
94 matches found

Github Security Blog
added 2026/05/26 11:38 p.m.

Fedify has an LD-Signature Bypass via JSON-LD Named-Graph Restructuring

As told on Discord earlier, multiple projects are affected, and we would like to coordinate. For now, we are aiming at a May 6th release date, but this is not set in stone yet. Summary An attacker can make use of JSON-LD features to restructure a JSON-LD document that would change how Fedify...

CVSS 7, AI score 5.4, EPSS 0.00171
Exploits 0, References 4, Affected software 1

vulnersOsv
added 2026/05/26 11:38 p.m.

@fedify/botkit (>=0.4.0-dev.177 <=0.4.0-dev.181), @fedify/botkit-sqlite (>=0.4.0-dev.177 <=0.4.0-dev.181) potentially affected by CVE-2026-42462 via @fedify/fedify (=1.10.0)

@fedify/fedify NPM version =1.10.0 is affected by a known vulnerability. The following packages have a transitive dependency on @fedify/fedify and may be impacted: - @fedify/botkit =0.4.0-dev.177, =0.4.0-dev.177, =0.4.0-dev.181 Source cves: CVE-2026-42462 Source advisory: OSV:GHSA-9RFG-V8G9-9367...

CVSS 7, AI score 5.4, EPSS 0.00171
Exploits 0

vulnersOsv
added 2026/05/26 11:38 p.m.

@de-otio/trellis (>=0.4.0 <=0.7.1), @fedify/amqp (>=0.1.0 <=0.2.0-dev.12) +6 more potentially affected by CVE-2026-42462 via @fedify/fedify (>=1.10.0 <=1.9.0-dev.1516)

@fedify/fedify NPM version =1.10.0, =0.4.0, =0.1.0, =0.3.0, =0.3.0, =0.1.0, =0.2.0, =0.0.1, =0.1.0, =1.1.20 Source cves: CVE-2026-42462 Source advisory: SNYK:JS-FEDIFYFEDIFY-16895732...

CVSS 7, AI score 5.4, EPSS 0.00171
Exploits 0

Snyk
added 2026/04/07 6:04 p.m.

Allocation of Resources Without Limits or Throttling

Overview @fedify/fedify is an ActivityPub server framework. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the recursive handling of HTTP redirects in the remote and authenticated document loader. An attacker can exhaust server...

CVSS 8.7, AI score 5.8, EPSS 0.00551
Exploits 1, References 2

Snyk
added 2026/04/07 6:04 p.m.

Allocation of Resources Without Limits or Throttling

Overview @fedify/vocab-runtime is a runtime library for code-generated Activity Vocabulary APIs. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the recursive handling of HTTP redirects in the remote and authenticated document loader...

CVSS 8.7, AI score 5.8, EPSS 0.00551
Exploits 1, References 2

vulnersOsv
added 2026/04/07 6:04 p.m.

@fedify/botkit (>=0.4.0-dev.182 <=0.4.0-dev.183), @fedify/botkit-sqlite (>=0.4.0-dev.182 <=0.4.0-dev.183) +5 more potentially affected by CVE-2026-34148 via @fedify/vocab-runtime (>=2.0.0-dev.100 <=2.0.7)

@fedify/vocab-runtime NPM version =2.0.0-dev.100, =0.4.0-dev.182, =0.4.0-dev.182, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.20 Source cves: CVE-2026-34148 Source advisory: SNYK:JS-FEDIFYVOCABRUNTIME-15928877...

CVSS 7.5, AI score 5.7, EPSS 0.00551
Exploits 1

vulnersOsv
added 2026/04/07 6:04 p.m.

@de-otio/trellis (>=0.4.0 <=0.7.1), @fedify/amqp (>=0.1.0 <=0.2.0-dev.12) +6 more potentially affected by CVE-2026-34148 via @fedify/fedify (>=0.10.2 <=1.9.2)

@fedify/fedify NPM version =0.10.2, =0.4.0, =0.1.0, =0.3.0, =0.3.0, =0.1.0, =0.1.0, =0.0.1, =0.1.0, =1.1.20 Source cves: CVE-2026-34148 Source advisory: OSV:GHSA-GM9M-GWC4-HWGP...

CVSS 7.5, AI score 5.8, EPSS 0.00551
Exploits 1

vulnersOsv
added 2026/04/07 6:04 p.m.

@fedify/botkit (>=0.4.0-dev.184 <=0.4.0-dev.185), @fedify/botkit-sqlite (>=0.4.0-dev.184 <=0.4.0-dev.185) +5 more potentially affected by CVE-2026-34148 via @fedify/vocab-runtime (=2.1.0)

@fedify/vocab-runtime NPM version =2.1.0 is affected by a known vulnerability. The following packages have a transitive dependency on @fedify/vocab-runtime and may be impacted: - @fedify/botkit =0.4.0-dev.184, =0.4.0-dev.184, =0.4.0-dev.185 - @fedify/cli =2.1.0 - @fedify/fedify =2.1.0 -...

CVSS 7.5, AI score 5.8, EPSS 0.00551
Exploits 1

vulnersOsv
added 2026/04/07 6:04 p.m.

@fedify/botkit (>=0.4.0-dev.184 <=0.4.0-dev.185), @fedify/botkit-sqlite (>=0.4.0-dev.184 <=0.4.0-dev.185) +1 more potentially affected by CVE-2026-34148 via @fedify/fedify (=2.1.0)

@fedify/fedify NPM version =2.1.0 is affected by a known vulnerability. The following packages have a transitive dependency on @fedify/fedify and may be impacted: - @fedify/botkit =0.4.0-dev.184, =0.4.0-dev.184, =0.4.0-dev.185 - @fedify/cli =2.1.0 Source cves: CVE-2026-34148 Source advisory:...

CVSS 7.5, AI score 5.8, EPSS 0.00551
Exploits 1

vulnersOsv
added 2026/04/07 6:04 p.m.

@fedify/botkit (>=0.4.0-dev.182 <=0.4.0-dev.183), @fedify/botkit-sqlite (>=0.4.0-dev.182 <=0.4.0-dev.183) +1 more potentially affected by CVE-2026-34148 via @fedify/fedify (>=2.0.0 <=2.0.7)

@fedify/fedify NPM version =2.0.0, =0.4.0-dev.182, =0.4.0-dev.182, =2.0.0, =2.0.20 Source cves: CVE-2026-34148 Source advisory: OSV:GHSA-GM9M-GWC4-HWGP...

CVSS 7.5, AI score 5.7, EPSS 0.00551
Exploits 1

vulnersOsv
added 2026/04/07 6:04 p.m.

@fedify/botkit (>=0.4.0-dev.182 <=0.4.0-dev.183), @fedify/botkit-sqlite (>=0.4.0-dev.182 <=0.4.0-dev.183) +1 more potentially affected by CVE-2026-34148 via @fedify/fedify (>=2.0.0 <=2.0.7)

@fedify/fedify NPM version =2.0.0, =0.4.0-dev.182, =0.4.0-dev.182, =2.0.0, =2.0.20 Source cves: CVE-2026-34148 Source advisory: SNYK:JS-FEDIFYFEDIFY-15928876...

CVSS 7.5, AI score 5.7, EPSS 0.00551
Exploits 1

vulnersOsv
added 2026/04/07 6:04 p.m.

@de-otio/trellis (>=0.4.0 <=0.7.1), @fedify/amqp (>=0.1.0 <=0.2.0-dev.12) +6 more potentially affected by CVE-2026-34148 via @fedify/fedify (>=1.10.0 <=1.9.2)

@fedify/fedify NPM version =1.10.0, =0.4.0, =0.1.0, =0.3.0, =0.3.0, =0.1.0, =0.2.0, =0.0.1, =0.1.0, =1.1.20 Source cves: CVE-2026-34148 Source advisory: SNYK:JS-FEDIFYFEDIFY-15928876...

CVSS 7.5, AI score 5.8, EPSS 0.00551
Exploits 1

vulnersOsv
added 2026/04/07 6:04 p.m.

@fedify/botkit (>=0.4.0-dev.182 <=0.4.0-dev.183), @fedify/botkit-sqlite (>=0.4.0-dev.182 <=0.4.0-dev.183) +5 more potentially affected by CVE-2026-34148 via @fedify/vocab-runtime (>=2.0.0-dev.100 <=2.0.7)

@fedify/vocab-runtime NPM version =2.0.0-dev.100, =0.4.0-dev.182, =0.4.0-dev.182, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.20 Source cves: CVE-2026-34148 Source advisory: OSV:GHSA-GM9M-GWC4-HWGP...

CVSS 7.5, AI score 5.7, EPSS 0.00551
Exploits 1

EUVD
added 2026/04/07 6:04 p.m.

EUVD-2026-19295

Fedify affected by resource exhaustion caused by unbounded redirect following during remote key/document resolution...

CVSS 7.5, AI score 5.9, EPSS 0.00551
Exploits 1, References 6

RedhatCVE
added 2026/04/07 5:03 p.m.

CVE-2026-34148

Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to 1.9.6, 1.10.5, 2.0.8, and 2.1.1, @fedify/fedify follows HTTP redirects recursively in its remote document loader and authenticated document loader without enforcing a maximum redirect count or...

CVSS 7.5, AI score 6, EPSS 0.00551
Exploits 1, References 1

NVD
added 2026/04/06 4:16 p.m.

CVE-2026-34148

Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to 1.9.6, 1.10.5, 2.0.8, and 2.1.1, @fedify/fedify follows HTTP redirects recursively in its remote document loader and authenticated document loader without enforcing a maximum redirect count or...

CVSS 7.5, EPSS 0.00551
Exploits 1, References 5

Vulnrichment
added 2026/04/06 3:06 p.m.

CVE-2026-34148 Fedify affected by resource exhaustion caused by unbounded redirect following during remote key/document resolution

Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to 1.9.6, 1.10.5, 2.0.8, and 2.1.1, @fedify/fedify follows HTTP redirects recursively in its remote document loader and authenticated document loader without enforcing a maximum redirect count or...

CVSS 7.5, AI score 6, EPSS 0.00551
Exploits 1, References 5

CVE
added 2026/04/06 3:06 p.m.

CVE-2026-34148

CVE-2026-34148 – Fedify resource exhaustion via unbounded redirects. Affected: @fedify/fedify (Fedify) before versions 1.9.6, 1.10.5, 2.0.8, 2.1.1. Description in connected docs confirms that the remote and authenticated document loaders recursively follow HTTP 3xx redirects without a maximum re...

CVSS 7.5, AI score 6, EPSS 0.00551
Exploits 1, References 5, Affected software 1
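The CVE-2026-34148 entries above all describe the same defect: a document loader that follows HTTP 3xx redirects recursively with no hop limit, so a hostile remote can keep a server chasing redirects until it runs out of resources. The block below is an added TypeScript example, not code from Fedify or from any of the advisories listed here, showing the shape of a hardened loader: an iterative loop with a hard redirect cap, a visited set that catches redirect cycles, relative Location resolution and an http(s)-only scheme check. The HTTP client is injected and synchronous so the example runs offline; makeChainFetcher, fetchDocument, the error classes and the example.test redirect chain are all constructed for this example, and a real loader would await fetch() and add a timeout and a response-size limit on top.

```typescript
// Added example, not Fedify's code: an iterative document fetch with a hard
// redirect cap, the class of hardening the CVE-2026-34148 advisories call for.

export interface MinimalResponse {
  status: number;
  headers: Record<string, string>; // header names are lower-cased
  body: string;
}

// The HTTP client is injected so the example runs offline; a real loader
// would wrap fetch() here (and await it).
export type Fetcher = (url: string) => MinimalResponse;

export class TooManyRedirectsError extends Error {
  readonly url: string;
  readonly limit: number;
  constructor(url: string, limit: number) {
    super(`redirect limit of ${limit} exceeded while fetching ${url}`);
    this.name = "TooManyRedirectsError";
    this.url = url;
    this.limit = limit;
  }
}

export class RedirectLoopError extends Error {
  readonly url: string;
  constructor(url: string) {
    super(`redirect loop detected at ${url}`);
    this.name = "RedirectLoopError";
    this.url = url;
  }
}

export interface Fetched {
  finalUrl: string;
  hops: number;
  body: string;
}

// Follows 3xx responses in a loop rather than by recursion, stops after
// `maxRedirects` hops, refuses to revisit a URL, and only follows http(s).
export function fetchDocument(url: string, fetcher: Fetcher, maxRedirects = 5): Fetched {
  const visited = new Set<string>();
  let current = url;
  let hops = 0;
  for (;;) {
    if (visited.has(current)) throw new RedirectLoopError(current);
    visited.add(current);
    const res = fetcher(current);
    if (res.status >= 300 && res.status < 400) {
      if (hops >= maxRedirects) throw new TooManyRedirectsError(current, maxRedirects);
      const location = res.headers["location"];
      if (!location) throw new Error(`HTTP ${res.status} from ${current} without a Location header`);
      const next = new URL(location, current); // resolves relative Location values
      if (next.protocol !== "https:" && next.protocol !== "http:") {
        throw new Error(`refusing redirect to non-HTTP URL ${next.toString()}`);
      }
      current = next.toString();
      hops += 1;
      continue;
    }
    if (res.status < 200 || res.status >= 300) {
      throw new Error(`unexpected HTTP ${res.status} from ${current}`);
    }
    return { finalUrl: current, hops, body: res.body };
  }
}

// Constructed offline fetcher standing in for a hostile remote: /key?n=<i>
// redirects to n+1 until `chainLength` hops have been served, then returns a
// JSON document. With `loop` set, it cycles among three URLs forever.
export function makeChainFetcher(chainLength: number, loop = false): Fetcher {
  const redirectTo = (n: number): MinimalResponse => ({
    status: 302,
    headers: { location: `/key?n=${n}` },
    body: "",
  });
  return (url: string): MinimalResponse => {
    const n = Number(new URL(url).searchParams.get("n") ?? "0");
    if (loop) return redirectTo((n + 1) % 3);
    if (n < chainLength) return redirectTo(n + 1);
    return {
      status: 200,
      headers: { "content-type": "application/activity+json" },
      body: JSON.stringify({ id: "https://example.test/key", type: "Key" }),
    };
  };
}
```

Calling fetchDocument("https://example.test/key", makeChainFetcher(3)) returns after three hops, makeChainFetcher(10) with the default cap of 5 raises TooManyRedirectsError, and makeChainFetcher(0, true) is stopped by the visited set as a RedirectLoopError. The cap is the part that matters for the advisory; the visited set is cheap insurance against a cycle that would otherwise burn the whole budget, and the scheme check keeps a redirect from steering the loader at file: or other non-HTTP targets.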