BotKit security updates: 0.3.2 and 0.4.1 #21
dahlia
announced in
Announcements
If you use BotKit, update to a patched release now. A private network protection bypass affects Fedify's remote document loading code, and it also affects BotKit which depends on Fedify.
The validatePublicUrl() function in Fedify, which ensures resources aren't fetched from private or loopback addresses, failed to correctly identify certain IPv6 literals. Specifically, URLs with private IPv4 addresses encoded as IPv4-mapped IPv6 literals (e.g., http://[::ffff:127.0.0.1]/) could bypass the check.

This vulnerability could allow an attacker to provide a malicious URL that bypasses security checks, potentially allowing them to make the bot fetch internal resources or interact with services on the private network that should not be accessible from the public internet.
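The check described above, as an added example that is not Fedify's or BotKit's own code: a URL host classifier that parses IPv6 literals into their sixteen-bit groups and, when the literal is IPv4-mapped (::ffff:a.b.c.d, or its hexadecimal form ::ffff:7f00:1, which the WHATWG URL parser produces for the dotted form), applies the IPv4 private-range rules to the embedded address instead of treating the host as a generic IPv6 address. The range lists and the function names are this example's own choices; the only API used is the global URL class.

```typescript
// Added example, not Fedify's or BotKit's own code: classify the host of a
// URL as public or private, normalising IPv4-mapped IPv6 literals first so
// that http://[::ffff:127.0.0.1]/ is treated the same as http://127.0.0.1/.
// Only the global WHATWG URL class is used (Node.js 10+, Deno, browsers).

// Parse a dotted-quad IPv4 address into an unsigned 32-bit number.
export function parseIPv4(text: string): number | null {
  const parts = text.split(".");
  if (parts.length !== 4) return null;
  let value = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    value = value * 256 + Number(p);
  }
  return value;
}

// Parse an IPv6 literal (without brackets) into eight 16-bit groups.
// Handles "::" compression and a trailing dotted quad ("::ffff:127.0.0.1").
export function parseIPv6(text: string): number[] | null {
  let s = text;
  const lastColon = s.lastIndexOf(":");
  const tail = s.slice(lastColon + 1);
  if (tail.includes(".")) {
    // Rewrite the embedded IPv4 address as its two hexadecimal groups.
    const v4 = parseIPv4(tail);
    if (v4 === null) return null;
    s = s.slice(0, lastColon + 1) +
      Math.floor(v4 / 65536).toString(16) + ":" + (v4 % 65536).toString(16);
  }
  const halves = s.split("::");
  if (halves.length > 2) return null;
  const toGroups = (part: string): number[] | null => {
    if (part === "") return [];
    const out: number[] = [];
    for (const g of part.split(":")) {
      if (!/^[0-9a-fA-F]{1,4}$/.test(g)) return null;
      out.push(parseInt(g, 16));
    }
    return out;
  };
  const head = toGroups(halves[0]);
  const rest = halves.length === 2 ? toGroups(halves[1]) : [];
  if (head === null || rest === null) return null;
  const missing = 8 - head.length - rest.length;
  if (halves.length === 2 ? missing < 1 : missing !== 0) return null;
  return [...head, ...new Array<number>(missing).fill(0), ...rest];
}

// Non-public IPv4 ranges: "this" network, RFC 1918, CGNAT, loopback, link-local.
const PRIVATE_IPV4: Array<[string, number]> = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16],
];

export function isPrivateIPv4(addr: number): boolean {
  return PRIVATE_IPV4.some(([base, bits]) => {
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    return ((addr & mask) >>> 0) === ((parseIPv4(base)! & mask) >>> 0);
  });
}

export function isPrivateIPv6(groups: number[]): boolean {
  const [g0, g1, g2, g3, g4, g5, g6, g7] = groups;
  const leadingZero = g0 === 0 && g1 === 0 && g2 === 0 && g3 === 0 && g4 === 0;
  // IPv4-mapped (::ffff:a.b.c.d): decide by the embedded IPv4 address.
  if (leadingZero && g5 === 0xffff) return isPrivateIPv4(g6 * 65536 + g7);
  // :: (unspecified) and ::1 (loopback).
  if (leadingZero && g5 === 0 && g6 === 0 && (g7 === 0 || g7 === 1)) return true;
  if ((g0 & 0xfe00) === 0xfc00) return true; // fc00::/7 unique local
  if ((g0 & 0xffc0) === 0xfe80) return true; // fe80::/10 link-local
  return false;
}

function tryParseUrl(input: string): URL | null {
  try { return new URL(input); } catch { return null; }
}

// True only when the URL uses http(s) and its host is either a literal
// address outside the ranges above or a DNS name other than localhost.
// A real fetcher must still resolve DNS names and re-check the resolved
// address, and repeat the check on the target of every redirect.
export function isPublicUrl(input: string): boolean {
  const url = tryParseUrl(input);
  if (url === null) return false;
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  const host = url.hostname; // the URL parser already canonicalises IP literals
  if (host.startsWith("[") && host.endsWith("]")) {
    const groups = parseIPv6(host.slice(1, -1));
    return groups !== null && !isPrivateIPv6(groups);
  }
  const v4 = parseIPv4(host);
  if (v4 !== null) return !isPrivateIPv4(v4);
  return host !== "localhost" && !host.endsWith(".localhost");
}
```

The decisive step is the conversion of the mapped literal into its embedded IPv4 address before any range comparison; a check that only matches IPv6 prefixes, or only the dotted form of the mapped literal, lets the hexadecimal form through. Classifying literals is one half of the job: hostnames must be resolved and the resulting addresses run through the same functions, and every redirect target must be checked again before it is fetched.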
All versions of BotKit up to 0.3.1 (in the 0.3.x branch) and 0.4.0 (in the 0.4.x branch) are affected. Patched releases are 0.3.2 and 0.4.1.
For BotKit 0.4.x, update @fedify/botkit to 0.4.1.

For BotKit 0.3.x, update @fedify/botkit to 0.3.2.
If you use other BotKit-related packages (e.g., @fedify/botkit-sqlite), update them as well. After updating, redeploy.

Thanks to @comfuture for the report and responsible disclosure.
If anything is unclear, feel free to ask on GitHub Discussions or Matrix.