Christopher Lemmer Webber @cwebber@octodon.social

@joeyh posted about two security vulnerabilities he uncovered: joeyh.name/blog/entry/two_secu

Notably the ActivityPub appendix warns about these kinds of security vulnerabilities: don't fetch from URI schemes you don't know (be sure your HTTP lib doesn't accept file://) and don't fetch from localhost (though sadly it's hard not to do this one... "localhost-only" is mostly doomed).

But Joey's post also points out that even if you filter out the scheme and localhost yourself, redirects may bite you.

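The three points in the post, as an added example in Python (this is not code from Joey's post, the ActivityPub appendix, or any existing implementation): only http/https is fetched, hosts that are or resolve to loopback, link-local or other non-public addresses are refused, and redirects are followed by hand so that the same checks run again on every hop. The function names `check_url`, `safe_fetch` and `urllib_fetch`, and the `demo_resolver`/`demo_fetcher` stand-ins that let it run offline, are assumptions of this example; the real-network path uses `urllib` with automatic redirects disabled.

```python
"""SSRF-style guards for server-to-server fetches such as ActivityPub object lookups.
Added example, not code from Joey's post, the ActivityPub spec or any implementation:
(1) allow only http/https, (2) refuse loopback/link-local/private hosts however they
are spelled, (3) follow redirects by hand and re-run (1) and (2) on every hop."""
import ipaddress
import socket
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

ALLOWED_SCHEMES = {"http", "https"}
REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_REDIRECTS = 5


def is_blocked_address(ip):
    """True for addresses a server-side fetcher should never connect to."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is still 127.0.0.1
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_unspecified or ip.is_multicast or ip.is_reserved)


def resolve_host(host):
    """Real DNS lookup; wrapped so tests can inject a fake resolver and run offline."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_url(url, resolver=resolve_host):
    """Return None if url may be fetched, otherwise the reason it was refused."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return f"scheme not allowed: {parts.scheme!r}"
    host = parts.hostname  # lower-cased, IPv6 brackets and userinfo stripped
    if not host:
        return "missing host"
    if host == "localhost" or host.endswith(".localhost"):
        return "localhost is not allowed"
    try:
        addresses = [ipaddress.ip_address(host)]  # literal IP in the URL
    except ValueError:
        try:
            addresses = [ipaddress.ip_address(a) for a in resolver(host)]
        except (socket.gaierror, ValueError) as exc:
            return f"could not resolve {host!r}: {exc}"
    if not addresses:
        return f"no addresses for {host!r}"
    for ip in addresses:
        if is_blocked_address(ip):
            return f"{host!r} resolves to blocked address {ip}"
    return None


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib surface 3xx responses instead of silently following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def urllib_fetch(url, timeout=10):
    """One HTTP request with no automatic redirects -> (status, headers, body)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as exc:  # 3xx (no auto-follow) and 4xx/5xx land here
        return exc.code, dict(exc.headers), b""


def safe_fetch(url, fetcher=urllib_fetch, resolver=resolve_host, max_redirects=MAX_REDIRECTS):
    """Fetch url, re-checking every redirect target. Returns (status, body, chain)."""
    chain = []
    for _ in range(max_redirects + 1):
        reason = check_url(url, resolver)
        if reason is not None:
            raise ValueError(f"refusing {url}: {reason}")
        chain.append(url)
        status, headers, body = fetcher(url)
        if status not in REDIRECT_CODES:
            return status, body, chain
        location = next((v for k, v in headers.items() if k.lower() == "location"), None)
        if not location:
            raise ValueError(f"{status} without Location from {url}")
        url = urljoin(url, location)  # Location may be relative; resolve before re-checking
    raise ValueError("too many redirects: " + " -> ".join(chain))


# Constructed stand-ins for DNS and the remote server so the example runs offline.
def demo_resolver(host):
    return {"remote.example": ["1.2.3.4"]}.get(host, [])  # constructed public address


def demo_fetcher(url):
    """Constructed remote server: one clean object, then redirects to loopback and to file://."""
    responses = {
        "https://remote.example/actor": (200, {"Content-Type": "application/activity+json"},
                                         b'{"type": "Person"}'),
        "https://remote.example/hop": (302, {"Location": "http://127.0.0.1:8080/admin"}, b""),
        "https://remote.example/file": (302, {"Location": "file:///etc/passwd"}, b""),
    }
    return responses.get(url, (404, {}, b""))


def run_demo():
    """Fetch the three constructed URLs -> {path: ("ok", status, hops) | ("refused", why)}."""
    results = {}
    for path in ("actor", "hop", "file"):
        try:
            status, _body, chain = safe_fetch(f"https://remote.example/{path}", demo_fetcher, demo_resolver)
            results[path] = ("ok", status, len(chain))
        except ValueError as exc:
            results[path] = ("refused", str(exc))
    return results
```

`run_demo()` returns the clean `/actor` fetch as `("ok", 200, 1)` and refuses both redirected URLs before any request goes to the redirect target. One caveat a practitioner should keep in mind: `check_url` resolves the hostname once and `urllib` resolves it again when it connects, so a name whose DNS answer changes between the two lookups can pass the check and still reach a loopback address. Closing that gap means connecting to the address you checked (and sending the intended Host/SNI yourself) rather than letting the HTTP library resolve the name a second time.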