Package details: pkg:npm/%40fedify/fedify@0.10.2
purl pkg:npm/%40fedify/fedify@0.10.2
Next non-vulnerable version 1.9.6
Latest non-vulnerable version 2.2.3
Risk 4.0
Vulnerabilities affecting this package (3)
Vulnerability Summary Fixed by
VCID-k66d-t856-nqga
Aliases:
CVE-2026-34148
GHSA-gm9m-gwc4-hwgp
1.9.6
Affected by 0 other vulnerabilities.
1.10.5
Affected by 0 other vulnerabilities.
2.0.8
Affected by 0 other vulnerabilities.
2.1.1
Affected by 0 other vulnerabilities.
VCID-kk9d-fywk-xubw
Aliases:
CVE-2025-68475
GHSA-rchf-xwx2-hm93
Fedify has ReDoS Vulnerability in HTML Parsing Regex

A Regular Expression Denial of Service (ReDoS) vulnerability exists in Fedify's document loader. The HTML parsing regex at `packages/fedify/src/runtime/docloader.ts:259` contains nested quantifiers that cause catastrophic backtracking when processing maliciously crafted HTML responses.

**An attacker-controlled federated server can respond with a small (~170 bytes) malicious HTML payload that blocks the victim's Node.js event loop for 14+ seconds, causing a Denial of Service.**

| Field | Value |
|-------|-------|
| **CWE** | CWE-1333 (Inefficient Regular Expression Complexity) |
1.6.13
Affected by 1 other vulnerability.
1.7.14
Affected by 1 other vulnerability.
1.8.15
Affected by 1 other vulnerability.
1.9.2
Affected by 1 other vulnerability.
VCID-z928-5cf7-vkeg
Aliases:
CVE-2025-54888
GHSA-6jcc-xgcr-q3h4
1.3.20
Affected by 2 other vulnerabilities.
1.4.13
Affected by 2 other vulnerabilities.
1.5.5
Affected by 2 other vulnerabilities.
1.6.8
Affected by 2 other vulnerabilities.
1.7.9
Affected by 2 other vulnerabilities.
1.8.5
Affected by 2 other vulnerabilities.
1.9.0-dev.1328
Affected by 1 other vulnerability.
Vulnerabilities fixed by this package (1)
Vulnerability Summary Aliases
VCID-t1jw-ybzt-17ac CVE-2024-39687
GHSA-p9cg-vqcc-grcx

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-01T10:35:16.210354+00:00 GitLab Importer Affected by VCID-k66d-t856-nqga https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@fedify/fedify/CVE-2026-34148.yml 38.6.0
2026-06-01T09:19:08.831281+00:00 GitLab Importer Affected by VCID-kk9d-fywk-xubw https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@fedify/fedify/CVE-2025-68475.yml 38.6.0
2026-06-01T08:47:31.503024+00:00 GitLab Importer Affected by VCID-z928-5cf7-vkeg https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@fedify/fedify/CVE-2025-54888.yml 38.6.0
2026-05-31T19:19:06.539085+00:00 GitLab Importer Fixing VCID-t1jw-ybzt-17ac https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@fedify/fedify/CVE-2024-39687.yml 38.6.0
2026-05-31T10:49:20.105137+00:00 GithubOSV Importer Fixing VCID-t1jw-ybzt-17ac https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-p9cg-vqcc-grcx/GHSA-p9cg-vqcc-grcx.json 38.6.0
2026-05-31T01:04:08.664544+00:00 GHSA Importer Fixing VCID-t1jw-ybzt-17ac https://github.com/advisories/GHSA-p9cg-vqcc-grcx 38.6.0