CVE-2026-34148 Fedify affected by resource exhaustion caused by unbounded redirect following during remote key/document resolution

Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to 1.9.6, 1.10.5, 2.0.8, and 2.1.1, @fedify/fedify follows HTTP redirects recursively in its remote document loader and authenticated document loader without enforcing a maximum redirect count or...

CVE-2026-34148

CVE-2026-34148 – Fedify resource exhaustion via unbounded redirects . Affected: @fedify/fedify (Fedify) before versions 1.9.6, 1.10.5, 2.0.8, 2.1.1. Description in connected docs confirms that the remote and authenticated document loaders recursively follow HTTP 3xx redirects without a maximum re...

Fedify 安全漏洞

Fedify is a TypeScript library developed by Hong Minhee. It is used to build federated server applications that support ActivityPub and other standards. Versions of Fedify prior to 1.9.6, 1.10.5, 2.0.8, and 2.1.1 have security vulnerabilities due to the lack of limit on HTTP redirection attempts,...

PT-2026-30656

Name of the Vulnerable Software and Affected Versions: Fedify versions prior to 1.9.6, 1.10.5, 2.0.8, and 2.1.1 Description: Fedify does not enforce a maximum redirect count or visited-URL loop detection when following HTTP redirects in its remote and authenticated document loaders. An attacker...

Regular Expression Denial Of Service (ReDoS)

@fedify/fedify is vulnerable to Regular Expression Denial of Service ReDoS. The vulnerability is due to nested quantifiers in the HTML parsing regex within the document loader, which allows an attacker to trigger catastrophic backtracking by sending specially crafted HTML responses...

Hollo 安全漏洞

Hollo is a micro-blogging software developed by Fedify. Versions of Hollo prior to 0.6.20 and 0.7.2 contained security vulnerabilities. These vulnerabilities were due to the exposure of private messages and posts visible only to followers through the ActivityPub inbox endpoint, which could lead t...

CVE-2025-23221

Fedify is a TypeScript library for building federated server apps powered by ActivityPub and other standards. This vulnerability allows a user to maneuver the Webfinger mechanism to perform a GET request to any internal resource on any Host, Port, URL combination regardless of present security...

CVE-2024-39687

Fedify is a TypeScript library for building federated server apps powered by ActivityPub and other standards. At present, when Fedify needs to retrieve an object or activity from a remote activitypub server, it makes a HTTP request to the @id or other resources present within the activity it has...

CVE-2025-68475

Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to versions 1.6.13, 1.7.14, 1.8.15, and 1.9.2, a Regular Expression Denial of Service ReDoS vulnerability exists in Fedify's document loader. The HTML parsing regex at...

CVE-2025-68475

Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to versions 1.6.13, 1.7.14, 1.8.15, and 1.9.2, a Regular Expression Denial of Service ReDoS vulnerability exists in Fedify's document loader. The HTML parsing regex at...

@de-otio/trellis (>=0.4.0 <=0.7.1), @fedify/amqp (>=0.1.0 <=0.2.0-dev.12) +6 more potentially affected by CVE-2025-68475 via @fedify/fedify (>=0.10.2 <=1.5.0)

@fedify/fedify NPM version =0.10.2, =0.4.0, =0.1.0, =0.3.0, =0.3.0, =0.1.0, =0.1.0, =0.0.1, =0.1.0, =1.1.20 Source cves: CVE-2025-68475 Source advisory: OSV:GHSA-RCHF-XWX2-HM93...

@fedify/botkit (>=0.3.0-dev.125 <=0.3.0-dev.131) potentially affected by CVE-2025-68475 via @fedify/fedify (=1.8.1-dev.1262)

@fedify/fedify NPM version =1.8.1-dev.1262 is affected by a known vulnerability. The following packages have a transitive dependency on @fedify/fedify and may be impacted: - @fedify/botkit =0.3.0-dev.125, =0.3.0-dev.131 Source cves: CVE-2025-68475 Source advisory: OSV:GHSA-RCHF-XWX2-HM93...

EUVD-2025-204741

Fedify has ReDoS Vulnerability in HTML Parsing Regex...

Regular Expression Denial of Service (ReDoS)

Overview @fedify/fedify is an An ActivityPub server framework Affected versions of this package are vulnerable to Regular Expression Denial of Service ReDoS via docloader.ts. An attacker can cause the event loop to become unresponsive by supplying a specially crafted HTML payload that triggers...

@de-otio/trellis (>=0.4.0 <=0.7.1), @fedify/amqp (>=0.1.0 <=0.2.0-dev.12) +6 more potentially affected by CVE-2025-68475 via @fedify/fedify (>=1.10.0 <=1.5.0)

@fedify/fedify NPM version =1.10.0, =0.4.0, =0.1.0, =0.3.0, =0.3.0, =0.1.0, =0.2.0, =0.0.1, =0.1.0, =1.1.20 Source cves: CVE-2025-68475 Source advisory: SNYK:JS-FEDIFYFEDIFY-14552161...

@fedify/botkit (>=0.3.0-dev.125 <=0.3.0-dev.131) potentially affected by CVE-2025-68475 via @fedify/fedify (=1.8.1-dev.1262)

@fedify/fedify NPM version =1.8.1-dev.1262 is affected by a known vulnerability. The following packages have a transitive dependency on @fedify/fedify and may be impacted: - @fedify/botkit =0.3.0-dev.125, =0.3.0-dev.131 Source cves: CVE-2025-68475 Source advisory: SNYK:JS-FEDIFYFEDIFY-14552161...

GHSA-RCHF-XWX2-HM93 Fedify has ReDoS Vulnerability in HTML Parsing Regex

Hi Fedify team! 👋 Thank you for your work on Fedify—it's a fantastic library for building federated applications. While reviewing the codebase, I discovered a Regular Expression Denial of Service ReDoS vulnerability that I'd like to report. I hope this helps improve the project's security. ---...

Fedify has ReDoS Vulnerability in HTML Parsing Regex

Hi Fedify team! 👋 Thank you for your work on Fedify—it's a fantastic library for building federated applications. While reviewing the codebase, I discovered a Regular Expression Denial of Service ReDoS vulnerability that I'd like to report. I hope this helps improve the project's security. ---...

CVE-2025-68475 Fedify has ReDoS Vulnerability in HTML Parsing Regex

Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to versions 1.6.13, 1.7.14, 1.8.15, and 1.9.2, a Regular Expression Denial of Service ReDoS vulnerability exists in Fedify's document loader. The HTML parsing regex at...

CVE-2025-68475 Fedify has ReDoS Vulnerability in HTML Parsing Regex

Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to versions 1.6.13, 1.7.14, 1.8.15, and 1.9.2, a Regular Expression Denial of Service ReDoS vulnerability exists in Fedify's document loader. The HTML parsing regex at...