
vulnersOsv
added 2026/04/07 6:4 p.m.

@fedify/botkit (>=0.4.0-dev.184 <=0.4.0-dev.185), @fedify/botkit-sqlite (>=0.4.0-dev.184 <=0.4.0-dev.185) +1 more potentially affected by CVE-2026-34148 via @fedify/fedify (=2.1.0)

@fedify/fedify NPM version =2.1.0 is affected by a known vulnerability. The following packages have a transitive dependency on @fedify/fedify and may be impacted:
- @fedify/botkit =0.4.0-dev.184, =0.4.0-dev.184, =0.4.0-dev.185
- @fedify/cli =2.1.0
Source cves: CVE-2026-34148
Source advisory: ...

CVSS 7.5 | AI score 5.8 | EPSS 0.00086
Exploits: 1
vulnersOsv
added 2026/04/07 6:4 p.m.

@de-otio/trellis (>=0.4.0 <=0.7.1), @fedify/amqp (>=0.1.0 <=0.2.0-dev.12) +6 more potentially affected by CVE-2026-34148 via @fedify/fedify (>=1.10.0 <=1.9.2)

@fedify/fedify NPM version =1.10.0, =0.4.0, =0.1.0, =0.3.0, =0.3.0, =0.1.0, =0.2.0, =0.0.1, =0.1.0, =1.1.20
Source cves: CVE-2026-34148
Source advisory: SNYK:JS-FEDIFYFEDIFY-15928876...

CVSS 7.5 | AI score 5.8 | EPSS 0.00086
Exploits: 1
Snyk
added 2026/04/07 6:4 p.m.

Allocation of Resources Without Limits or Throttling

Overview: @fedify/fedify is an ActivityPub server framework. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the recursive handling of HTTP redirects in the remote and authenticated document loader. An attacker can exhaust server...

CVSS 8.7 | AI score 5.8 | EPSS 0.00086
Exploits: 1 | References: 2
RedhatCVE
added 2025/12/23 9:34 p.m.

CVE-2025-68475

Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to versions 1.6.13, 1.7.14, 1.8.15, and 1.9.2, a Regular Expression Denial of Service (ReDoS) vulnerability exists in Fedify's document loader. The HTML parsing regex at...

CVSS 7.5 | AI score 6.8 | EPSS 0.0044
Exploits: 1 | References: 1
vulnersOsv
added 2025/12/22 9:36 p.m.

@de-otio/trellis (>=0.4.0 <=0.7.1), @fedify/amqp (>=0.1.0 <=0.2.0-dev.12) +6 more potentially affected by CVE-2025-68475 via @fedify/fedify (>=1.10.0 <=1.5.0)

@fedify/fedify NPM version =1.10.0, =0.4.0, =0.1.0, =0.3.0, =0.3.0, =0.1.0, =0.2.0, =0.0.1, =0.1.0, =1.1.20
Source cves: CVE-2025-68475
Source advisory: SNYK:JS-FEDIFYFEDIFY-14552161...

CVSS 7.5 | AI score 5.8 | EPSS 0.0044
Exploits: 1
vulnersOsv
added 2025/12/22 9:36 p.m.

@de-otio/trellis (>=0.4.0 <=0.7.1), @fedify/amqp (>=0.1.0 <=0.2.0-dev.12) +6 more potentially affected by CVE-2025-68475 via @fedify/fedify (>=0.10.2 <=1.5.0)

@fedify/fedify NPM version =0.10.2, =0.4.0, =0.1.0, =0.3.0, =0.3.0, =0.1.0, =0.1.0, =0.0.1, =0.1.0, =1.1.20
Source cves: CVE-2025-68475
Source advisory: OSV:GHSA-RCHF-XWX2-HM93...

CVSS 7.5 | AI score 5.8 | EPSS 0.0044
Exploits: 1
vulnersOsv
added 2025/08/09 1:46 a.m.

@fedify/amqp (=0.2.0-dev.12), @fedify/postgres (>=0.3.0 <=0.3.0-dev.22) +1 more potentially affected by CVE-2025-54888 via @fedify/fedify (>=1.5.0-dev.732 <=1.5.0)

@fedify/fedify NPM version =1.5.0-dev.732, =0.3.0, =0.4.0, =0.4.0-dev.19
Source cves: CVE-2025-54888
Source advisory: SNYK:JS-FEDIFYFEDIFY-11735306...

CVSS 8.7 | AI score 5.8 | EPSS 0.00095
Exploits: 0
Snyk
added 2025/08/09 1:46 a.m.

Improper Authentication

Overview: @fedify/fedify is an ActivityPub server framework. Affected versions of this package are vulnerable to Improper Authentication via the handleInboxInternal function in the federation/handler.ts file. An attacker can impersonate any actor across all instances by sending forged activities...

CVSS 8.7 | AI score 6.9 | EPSS 0.00095
Exploits: 0 | References: 2
vulnersOsv
added 2025/08/08 2:29 p.m.

@fedify/amqp (=0.2.0-dev.12), @fedify/postgres (>=0.3.0 <=0.3.0-dev.22) +1 more potentially affected by CVE-2025-54888 via @fedify/fedify (>=1.5.0-dev.732 <=1.5.0)

@fedify/fedify NPM version =1.5.0-dev.732, =0.3.0, =0.4.0, =0.4.0-dev.19
Source cves: CVE-2025-54888
Source advisory: OSV:GHSA-6JCC-XGCR-Q3H4...

CVSS 8.7 | AI score 5.8 | EPSS 0.00095
Exploits: 0
Veracode
added 2025/01/28 4:20 a.m.

Server-Side Request Forgery (SSRF)

Fedify is vulnerable to Server-Side Request Forgery (SSRF). The vulnerability is due to improper validation of the Webfinger mechanism, allowing attackers to perform GET requests to internal resources, cause denial of service via infinite loops, or execute blind SSRF attacks...

CVSS 5.4 | AI score 7 | EPSS 0.00111
Exploits: 0 | References: 6 | Affected Software: 1
Cvelist
added 2025/01/20 4:49 p.m.

CVE-2025-23221: Fedify has an infinite loop and blind SSRF inside the Webfinger mechanism

Fedify is a TypeScript library for building federated server apps powered by ActivityPub and other standards. This vulnerability allows a user to maneuver the Webfinger mechanism to perform a GET request to any internal resource on any Host, Port, URL combination regardless of present security...

CVSS 5.4 | EPSS 0.00111
Exploits: 0 | References: 4