Description
Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to 1.9.6, 1.10.5, 2.0.8, and 2.1.1, @fedify/fedify follows HTTP redirects recursively in its remote document loader and authenticated document loader without enforcing a maximum redirect count or visited-URL loop detection. An attacker who controls a remote ActivityPub key or actor URL can force a server using Fedify to make repeated outbound requests from a single inbound request, leading to resource consumption and denial of service. This vulnerability is fixed in 1.9.6, 1.10.5, 2.0.8, and 2.1.1.
Published: 2026-04-06
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: Denial of Service via Resource Exhaustion
Action: Patch Now
AI Analysis

Impact

Fedify, a TypeScript library for building federated server applications, contains a resource exhaustion flaw. The library follows HTTP redirects recursively when resolving remote ActivityPub keys or documents without imposing a limit or cycle detection. An attacker who supplies a malicious key or actor URL can trigger an infinite redirect chain. The library will then perform repeated outbound HTTP requests for each hop, consuming network and server resources, potentially leading to denial of service for the application.

Affected Systems

The issue affects Fedify releases before 1.9.6, 1.10.5, 2.0.8, and 2.1.1 on their respective release lines. Projects that depend on @fedify/fedify or @fedify/vocab-runtime and that load remote keys or documents are vulnerable.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity. No exploit probability data is available, and the flaw is not listed in CISA’s KEV catalog. Because the vulnerability relies on untrusted HTTP redirects, a remote attacker with control over the URL being resolved can trigger the attack without needing local privileges. The impact remains limited to the server running Fedify, but repeated outbound traffic can exhaust bandwidth or processing capacity, resulting in service interruption.

Generated by OpenCVE AI on April 6, 2026 at 17:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Fedify library to version 1.9.6, 1.10.5, 2.0.8, or 2.1.1 depending on the project.
  • Verify that the upgraded library version is in use by inspecting package.json and running a version check.
  • If an upgrade is not feasible, consider disabling automatic redirect following or restricting remote document loading in the application’s configuration.
  • Continuously monitor outbound network activity for abnormal patterns that could indicate exploitation.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 00:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Fedify; Fedify fedify; Fedify vocab-runtime
Vendors & Products  |                | Fedify; Fedify fedify; Fedify vocab-runtime

Mon, 06 Apr 2026 16:45:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 06 Apr 2026 15:30:00 +0000

Type        | Values Removed | Values Added
Description |                | Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to 1.9.6, 1.10.5, 2.0.8, and 2.1.1, @fedify/fedify follows HTTP redirects recursively in its remote document loader and authenticated document loader without enforcing a maximum redirect count or visited-URL loop detection. An attacker who controls a remote ActivityPub key or actor URL can force a server using Fedify to make repeated outbound requests from a single inbound request, leading to resource consumption and denial of service. This vulnerability is fixed in 1.9.6, 1.10.5, 2.0.8, and 2.1.1.
Title       |                | Fedify affected by resource exhaustion caused by unbounded redirect following during remote key/document resolution
Weaknesses  |                | CWE-400; CWE-770
References  |                |
Metrics     |                | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-06T15:35:21.840Z

Reserved: 2026-03-25T20:12:04.195Z

Link: CVE-2026-34148

Vulnrichment

Updated: 2026-04-06T15:35:07.905Z

NVD

Status : Received

Published: 2026-04-06T16:16:34.387

Modified: 2026-04-06T16:16:34.387

Link: CVE-2026-34148

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-06T21:32:28Z

Weaknesses