CVE-2026-33693: SSRF via 0.0.0.0 Bypass in activitypub-federation-rust v4_is_invalid() (CVSS 6.5 Moderate)
Keywords: SSRF, 0.0.0.0, IP validation bypass, activitypub-federation, Lemmy, Rust, ActivityPub
- Overview
- Vulnerability Details
- Technical Analysis
- Attack Chain
- Impact
- Remediation
- CVSS v3.1 Metrics
- Timeline
- References
- Contact
- Disclaimer
A Server-Side Request Forgery (SSRF) vulnerability exists in the activitypub-federation-rust library (used by Lemmy and 6+ downstream projects) due to an incomplete IP address validation check in the v4_is_invalid() function. The function fails to call is_unspecified(), allowing an attacker to bypass SSRF protections by targeting 0.0.0.0 — which maps to localhost on most systems.
- Package: activitypub_federation (Rust/cargo)
- Affected Versions: <= 0.7.1
- Fixed In: PR #162
The v4_is_invalid() function in src/utils.rs validates IPv4 addresses to block internal network access. It checks for loopback (127.0.0.0/8), private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), link-local (169.254.0.0/16), and broadcast (255.255.255.255), but does not check for the unspecified address 0.0.0.0.
On Linux and most other Unix-like systems, connecting a socket to 0.0.0.0 is treated as connecting to the local host, so a request to 0.0.0.0 reaches the same services as a request to 127.0.0.1.
Secondary Finding: A DNS rebinding (TOCTOU) weakness also exists in the fetch path. lookup_host() resolves the target hostname and the resulting IP is validated, but the request is then issued by hostname through reqwest, which performs its own, second DNS resolution. An attacker who controls the authoritative DNS for the hostname can answer the first lookup with a public IP (passing validation) and the second with an internal IP such as 127.0.0.1, so the address that was validated is not the address that is actually connected to.
Vulnerable check in src/utils.rs (<= 0.7.1):

```rust
use std::net::Ipv4Addr;

fn v4_is_invalid(ip: &Ipv4Addr) -> bool {
    ip.is_loopback()
        || ip.is_private()
        || ip.is_link_local()
        || ip.is_broadcast()
    // MISSING: || ip.is_unspecified()   <- 0.0.0.0 not blocked
}
```

Fixed check (PR #162):

```rust
use std::net::Ipv4Addr;

fn v4_is_invalid(ip: &Ipv4Addr) -> bool {
    ip.is_loopback()
        || ip.is_private()
        || ip.is_link_local()
        || ip.is_broadcast()
        || ip.is_unspecified() // <- now blocks 0.0.0.0
}
```

```
+---------------------------------------------------+
|              SSRF via 0.0.0.0 Bypass              |
+---------------------------------------------------+
|                                                   |
|  1. Attacker hosts ActivityPub object with        |
|     URL pointing to http://0.0.0.0:<port>/path    |
|                                                   |
|  2. Lemmy instance fetches the object via         |
|     activitypub-federation-rust                   |
|                                                   |
|  3. v4_is_invalid() checks IP address:            |
|       x is_loopback()     -> false (not 127.x)    |
|       x is_private()      -> false (not RFC1918)  |
|       x is_link_local()   -> false (not 169.254.x)|
|       x is_broadcast()    -> false (not 255.x)    |
|       x is_unspecified()  -> NOT CHECKED          |
|     Result: 0.0.0.0 PASSES validation             |
|                                                   |
|  4. Request sent to 0.0.0.0 -> treated as         |
|     localhost -> accesses internal services       |
|                                                   |
|  5. Internal service data returned to attacker    |
|     via ActivityPub federation response           |
|                                                   |
+---------------------------------------------------+
```
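The primary 0.0.0.0 bypass and the secondary DNS-rebinding finding, carried through as an added Rust example. This is not code from activitypub-federation-rust, Lemmy, or the advisory author: `ScriptedResolver` is a hypothetical stand-in for an attacker-controlled DNS server, and `fetch_revalidating` / `fetch_pinned` are hypothetical stand-ins for the library's fetch path. The hardened validator goes beyond the PR #162 fix as general SSRF hardening (IPv6 ranges, IPv4-mapped IPv6 unwrapping, 0.0.0.0/8 and 100.64.0.0/10); those extra rules are not claims about the library. The DNS answers are constructed sample data.

```rust
use std::collections::VecDeque;
use std::net::{IpAddr, Ipv4Addr, Ipv6Addr};

// The v4 check as described for activitypub_federation <= 0.7.1: no is_unspecified(),
// so 0.0.0.0 passes. Kept only to contrast with the hardened version below.
fn v4_is_invalid_vulnerable(ip: &Ipv4Addr) -> bool {
    ip.is_loopback() || ip.is_private() || ip.is_link_local() || ip.is_broadcast()
}

// Hardened IPv4 check: adds is_unspecified() (the PR #162 fix) and, going beyond that
// fix as general hardening (assumption, not the library's rules), also rejects all of
// 0.0.0.0/8 and the 100.64.0.0/10 shared address space.
fn v4_is_invalid(ip: &Ipv4Addr) -> bool {
    let o = ip.octets();
    ip.is_unspecified()
        || o[0] == 0                            // 0.0.0.0/8 "this network"
        || ip.is_loopback()                     // 127.0.0.0/8
        || ip.is_private()                      // RFC 1918
        || ip.is_link_local()                   // 169.254.0.0/16, incl. metadata endpoints
        || ip.is_broadcast()                    // 255.255.255.255
        || (o[0] == 100 && (o[1] & 0xc0) == 64) // 100.64.0.0/10 CGNAT
}

// IPv6 counterpart, written with segments() so it builds on older stable toolchains
// (Ipv6Addr::is_unique_local / is_unicast_link_local were stabilized only recently).
fn v6_is_invalid(ip: &Ipv6Addr) -> bool {
    let s = ip.segments();
    ip.is_unspecified()                 // ::
        || ip.is_loopback()             // ::1
        || ip.is_multicast()            // ff00::/8
        || (s[0] & 0xfe00) == 0xfc00    // fc00::/7 unique local
        || (s[0] & 0xffc0) == 0xfe80    // fe80::/10 link local
}

// Entry point for any address. IPv4-mapped IPv6 (::ffff:a.b.c.d) is unwrapped first so
// that ::ffff:0.0.0.0 or ::ffff:127.0.0.1 cannot smuggle an IPv4 target past the v4 rules.
fn ip_is_invalid(ip: IpAddr) -> bool {
    match ip {
        IpAddr::V4(v4) => v4_is_invalid(&v4),
        IpAddr::V6(v6) => match v6.to_ipv4_mapped() {
            Some(v4) => v4_is_invalid(&v4),
            None => v6_is_invalid(&v6),
        },
    }
}

// Hypothetical resolver answering a scripted list of A records; it stands in for the
// attacker's DNS server in a rebinding attack (public answer first, internal answer second).
struct ScriptedResolver {
    answers: VecDeque<IpAddr>,
}

impl ScriptedResolver {
    fn lookup(&mut self, _host: &str) -> Option<IpAddr> {
        self.answers.pop_front()
    }
}

// Vulnerable pattern from the secondary finding: resolve once to validate, then hand the
// hostname to the HTTP client, which resolves again. Returns the address actually dialed.
fn fetch_revalidating(dns: &mut ScriptedResolver, host: &str) -> Result<IpAddr, String> {
    let checked = dns.lookup(host).ok_or("no answer")?;
    if ip_is_invalid(checked) {
        return Err(format!("blocked {checked}"));
    }
    dns.lookup(host).ok_or_else(|| "no answer".to_string()) // second lookup: TOCTOU window
}

// Fixed pattern: resolve once, validate, and connect to that exact address (with reqwest,
// pin it via ClientBuilder::resolve(host, SocketAddr) instead of passing the hostname).
fn fetch_pinned(dns: &mut ScriptedResolver, host: &str) -> Result<IpAddr, String> {
    let checked = dns.lookup(host).ok_or("no answer")?;
    if ip_is_invalid(checked) {
        return Err(format!("blocked {checked}"));
    }
    Ok(checked)
}

fn main() {
    let zero = Ipv4Addr::new(0, 0, 0, 0);
    println!("0.0.0.0 blocked by the <= 0.7.1 check: {}", v4_is_invalid_vulnerable(&zero));
    for s in ["0.0.0.0", "::ffff:0.0.0.0", "169.254.169.254", "::", "8.8.8.8"] {
        let ip: IpAddr = s.parse().unwrap();
        println!("{s:>16}  blocked={}", ip_is_invalid(ip));
    }
    // Constructed rebinding script: a TEST-NET-3 public answer first, loopback second.
    let script = || {
        let public: IpAddr = "203.0.113.10".parse().unwrap();
        let internal: IpAddr = "127.0.0.1".parse().unwrap();
        VecDeque::from(vec![public, internal])
    };
    let mut dns = ScriptedResolver { answers: script() };
    println!("revalidating fetch dials: {:?}", fetch_revalidating(&mut dns, "evil.example"));
    let mut dns = ScriptedResolver { answers: script() };
    println!("pinned fetch dials:       {:?}", fetch_pinned(&mut dns, "evil.example"));
}
```

Compile with plain `rustc`; it needs no crates. The revalidating variant ends up dialing 127.0.0.1 even though the address it validated was public, while the pinned variant dials the validated address or nothing. In a real client the pinned `SocketAddr` must be the one the TCP connection is opened to; validating and then letting the HTTP library resolve the hostname again reopens the window.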
Downstream Exposure: The activitypub-federation-rust crate is used by 6+ projects in the Fediverse ecosystem:
| Project | Stars | Description |
|---|---|---|
| Lemmy | 13.7K+ | Link aggregator for the Fediverse |
| hatsu | -- | ActivityPub bridge |
| gill | -- | Git hosting with federation |
| ties | -- | Social networking |
| fediscus | -- | Federated discussions |
| fediverse-axum | -- | ActivityPub framework |
An attacker can:
- Access internal services (databases, admin panels, cloud metadata endpoints)
- Scan internal ports on the Lemmy/federation server
- Exfiltrate cloud credentials via metadata APIs
- Upgrade activitypub-federation to a version containing the fix from PR #162
- Lemmy users: Apply the backport from lemmy#6411
| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity | Low |
| Availability | None |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
| Score | 6.5 (Moderate) |
| Date | Event |
|---|---|
| 2026-03-11 | Vulnerability reported via GitHub PVRT |
| 2026-03-13 | Maintainer confirmed the finding |
| 2026-03-13 | Fix PR #162 submitted |
| 2026-03-13 | Advisory accidentally closed |
| 2026-03-16 | Advisory reopened |
| 2026-03-23 | CVE-2026-33693 assigned and advisory published |
- GHSA-q537-8fr5-cw35
- CVE-2026-33693
- Fix PR #162
- Lemmy Backport PR #6411
- CWE-918: Server-Side Request Forgery
- Website: snailsploit.com
- GitHub: @SnailSploit
- LinkedIn: /in/kaiaizen
This repository is published for educational and defensive purposes as part of responsible vulnerability disclosure. The vulnerability was reported through GitHub's Private Vulnerability Reporting (PVRT) process. No exploitation was performed against production systems. All testing was conducted in isolated environments.