diff --git a/packages/backend/src/remote/activitypub/request.ts b/packages/backend/src/remote/activitypub/request.ts
index 6e2a0a815..4904357d3 100644
--- a/packages/backend/src/remote/activitypub/request.ts
+++ b/packages/backend/src/remote/activitypub/request.ts
@@ -118,7 +118,12 @@ export async function signedGet(_url: string, user: { id: User['id'] }): Promise
 if (res.status >= 300 && res.status < 400) {
 // Have been redirected, need to make a new signature.
 // Use Location header and fetched URL as the base URL.
-url = new URL(res.headers.get('Location'), url).href;
+let newUrl = new URL(res.headers.get('Location'), url);
+// Check that we have not been redirected to a different host.
+if (newUrl.host !== new URL(url).host) {
+throw new Error('cross-origin redirect not allowed');
+}
+url = newUrl.href;
 } else {
 if (!isActivitypub(res.headers.get('Content-Type'))) {
 throw new Error('invalid response content type');
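Review bot: The new redirect guard compares only `host`, so a same-host redirect that changes the scheme (for example `https:` to `http:`) still passes even though the error message says cross-origin, and for a signed request a protocol downgrade is worth rejecting as well. Comparing origins matches the message and covers scheme and port in one check: `if (newUrl.origin !== new URL(url).origin) {`. `newUrl` is never reassigned, so `const newUrl` reads better than `let`. The `Location` header can also be absent — `res.headers.get('Location')` is `string | null` — and a missing header is better rejected explicitly before constructing the URL than resolved as a relative path; this predates the change, since the removed line had the same gap. signedGet's body begins and ends outside the hunk, so I cannot see whether this sits in a bounded redirect loop.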