Description
Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to versions 1.9.11, 1.10.10, 2.0.18, 2.1.14, and 2.2.3, an attacker can make use of JSON-LD features to restructure a JSON-LD document that would change how Fedify interprets it without changing its Linked Data Signature, allowing them to alter a third-party signed activity they have received. Versions 1.9.11, 1.10.10, 2.0.18, 2.1.14, and 2.2.3 fix the issue.
Published: 2026-06-10
Score: 7 (High)
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Fedify, a TypeScript library for federated server apps, implements Linked Data (LD) Signatures to ensure the authenticity of JSON-LD documents. An attacker can exploit the library's handling of JSON-LD named-graph restructuring to produce a document that Fedify interprets differently from the original yet that still validates against the original LD Signature. This lets the attacker modify a third-party signed activity that a Fedify-powered server receives, effectively altering the content of a message that should be immutable. The vulnerability is an integrity violation that undermines trust in federated communication; it is mapped to CWE-1289 (improper validation of unsafe equivalence in input), CWE-180 (incorrect behavior order: validate before canonicalize), CWE-347 (improper verification of cryptographic signature) and CWE-436 (interpretation conflict).

Affected Systems

The affected product is the Fedify library from fedify-dev. Versions before 1.9.11, 1.10.10, 2.0.18, 2.1.14, and 2.2.3 are vulnerable; each affected release line is fixed in the corresponding listed version.

Risk and Exploitability

The CVSS score of 7 indicates high severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, suggesting no documented exploitation yet. Nevertheless, the expected attack vector is a crafted ActivityPub activity sent over the network to a Fedify-powered server. If the receiving server accepts the activity, an adversary can inject or modify data that would otherwise be treated as trustworthy because it carries a valid signature.

Generated by OpenCVE AI on June 10, 2026 at 22:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Fedify to a patched release (1.9.11, 1.10.10, 2.0.18, 2.1.14, or 2.2.3 or newer).
  • Ensure that all incoming JSON-LD documents are strictly validated against the library’s LD signature algorithm, rejecting any that cannot be verified.
  • Implement schema or whitelist validation for JSON-LD named‑graph structures to prevent restructuring that could bypass signature checks.



Advisories
Source: GitHub GHSA
ID: GHSA-9rfg-v8g9-9367
Title: Fedify has an LD-Signature Bypass via JSON-LD Named-Graph Restructuring
History

Wed, 10 Jun 2026 21:00:00 +0000

Type | Values Removed | Values Added
Description | | Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to versions 1.9.11, 1.10.10, 2.0.18, 2.1.14, and 2.2.3, an attacker can make use of JSON-LD features to restructure a JSON-LD document that would change how Fedify interprets it without changing its Linked Data Signature, allowing them to alter a third-party signed activity they have received. Versions 1.9.11, 1.10.10, 2.0.18, 2.1.14, and 2.2.3 fix the issue.
Title | | Fedify has an LD-Signature Bypass via JSON-LD Named-Graph Restructuring
Weaknesses | | CWE-1289, CWE-180, CWE-347, CWE-436
References | |
Metrics | | cvssV3_1 {'score': 7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-10T20:22:35.383Z

Reserved: 2026-04-27T13:55:58.694Z

Link: CVE-2026-42462

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-10T22:16:57.387

Modified: 2026-06-10T22:16:57.387

Link: CVE-2026-42462

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T23:00:20Z