CVE-2026-33693

Lemmy's Activitypub-Federation has SSRF via 0.0.0.0 bypass in activitypub-federation-rust v4_is_invalid()

Platform

rust

Component

activitypub-federation-rust

Fixed in

0.7.0-beta.9

Lemmy is a link aggregator and forum for the fediverse. Prior to version 0.7.0-beta.9, the `v4_is_invalid()` function in `activitypub-federation-rust` (`src/utils.rs`) does not check for `Ipv4Addr::UNSPECIFIED` (0.0.0.0). An unauthenticated attacker who controls a remote domain can have it resolve to 0.0.0.0, an address that the operating system delivers to the local host when a client connects to it, and so bypass the SSRF protection introduced by the fix for CVE-2025-25194 (GHSA-7723-35v7-qcxw) and reach services bound to localhost on the target server. Version 0.7.0-beta.9 patches the issue.
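The following Rust example is added here to illustrate the advisory; it is not code from activitypub-federation-rust or Lemmy. It models the check the advisory describes: a pre-fix `v4_is_invalid_vulnerable()` that omits the unspecified address, the corrected `v4_is_invalid_fixed()`, and a `check_remote_host()` guard that runs the check over every address a remote hostname resolves to. DNS is replaced by a constructed lookup table (`fake_resolve`) so it runs offline; the hostnames and addresses in it are made up, and the IPv6 helper `v6_is_invalid()` goes beyond the advisory, which concerns only the IPv4 path.

```rust
use std::collections::HashMap;
use std::net::{IpAddr, Ipv4Addr, Ipv6Addr};

/// Pre-fix check, modelled on the advisory's description (illustrative, not
/// the library's own code): rejects the usual non-routable IPv4 ranges but
/// forgets `Ipv4Addr::UNSPECIFIED` (0.0.0.0).
pub fn v4_is_invalid_vulnerable(addr: Ipv4Addr) -> bool {
    addr.is_private()
        || addr.is_loopback()
        || addr.is_link_local()
        || addr.is_broadcast()
        || addr.is_documentation()
        || addr.is_multicast()
}

/// Corrected check: everything above plus 0.0.0.0. A connect() to 0.0.0.0 is
/// delivered to the local host on Linux, macOS and Windows, so it has to be
/// treated exactly like 127.0.0.0/8.
pub fn v4_is_invalid_fixed(addr: Ipv4Addr) -> bool {
    v4_is_invalid_vulnerable(addr) || addr.is_unspecified()
}

/// IPv6 counterpart (beyond the advisory, which only concerns IPv4): rejects
/// `::`, `::1`, multicast, and any IPv4-mapped address (::ffff:a.b.c.d) whose
/// embedded IPv4 address the fixed check would reject.
pub fn v6_is_invalid(addr: Ipv6Addr) -> bool {
    if let Some(v4) = addr.to_ipv4_mapped() {
        return v4_is_invalid_fixed(v4);
    }
    addr.is_unspecified() || addr.is_loopback() || addr.is_multicast()
}

/// Dispatch on address family. `fixed` selects the pre- or post-fix IPv4
/// check so the two behaviours can be compared side by side.
pub fn ip_is_invalid(addr: IpAddr, fixed: bool) -> bool {
    match addr {
        IpAddr::V4(v4) => {
            if fixed { v4_is_invalid_fixed(v4) } else { v4_is_invalid_vulnerable(v4) }
        }
        IpAddr::V6(v6) => v6_is_invalid(v6),
    }
}

/// Constructed stand-in for DNS so the example runs offline. The hostnames
/// and the records they return are made up for this example.
pub fn fake_resolve(host: &str) -> Vec<IpAddr> {
    let table: HashMap<&str, Vec<IpAddr>> = HashMap::from([
        // an ordinary public instance (93.184.216.34 is a routable address)
        ("peer.example", vec![IpAddr::V4(Ipv4Addr::new(93, 184, 216, 34))]),
        // attacker-controlled domain pointed at the unspecified address
        ("attacker.example", vec![IpAddr::V4(Ipv4Addr::UNSPECIFIED)]),
        // classic loopback rebinding, caught by both versions of the check
        ("loopback.example", vec![IpAddr::V4(Ipv4Addr::LOCALHOST)]),
        // the IPv6 analogue of 0.0.0.0
        ("v6attacker.example", vec![IpAddr::V6(Ipv6Addr::UNSPECIFIED)]),
        // a public record plus a non-routable one: one bad address is enough to block
        ("mixed.example", vec![
            IpAddr::V4(Ipv4Addr::new(93, 184, 216, 34)),
            IpAddr::V4(Ipv4Addr::UNSPECIFIED),
        ]),
    ]);
    table.get(host).cloned().unwrap_or_default()
}

#[derive(Debug, PartialEq, Eq)]
pub enum Verdict {
    Allowed,
    Blocked(IpAddr),
    Unresolved,
}

/// The guard a federation client runs before fetching from a remote instance:
/// resolve the host and reject it if any resolved address fails the check.
/// A host with no addresses is reported rather than silently allowed.
pub fn check_remote_host(host: &str, fixed: bool) -> Verdict {
    let addrs = fake_resolve(host);
    if addrs.is_empty() {
        return Verdict::Unresolved;
    }
    for addr in addrs {
        if ip_is_invalid(addr, fixed) {
            return Verdict::Blocked(addr);
        }
    }
    Verdict::Allowed
}

fn main() {
    for host in ["peer.example", "attacker.example", "loopback.example", "v6attacker.example"] {
        println!(
            "{host}: pre-fix {:?}, fixed {:?}",
            check_remote_host(host, false),
            check_remote_host(host, true)
        );
    }
}
```

With the pre-fix check, `attacker.example` is allowed and the resulting request lands on the instance's own loopback services; with the fixed check it is blocked on 0.0.0.0. Whatever list of ranges the real check uses, it must be applied to the addresses the HTTP client actually connects to (including after redirects), since a check that resolves the name once and lets the client resolve it again can be defeated by DNS rebinding.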

How to fix

Update the `activitypub-federation-rust` library to version 0.7.0-beta.9 or later. That version closes the SSRF bypass by correctly treating the unspecified IPv4 address (0.0.0.0) as invalid in `v4_is_invalid()`.
