Description
Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to 1.9.6, 1.10.5, 2.0.8, and 2.1.1, @fedify/fedify follows HTTP redirects recursively in its remote document loader and authenticated document loader without enforcing a maximum redirect count or visited-URL loop detection. An attacker who controls a remote ActivityPub key or actor URL can force a server using Fedify to make repeated outbound requests from a single inbound request, leading to resource consumption and denial of service. This vulnerability is fixed in 1.9.6, 1.10.5, 2.0.8, and 2.1.1.
Published: 2026-04-06
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Resource Exhaustion leading to Denial of Service
Action: Immediate Patch
AI Analysis

Impact

Fedify, a TypeScript library used to build federated ActivityPub servers, follows HTTP redirects when loading remote keys or documents without limiting the number of redirects or detecting loops. An attacker who controls a remote ActivityPub key or actor URL can supply a redirect chain or loop that causes the server to repeatedly request external resources. The resulting outbound requests consume CPU, memory and network I/O and can result in denial of service. The weakness falls under uncontrolled resource consumption (CWE-400) and allocation of resources without limits or throttling (CWE-770).
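The two controls the description says were missing, a maximum redirect count and visited-URL loop detection, written as an added TypeScript example; this is not Fedify's code, and `fetchDocumentBounded`, `makeFetch` and the URLs in the constructed table are assumptions made for illustration.

```typescript
// Added example (not Fedify's code): a redirect-following document fetcher with a
// maximum redirect count and visited-URL loop detection. `fetchImpl` is injected so
// the example runs offline against a constructed URL table instead of the network.

export type FetchLike = (url: string) => Promise<Response>;

export const REDIRECT_STATUSES = new Set([301, 302, 303, 307, 308]);

export class RedirectError extends Error {}

export async function fetchDocumentBounded(
  url: string,
  fetchImpl: FetchLike,
  maxRedirects = 5,
): Promise<{ finalUrl: string; body: string; hops: number }> {
  const visited = new Set<string>();
  let current = url;
  for (let hops = 0; ; hops++) {
    if (visited.has(current)) {
      throw new RedirectError(`redirect loop detected at ${current}`);
    }
    visited.add(current);
    const res = await fetchImpl(current);
    if (!REDIRECT_STATUSES.has(res.status)) {
      return { finalUrl: current, body: await res.text(), hops };
    }
    if (hops >= maxRedirects) {
      throw new RedirectError(`more than ${maxRedirects} redirects from ${url}`);
    }
    const location = res.headers.get("location");
    if (location === null) throw new RedirectError(`redirect without Location at ${current}`);
    // Resolve relative Location values against the current URL, as a browser would.
    current = new URL(location, current).href;
  }
}

// Constructed offline "server": maps a URL to a redirect (status + Location) or a body.
type Entry = { status: number; location?: string; body?: string };
export function makeFetch(table: Record<string, Entry>): FetchLike {
  return async (url) => {
    const e = table[url];
    if (e === undefined) return new Response("not found", { status: 404 });
    const headers = e.location ? { location: e.location } : undefined;
    return new Response(e.body ?? "", { status: e.status, headers });
  };
}
```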

Affected Systems

All versions of the @fedify/fedify library released before 1.9.6, 1.10.5, 2.0.8, and 2.1.1 are vulnerable. The accompanying @fedify/vocab-runtime component is affected in versions prior to 2.0.8 and 2.1.1, with the 2.1.0 release also enumerated as vulnerable. The issue is fixed in the cited releases of both packages.

Risk and Exploitability

The CVSS base score is 7.5, indicating high severity. The EPSS score is below 1%, suggesting that exploitation is currently unlikely, and the vulnerability is not listed in the CISA KEV catalog. However, if an attacker can supply a malicious key or actor URL that the server resolves, they can trigger the vulnerability by directing the server to follow an endless redirect chain, consuming CPU, memory, and network I/O. The attack requires control of a referenced ActivityPub resource and can be launched from a single inbound request to the vulnerable server.

Generated by OpenCVE AI on April 14, 2026 at 03:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade @fedify/fedify to at least 1.9.6, 1.10.5, 2.0.8, or 2.1.1;
  • Upgrade @fedify/vocab-runtime to at least 2.0.8 or 2.1.1;
  • If upgrading is not yet possible, limit outbound HTTP requests from the server or configure the document loader to enforce a redirect limit for remote documents;
  • Monitor server logs for abnormal outbound traffic and consider isolating external request handling.

Advisories
Source: GitHub GHSA
ID: GHSA-gm9m-gwc4-hwgp
Title: Fedify affected by resource exhaustion caused by unbounded redirect following during remote key/document resolution
History

Sat, 25 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Fedify fedify/fedify
Fedify fedify/vocab-runtime
CPEs cpe:2.3:a:fedify:fedify:*:*:*:*:*:*:*:*
cpe:2.3:a:fedify:vocab-runtime:*:*:*:*:*:*:*:*
cpe:2.3:a:fedify:vocab-runtime:2.1.0:*:*:*:*:*:*:*
cpe:2.3:a:fedify:fedify/fedify:*:*:*:*:*:node.js:*:*
cpe:2.3:a:fedify:fedify/vocab-runtime:*:*:*:*:*:node.js:*:*
Vendors & Products Fedify fedify/fedify
Fedify fedify/vocab-runtime

Tue, 14 Apr 2026 02:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:fedify:fedify:*:*:*:*:*:*:*:*
cpe:2.3:a:fedify:vocab-runtime:*:*:*:*:*:*:*:*
cpe:2.3:a:fedify:vocab-runtime:2.1.0:*:*:*:*:*:*:*

Tue, 07 Apr 2026 15:15:00 +0000


Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Fedify
Fedify fedify
Fedify vocab-runtime
Vendors & Products Fedify
Fedify fedify
Fedify vocab-runtime

Mon, 06 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 06 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
Description Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to 1.9.6, 1.10.5, 2.0.8, and 2.1.1, @fedify/fedify follows HTTP redirects recursively in its remote document loader and authenticated document loader without enforcing a maximum redirect count or visited-URL loop detection. An attacker who controls a remote ActivityPub key or actor URL can force a server using Fedify to make repeated outbound requests from a single inbound request, leading to resource consumption and denial of service. This vulnerability is fixed in 1.9.6, 1.10.5, 2.0.8, and 2.1.1.
Title Fedify affected by resource exhaustion caused by unbounded redirect following during remote key/document resolution
Weaknesses CWE-400
CWE-770
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-07T14:25:51.368Z

Reserved: 2026-03-25T20:12:04.195Z

Link: CVE-2026-34148

Vulnrichment

Updated: 2026-04-06T15:35:07.905Z

NVD

Status : Analyzed

Published: 2026-04-06T16:16:34.387

Modified: 2026-04-25T18:03:02.780

Link: CVE-2026-34148

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:41:16Z

Weaknesses