Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-jjm6-67ep-rfh2
Vulnerability ID VCID-jjm6-67ep-rfh2
Aliases CVE-2025-54888
GHSA-6jcc-xgcr-q3h4
Summary @fedify/fedify has Improper Authentication and Incorrect Authorization An authentication bypass vulnerability allows any unauthenticated attacker to impersonate any ActivityPub actor by sending forged activities signed with their own keys. Activities are processed before verifying the signing key belongs to the claimed actor, enabling complete actor impersonation across all Fedify instances
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (4)
CWE-287 Improper Authentication
CWE-863 Incorrect Authorization
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.00158 https://api.first.org/data/v1/epss?cve=CVE-2025-54888
epss 0.00158 https://api.first.org/data/v1/epss?cve=CVE-2025-54888
cvssv4 8.7 https://github.com/fedify-dev/fedify
generic_textual HIGH https://github.com/fedify-dev/fedify
cvssv4 8.7 https://github.com/fedify-dev/fedify/commit/14a2f8c6d2c3cbc00c3170a86ad3b7b8555c6847
generic_textual HIGH https://github.com/fedify-dev/fedify/commit/14a2f8c6d2c3cbc00c3170a86ad3b7b8555c6847
ssvc Track https://github.com/fedify-dev/fedify/commit/14a2f8c6d2c3cbc00c3170a86ad3b7b8555c6847
cvssv4 8.7 https://github.com/fedify-dev/fedify/security/advisories/GHSA-6jcc-xgcr-q3h4
generic_textual HIGH https://github.com/fedify-dev/fedify/security/advisories/GHSA-6jcc-xgcr-q3h4
ssvc Track https://github.com/fedify-dev/fedify/security/advisories/GHSA-6jcc-xgcr-q3h4
cvssv4 8.7 https://nvd.nist.gov/vuln/detail/CVE-2025-54888
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2025-54888
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2025-54888
https://github.com/fedify-dev/fedify
https://github.com/fedify-dev/fedify/commit/14a2f8c6d2c3cbc00c3170a86ad3b7b8555c6847
CVE-2025-54888 https://nvd.nist.gov/vuln/detail/CVE-2025-54888
GHSA-6jcc-xgcr-q3h4 https://github.com/advisories/GHSA-6jcc-xgcr-q3h4
GHSA-6jcc-xgcr-q3h4 https://github.com/fedify-dev/fedify/security/advisories/GHSA-6jcc-xgcr-q3h4
No exploits are available.
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N Found at https://github.com/fedify-dev/fedify
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N Found at https://github.com/fedify-dev/fedify/commit/14a2f8c6d2c3cbc00c3170a86ad3b7b8555c6847
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-08-11T13:48:34Z/ Found at https://github.com/fedify-dev/fedify/commit/14a2f8c6d2c3cbc00c3170a86ad3b7b8555c6847
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N Found at https://github.com/fedify-dev/fedify/security/advisories/GHSA-6jcc-xgcr-q3h4
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-08-11T13:48:34Z/ Found at https://github.com/fedify-dev/fedify/security/advisories/GHSA-6jcc-xgcr-q3h4
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N Found at https://nvd.nist.gov/vuln/detail/CVE-2025-54888
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.36462
EPSS Score 0.00158
Published At June 5, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-04T16:24:33.629763+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@fedify/fedify/CVE-2025-54888.yml 38.6.0