414c5f1e00b28
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-08T15:48:50Z/ Found at https://github.com/dahlia/fedify/commit/30f9cf4a175704a04c874f3ea88414c5f1e00b28
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L Found at https://github.com/dahlia/fedify/commit/c641e976089dd913f649889c1bfb016df04e86ba
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:L/SI:N/SA:L Found at https://github.com/dahlia/fedify/commit/c641e976089dd913f649889c1bfb016df04e86ba
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-08T15:48:50Z/ Found at https://github.com/dahlia/fedify/commit/c641e976089dd913f649889c1bfb016df04e86ba
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L Found at https://github.com/dahlia/fedify/releases/tag/0.11.1
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:L/SI:N/SA:L Found at https://github.com/dahlia/fedify/releases/tag/0.11.1
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L Found at https://github.com/dahlia/fedify/security/advisories/GHSA-p9cg-vqcc-grcx
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:L/SI:N/SA:L Found at https://github.com/dahlia/fedify/security/advisories/GHSA-p9cg-vqcc-grcx
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-08T15:48:50Z/ Found at https://github.com/dahlia/fedify/security/advisories/GHSA-p9cg-vqcc-grcx
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L Found at https://nvd.nist.gov/vuln/detail/CVE-2024-39687
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:L/SI:N/SA:L Found at https://nvd.nist.gov/vuln/detail/CVE-2024-39687
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.23349
EPSS Score 0.00078
Published At June 5, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-04T16:22:01.001471+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@fedify/fedify/CVE-2024-39687.yml 38.6.0