Byte Open Security (ByteOS Network)

CVE Vulnerability Details: CVE-2025-54888
State: PUBLISHED
Assigner: GitHub_M
Assigner Org ID: a0819718-46f1-4df5-94e2-005712e83aaa
Published At: 09 Aug, 2025 | 01:31
Updated At: 04 Feb, 2026 | 22:13
Rejected At: (none)
CVE Numbering Authority (CNA)
@fedify/fedify: Improper Authentication and Incorrect Authorization

Fedify is a TypeScript library for building federated server apps powered by ActivityPub. In versions below 1.3.20, 1.4.0-dev.585 through 1.4.12, 1.5.0-dev.636 through 1.5.4, 1.6.0-dev.754 through 1.6.7, 1.7.0-pr.251.885 through 1.7.8, and 1.8.0-dev.909 through 1.8.4, an authentication bypass vulnerability allows any unauthenticated attacker to impersonate any ActivityPub actor by sending forged activities signed with the attacker's own keys. Incoming activities are processed before Fedify verifies that the signing key actually belongs to the actor the activity claims to come from, which enables complete actor impersonation across all Fedify instances. This is fixed in versions 1.3.20, 1.4.13, 1.5.5, 1.6.8, 1.7.9, and 1.8.5.

Affected Products
Vendor: fedify-dev
Product: fedify
Affected versions:
  • < 1.3.20
  • >= 1.4.0-dev.585, < 1.4.13
  • >= 1.5.0-dev.636, < 1.5.5
  • >= 1.6.0-dev.754, < 1.6.8
  • >= 1.7.0-pr.251.885, < 1.7.9
  • >= 1.8.0-dev.909, < 1.8.5
Problem Types
  • CWE-287: Improper Authentication
  • CWE-863: Incorrect Authorization
Metrics
CVSS version: 4.0
Base score: 8.7
Base severity: HIGH
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
References
  • https://github.com/fedify-dev/fedify/security/advisories/GHSA-6jcc-xgcr-q3h4 (x_refsource_CONFIRM)
  • https://github.com/fedify-dev/fedify/commit/14a2f8c6d2c3cbc00c3170a86ad3b7b8555c6847 (x_refsource_MISC)
Authorized Data Publishers (ADP)
CISA ADP Vulnrichment: Details not found