Release 1.0.14

fedify-dev · Jan 20, 2025 · fbfe4e1 · fbfe4e1
1 parent f196d84
commit fbfe4e1
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 2 deletions.
diff --git a/CHANGES.md b/CHANGES.md
@@ -6,9 +6,10 @@ Fedify changelog
 Version 1.0.14
 --------------
 
-To be released.
+Released on January 21, 2025.
 
  -  Fixed several security vulnerabilities of the `lookupWebFinger()` function.
+    [[CVE-2025-23221]]
 
      -  Fixed a security vulnerability where the `lookupWebFinger()` function
         had followed the infinite number of redirects, which could lead to
@@ -24,6 +25,8 @@ To be released.
         could lead to a SSRF attack.  Now it follows only the public network
         addresses.
 
+[CVE-2025-23221]: https://github.com/dahlia/fedify/security/advisories/GHSA-c59p-wq67-24wx
+
 
 Version 1.0.13
 --------------

diff --git a/src/runtime/url.ts b/src/runtime/url.ts
@@ -1,3 +1,4 @@
+import type { LookupAddress } from "node:dns";
 import { lookup } from "node:dns/promises";
 import { isIP } from "node:net";
 
@@ -38,7 +39,12 @@ export async function validatePublicUrl(url: string): Promise<void> {
   }
   // To prevent SSRF via DNS rebinding, we need to resolve all IP addresses
   // and ensure that they are all public:
-  const addresses = await lookup(hostname, { all: true });
+  let addresses: LookupAddress[];
+  try {
+    addresses = await lookup(hostname, { all: true });
+  } catch {
+    addresses = [];
+  }
   for (const { address, family } of addresses) {
     if (
       family === 4 && !isValidPublicIPv4Address(address) ||