VulnerableCode Package Details - pkg:npm/%40fedify/fedify@1.8.1-dev.1237

Search for packages

Vulnerability	Summary	Fixed by
VCID-tbxv-mta3-ykh5 Aliases: CVE-2025-54888 GHSA-6jcc-xgcr-q3h4	Fedify is a TypeScript library for building federated server apps powered by ActivityPub. In versions below 1.3.20, 1.4.0-dev.585 through 1.4.12, 1.5.0-dev.636 through 1.5.4, 1.6.0-dev.754 through 1.6.7, 1.7.0-pr.251.885 through 1.7.8 and 1.8.0-dev.909 through 1.8.4, an authentication bypass vulnerability allows any unauthenticated attacker to impersonate any ActivityPub actor by sending forged activities signed with their own keys. Activities are processed before verifying the signing key belongs to the claimed actor, enabling complete actor impersonation across all Fedify instances. This is fixed in versions 1.3.20, 1.4.13, 1.5.5, 1.6.8, 1.7.9 and 1.8.5.	1.8.5 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 1.9.0-dev.1328 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-v7pd-aym8-ykdg Aliases: CVE-2025-68475 GHSA-rchf-xwx2-hm93	Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to versions 1.6.13, 1.7.14, 1.8.15, and 1.9.2, a Regular Expression Denial of Service (ReDoS) vulnerability exists in Fedify's document loader. The HTML parsing regex at packages/fedify/src/runtime/docloader.ts:259 contains nested quantifiers that cause catastrophic backtracking when processing maliciously crafted HTML responses. This issue has been patched in versions 1.6.13, 1.7.14, 1.8.15, and 1.9.2.	1.8.15 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 1.9.2 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-yfms-12uu-a7hy Aliases: CVE-2026-34148 GHSA-gm9m-gwc4-hwgp	Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to 1.9.6, 1.10.5, 2.0.8, and 2.1.1, @fedify/fedify follows HTTP redirects recursively in its remote document loader and authenticated document loader without enforcing a maximum redirect count or visited-URL loop detection. An attacker who controls a remote ActivityPub key or actor URL can force a server using Fedify to make repeated outbound requests from a single inbound request, leading to resource consumption and denial of service. This vulnerability is fixed in 1.9.6, 1.10.5, 2.0.8, and 2.1.1.	1.9.6 Affected by 0 other vulnerabilities. 1.10.5 Affected by 0 other vulnerabilities. 2.0.8 Affected by 0 other vulnerabilities. 2.1.1 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-tbxv-mta3-ykh5
Aliases:
CVE-2025-54888
GHSA-6jcc-xgcr-q3h4

Fedify is a TypeScript library for building federated server apps powered by ActivityPub. In versions below 1.3.20, 1.4.0-dev.585 through 1.4.12, 1.5.0-dev.636 through 1.5.4, 1.6.0-dev.754 through 1.6.7, 1.7.0-pr.251.885 through 1.7.8 and 1.8.0-dev.909 through 1.8.4, an authentication bypass vulnerability allows any unauthenticated attacker to impersonate any ActivityPub actor by sending forged activities signed with their own keys. Activities are processed before verifying the signing key belongs to the claimed actor, enabling complete actor impersonation across all Fedify instances. This is fixed in versions 1.3.20, 1.4.13, 1.5.5, 1.6.8, 1.7.9 and 1.8.5.

1.8.5
Affected by 2 other vulnerabilities.

1.9.0-dev.1328
Affected by 1 other vulnerability.

VCID-v7pd-aym8-ykdg
Aliases:
CVE-2025-68475
GHSA-rchf-xwx2-hm93

Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to versions 1.6.13, 1.7.14, 1.8.15, and 1.9.2, a Regular Expression Denial of Service (ReDoS) vulnerability exists in Fedify's document loader. The HTML parsing regex at packages/fedify/src/runtime/docloader.ts:259 contains nested quantifiers that cause catastrophic backtracking when processing maliciously crafted HTML responses. This issue has been patched in versions 1.6.13, 1.7.14, 1.8.15, and 1.9.2.

1.8.15
Affected by 1 other vulnerability.

1.9.2
Affected by 1 other vulnerability.

VCID-yfms-12uu-a7hy
Aliases:
CVE-2026-34148
GHSA-gm9m-gwc4-hwgp

Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to 1.9.6, 1.10.5, 2.0.8, and 2.1.1, @fedify/fedify follows HTTP redirects recursively in its remote document loader and authenticated document loader without enforcing a maximum redirect count or visited-URL loop detection. An attacker who controls a remote ActivityPub key or actor URL can force a server using Fedify to make repeated outbound requests from a single inbound request, leading to resource consumption and denial of service. This vulnerability is fixed in 1.9.6, 1.10.5, 2.0.8, and 2.1.1.

1.9.6
Affected by 0 other vulnerabilities.

1.10.5
Affected by 0 other vulnerabilities.

2.0.8
Affected by 0 other vulnerabilities.

2.1.1
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-12T21:55:17.292379+00:00	GitLab Importer	Affected by	VCID-yfms-12uu-a7hy	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@fedify/fedify/CVE-2026-34148.yml	38.6.0
2026-06-12T20:42:00.719130+00:00	GitLab Importer	Affected by	VCID-v7pd-aym8-ykdg	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@fedify/fedify/CVE-2025-68475.yml	38.6.0
2026-06-12T20:08:53.671542+00:00	GitLab Importer	Affected by	VCID-tbxv-mta3-ykh5	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@fedify/fedify/CVE-2025-54888.yml	38.6.0