
BotKit by Fedify :botkit:@botkit@hollo.social

:botkit: A framework for creating ActivityPub bots. Powered by :fedify: @fedify.

Website: https://botkit.fedify.dev/
GitHub: https://github.com/fedify-dev/botkit
JSR: https://jsr.io/@fedify/botkit
Joined: 2026-05-12 01:45:33. 3 notes, 0 following, 0 followers.

BotKit by Fedify :botkit:@botkit@hollo.social (2026-06-09 00:20:09) BotKit security updates: 0.3.4 and 0.4.3
If you use BotKit, update to a patched release now. CVE-2026-50131 affects Fedify's SSRF protection for remote document and media loading, and BotKit inherits the exposure through its dependency on Fedify.

Fedify validates remote ActivityPub document and media URLs before fetching them, including direct IP literals and hostnames resolved through DNS, to protect against Server-Side Request Forgery (SSRF). The vulnerable path is validatePublicUrl(): affected versions rejected common private and local addresses, but still treated several special-use IPv4 ranges—including carrier-grade NAT, benchmarking, multicast, reserved, and documentation networks—as public internet destinations. An attacker could use these special-use IP address ranges to bypass Fedify's SSRF protections and cause a BotKit server to initiate requests to non-public or special-use network destinations, depending on the deployment environment and network routing.

The fix makes Fedify validate resolved addresses against public-network expectations instead of relying on the incomplete denylist. It rejects additional special-use IPv4 ranges before remote document or media fetching proceeds.

All versions of BotKit up to 0.3.3 (in the 0.3.x branch) and 0.4.2 (in the 0.4.x branch) are affected. Patched releases are 0.3.4 and 0.4.3.

For BotKit 0.4.x, update @fedify/botkit:

    npm update @fedify/botkit
    yarn upgrade @fedify/botkit
    pnpm update @fedify/botkit
    bun update @fedify/botkit
    deno update @fedify/botkit

For BotKit 0.3.x, update @fedify/botkit:

    npm update @fedify/botkit@0.3.4
    yarn upgrade @fedify/botkit@0.3.4
    pnpm update @fedify/botkit@0.3.4
    bun update @fedify/botkit@0.3.4
    deno update @fedify/botkit@0.3.4

After updating, redeploy. The GitHub Security Advisory is GHSA-xw9q-2mv6-9fr8, and the CVE ID is CVE-2026-50131. See also fedify-dev/fedify#796 for Fedify's own announcement.

Thanks to Chaitanya Vilas Garware for the report and responsible

BotKit by Fedify :botkit:@botkit@hollo.social (2026-05-21 22:20:24) BotKit security updates: 0.3.3 and 0.4.2
If you use BotKit, update to a patched release now. CVE-2026-42462 affects Fedify's Linked Data Signature handling, and BotKit inherits the exposure through its dependency on Fedify.

The vulnerability allows an attacker to use JSON-LD graph-restructuring features—specifically @graph, @included, and @reverse—to reshape a signed ActivityPub activity without invalidating its Linked Data Signature. This can cause BotKit (via Fedify) to interpret a different ActivityPub object shape than was originally signed. The fix normalizes Linked Data Signature-verified activities against Fedify's local JSON-LD context before interpreting them, and rejects the JSON-LD constructs that enable the attack.

All versions of BotKit up to 0.3.2 (in the 0.3.x branch) and 0.4.1 (in the 0.4.x branch) are affected. Patched releases are 0.3.3 and 0.4.2.

For BotKit 0.4.x, update @fedify/botkit:

    npm update @fedify/botkit
    yarn upgrade @fedify/botkit
    pnpm update @fedify/botkit
    bun update @fedify/botkit
    deno update @fedify/botkit

For BotKit 0.3.x, update @fedify/botkit:

    npm update @fedify/botkit@0.3.3
    yarn upgrade @fedify/botkit@0.3.3
    pnpm update @fedify/botkit@0.3.3
    bun update @fedify/botkit@0.3.3
    deno update @fedify/botkit@0.3.3

If you use other BotKit-related packages (e.g., @fedify/botkit-postgres), update them as well. After updating, redeploy.

The CVE ID is CVE-2026-42462. See also fedify-dev/fedify#773 for Fedify's own announcement.

Thanks to @Claire for the report and responsible disclosure.

If anything is unclear, feel free to ask on GitHub Discussions or Matrix.
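Added example for the 0.3.3/0.4.2 post above; this is not BotKit's or Fedify's own code. It shows the "reject the constructs" half of the described fix as a pre-check that refuses any inbound document using @graph, @included or @reverse before the activity is interpreted. It assumes the raw parsed JSON is available before JSON-LD expansion, and it only catches the literal keywords; a document that aliases them through a custom @context still needs the normalisation against a trusted local context that the post describes.

```typescript
const FORBIDDEN = new Set(["@graph", "@included", "@reverse"]);
type Json = null | boolean | number | string | Json[] | { [key: string]: Json };
// Returns the path of the first forbidden keyword found anywhere in the document, or null.
function findForbiddenKeyword(doc: Json, path = ""): string | null {
  if (Array.isArray(doc)) {
    for (let i = 0; i < doc.length; i++) {
      const hit = findForbiddenKeyword(doc[i], `${path}/${i}`);
      if (hit !== null) return hit;
    }
    return null;
  }
  if (doc !== null && typeof doc === "object") {
    for (const [key, value] of Object.entries(doc)) {
      // The key is checked before recursing, so a @reverse inside a term
      // definition of an inline @context is caught as well.
      if (FORBIDDEN.has(key)) return `${path}/${key}`;
      const hit = findForbiddenKeyword(value, `${path}/${key}`);
      if (hit !== null) return hit;
    }
  }
  return null;
}
// Gate an inbound activity before it is handed to signature-verified interpretation.
function acceptActivity(doc: Json): { ok: boolean; reason?: string } {
  const hit = findForbiddenKeyword(doc);
  return hit === null ? { ok: true } : { ok: false, reason: `forbidden JSON-LD keyword at ${hit}` };
}
// Constructed samples (not real traffic): a plain Create activity, and the same
// content wrapped in @graph so that the node read as "the activity" is no longer
// the top-level node that was signed.
const benignActivity: Json = {
  "@context": "https://www.w3.org/ns/activitystreams",
  type: "Create",
  actor: "https://example.com/users/alice",
  object: { type: "Note", content: "hello" },
};
const restructuredActivity: Json = {
  "@context": "https://www.w3.org/ns/activitystreams",
  "@graph": [
    { type: "Create", actor: "https://example.com/users/alice", object: "https://example.com/notes/1" },
    { id: "https://example.com/notes/1", type: "Note", content: "hello" },
  ],
};
```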

BotKit by Fedify :botkit:@botkit@hollo.social (2026-05-12 00:49:48) BotKit security updates: 0.3.2 and 0.4.1
If you use BotKit, update to a patched release now. A private network protection bypass affects Fedify's remote document loading code, and it also affects BotKit which depends on Fedify.

The validatePublicUrl() function in Fedify, which ensures resources aren't fetched from private or loopback addresses, failed to correctly identify certain IPv6 literals. Specifically, URLs with private IPv4 addresses encoded as IPv4-mapped IPv6 literals (e.g., http://[::ffff:127.0.0.1]/) could bypass the check.

This vulnerability could allow an attacker to provide a malicious URL that bypasses security checks, potentially allowing them to make the bot fetch internal resources or interact with services on the private network that should not be accessible from the public internet.

All versions of BotKit up to 0.3.1 (in the 0.3.x branch) and 0.4.0 (in the 0.4.x branch) are affected. Patched releases are 0.3.2 and 0.4.1.

For BotKit 0.4.x, update @fedify/botkit:

    npm update @fedify/botkit
    yarn upgrade @fedify/botkit
    pnpm update @fedify/botkit
    bun update @fedify/botkit
    deno update @fedify/botkit

For BotKit 0.3.x, update @fedify/botkit:

    npm update @fedify/botkit@0.3.2
    yarn upgrade @fedify/botkit@0.3.2
    pnpm update @fedify/botkit@0.3.2
    bun update @fedify/botkit@0.3.2
    deno update @fedify/botkit@0.3.2

If you use other BotKit-related packages (e.g., @fedify/botkit-sqlite), update them as well. After updating, redeploy.

Thanks to Changkyun Kim (@me) for the report and responsible disclosure.

If anything is unclear, feel free to ask on GitHub Discussions or Matrix.
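Added example serving both validatePublicUrl() posts above (0.3.2/0.4.1 on IPv4-mapped IPv6 literals, and 0.3.4/0.4.3 on special-use IPv4 ranges); it is not Fedify's own validatePublicUrl(). It classifies a hostname exactly as URL.hostname returns it, using an allow-by-exception table of special-use IPv4 networks rather than a short denylist, and unwraps ::ffff: literals before checking them. It assumes DNS is done elsewhere: a non-literal hostname comes back as "needs-dns" and the caller must run every resolved address through classifyHost() before connecting.

```typescript
type Verdict = "public" | "blocked" | "needs-dns";
// Special-use IPv4 networks [network, prefix] never treated as public: private,
// loopback, link-local, CGNAT, benchmarking, documentation, multicast, reserved.
const NON_PUBLIC_V4: Array<[string, number]> = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.0.0.0", 24], ["192.0.2.0", 24],
  ["192.168.0.0", 16], ["198.18.0.0", 15], ["198.51.100.0", 24],
  ["203.0.113.0", 24], ["224.0.0.0", 4], ["240.0.0.0", 4],
];
// Dotted quad -> 32-bit unsigned integer, or null if not a valid IPv4 literal.
function parseV4(s: string): number | null {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (m === null) return null;
  let n = 0;
  for (let i = 1; i <= 4; i++) {
    const octet = Number(m[i]);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}
function inNetwork(addr: number, net: string, prefix: number): boolean {
  const mask = (0xffffffff << (32 - prefix)) >>> 0;
  return ((addr & mask) >>> 0) === ((parseV4(net)! & mask) >>> 0);
}
function classifyV4(addr: number): Verdict {
  return NON_PUBLIC_V4.some(([net, p]) => inNetwork(addr, net, p)) ? "blocked" : "public";
}
function classifyHost(hostname: string): Verdict {
  const host = hostname.toLowerCase();
  const v4 = parseV4(host);
  if (v4 !== null) return classifyV4(v4);
  if (!host.startsWith("[") || !host.endsWith("]")) return "needs-dns";
  const v6 = host.slice(1, -1);
  // IPv4-mapped literal: "::ffff:a.b.c.d" raw, or "::ffff:hhhh:hhhh" once URL-normalised.
  const mapped = /^::ffff:(.+)$/.exec(v6);
  if (mapped !== null) {
    const dotted = parseV4(mapped[1]);
    if (dotted !== null) return classifyV4(dotted);
    const hex = /^([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(mapped[1]);
    if (hex !== null) return classifyV4(parseInt(hex[1], 16) * 65536 + parseInt(hex[2], 16));
  }
  // Unspecified, loopback, unique-local (fc00::/7) and link-local (fe80::/10) literals.
  if (v6 === "::" || v6 === "::1" || /^f[cd]/.test(v6) || /^fe[89ab]/.test(v6)) return "blocked";
  return "public"; // simplification: other IPv6 literals are treated as public here
}
function checkUrl(url: string): Verdict {
  return classifyHost(new URL(url).hostname);
}
```

Checking URL.hostname rather than the raw string matters because the WHATWG URL parser normalises hex, octal and short-form IPv4 hosts to dotted decimal and rewrites an embedded IPv4 in an IPv6 literal into hex groups, which is why both ::ffff: spellings are handled.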