@joeyh If you're an ActivityPub implementor, you should *make sure your software is not vulnerable to these kinds of attacks*. The redirect one is especially tricky.
@joeyh once again the ocap people are right that "perimeter security is eggshell security"
(This is also why CORS is a failed security model)
@cwebber localhost only is not good enough, and the full IP blacklist is quite hard (especially considering IPv6, 4-in-6, etc.).
Remember the guy who made his garage door respond to GET requests...
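Added example, not part of the thread above and not code from any ActivityPub project: a small SSRF-resistant fetcher in Python showing the two points the replies make, that every redirect target has to be re-validated, and that a "localhost only" check misses IPv4-mapped and 6to4 literals, private ranges, link-local addresses and DNS answers that mix public and internal addresses. The function names (`safe_fetch`, `check_url`, `is_public`), the host names, IP addresses and HTTP responses are all constructed fixtures so the block runs offline.

```python
"""SSRF-resistant fetching for a federated client (added example, constructed fixtures)."""
import ipaddress
import socket
from urllib.parse import urljoin, urlparse

MAX_REDIRECTS = 5


class UnsafeURL(Exception):
    """A URL, or something it resolves or redirects to, targets a non-public address."""


def unwrap_transition(ip):
    """Return the IPv4 address embedded in 4-in-6 forms, else the address unchanged.

    ::ffff:a.b.c.d (IPv4-mapped) and 2002:xxxx::/16 (6to4) both carry an IPv4 address;
    that embedded address is what the connection actually reaches, so it is what we check.
    """
    if isinstance(ip, ipaddress.IPv6Address):
        for embedded in (ip.ipv4_mapped, ip.sixtofour):
            if embedded is not None:
                return embedded
    return ip


def is_public(addr):
    """True only if the address (string or ip_address object) routes to the public internet."""
    ip = ipaddress.ip_address(addr) if isinstance(addr, str) else addr
    ip = unwrap_transition(ip)
    blocked = (ip.is_private or ip.is_loopback or ip.is_link_local
               or ip.is_multicast or ip.is_reserved or ip.is_unspecified)
    return not blocked


def resolve_all(host):
    """Default resolver: every A/AAAA answer for host (tests inject their own)."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return [ipaddress.ip_address(info[4][0]) for info in infos]


def check_url(url, resolver=resolve_all):
    """Validate scheme and host, resolve, and return the vetted IP to connect to.

    IP literals are checked directly; a hostname must resolve to *only* public
    addresses, otherwise one internal answer in a mixed set reaches an internal service.
    """
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise UnsafeURL(f"unsupported or hostless URL: {url}")
    host = parts.hostname  # urlparse strips the [] from IPv6 literals
    try:
        addrs = [ipaddress.ip_address(host)]
    except ValueError:
        addrs = resolver(host)
    if not addrs:
        raise UnsafeURL(f"{host} did not resolve")
    for addr in addrs:
        if not is_public(addr):
            raise UnsafeURL(f"{url} resolves to non-public address {addr}")
    return addrs[0]


def safe_fetch(url, transport, resolver=resolve_all, max_redirects=MAX_REDIRECTS):
    """Fetch url, validating every redirect target exactly like the initial URL.

    transport(url, ip) is any HTTP function that connects to the pinned ip (so the
    address we checked is the one used) and returns (status, headers, body).
    """
    visited = []
    for _ in range(max_redirects + 1):
        ip = check_url(url, resolver)
        visited.append(url)
        status, headers, body = transport(url, ip)
        if status in (301, 302, 303, 307, 308):
            location = headers.get("Location")
            if location is None:
                raise UnsafeURL(f"redirect without Location from {url}")
            url = urljoin(url, location)  # relative Location is still re-checked next loop
            continue
        return status, body, visited
    raise UnsafeURL(f"too many redirects starting at {visited[0]}")


# Constructed fixtures: fake DNS and fake HTTP, no network access. The public
# addresses are stand-ins; Python treats the RFC 5737 documentation ranges as private.
FAKE_DNS = {
    "remote.example": [ipaddress.ip_address("93.184.216.34")],
    # One public and one internal answer: the whole set must be rejected.
    "rebind.example": [ipaddress.ip_address("93.184.216.35"), ipaddress.ip_address("10.0.0.5")],
}
FAKE_HTTP = {
    "https://remote.example/actor": (200, {}, b'{"type":"Person"}'),
    "https://remote.example/moved": (301, {"Location": "/actor"}, b""),
    # Public host whose response redirects into the fetching server's own loopback.
    "https://remote.example/inbox": (302, {"Location": "http://127.0.0.1:8080/admin"}, b""),
    # Redirect to an IPv4-mapped literal hiding the link-local metadata address.
    "https://remote.example/avatar": (302, {"Location": "http://[::ffff:169.254.169.254]/latest/meta-data/"}, b""),
}


def fake_resolver(host):
    return FAKE_DNS.get(host, [])


def fake_transport(url, ip):
    return FAKE_HTTP[url]


def demo():
    """Run the fixtures through safe_fetch; returns a dict of outcomes per case."""
    results = {}
    cases = {p: f"https://remote.example/{p}" for p in ("actor", "moved", "inbox", "avatar")}
    cases["rebind"] = "https://rebind.example/actor"
    for name, url in cases.items():
        try:
            status, body, chain = safe_fetch(url, fake_transport, fake_resolver)
            results[name] = ("ok", status, len(chain))
        except UnsafeURL as e:
            results[name] = ("blocked", str(e))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The pinning matters as much as the check: the transport has to open the socket to the address `check_url` returned (setting the Host header and TLS SNI from the URL separately), because a second lookup at connect time reopens the rebinding window the check was meant to close.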