Description
Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to versions 1.9.11, 1.10.10, 2.0.18, 2.1.14, and 2.2.3, an attacker can make use of JSON-LD features to restructure a JSON-LD document that would change how Fedify interprets it without changing its Linked Data Signature, allowing them to alter a third-party signed activity they have received. Versions 1.9.11, 1.10.10, 2.0.18, 2.1.14, and 2.2.3 fix the issue.
Published: 2026-06-10
Score: 7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Fedify, a TypeScript library for federated server apps, implements Linked Data (LD) Signatures to verify the authenticity of JSON-LD documents. An attacker can exploit the library's handling of JSON-LD named-graph restructuring to craft a document that is structurally different from the signed one yet still validates against the original LD signature. This lets the attacker modify a third-party signed activity that a Fedify-powered server receives, altering the content of a message that should be immutable. The vulnerability is an integrity violation that undermines trust in federated communication and is mapped to weaknesses such as improper data transfer, improper JSON handling, deserialization issues, and insufficient data validation.

Affected Systems

The affected product is the Fedify library from fedify-dev. Versions before 1.9.11, 1.10.10, 2.0.18, 2.1.14, and 2.2.3 are vulnerable; each affected release line is fixed in the corresponding listed version.

Risk and Exploitability

The CVSS score of 7 indicates high severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, suggesting no documented exploitation yet. Nevertheless, the attack vector is expected to be a crafted ActivityPub activity sent over the network to a Fedify-powered server. If the receiving server accepts the activity, an adversary can inject or modify data that would otherwise be considered trustworthy.

Generated by OpenCVE AI on June 10, 2026 at 22:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Fedify to a patched release (1.9.11, 1.10.10, 2.0.18, 2.1.14, or 2.2.3, or a newer release in the same line).
  • Ensure that all incoming JSON-LD documents are strictly validated against the library's LD signature algorithm, and reject any that cannot be verified.
  • Implement schema or allow-list validation for JSON-LD named-graph structures to prevent restructuring that could bypass signature checks.



Advisories
Source: GitHub GHSA
ID: GHSA-9rfg-v8g9-9367
Title: Fedify has an LD-Signature Bypass via JSON-LD Named-Graph Restructuring
History

Thu, 11 Jun 2026 14:30:00 +0000

  Type: Metrics
  Values removed: (none)
  Values added: ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 11 Jun 2026 10:45:00 +0000

  Type: First Time appeared
  Values removed: (none)
  Values added: Fedify; Fedify fedify

  Type: Vendors & Products
  Values removed: (none)
  Values added: Fedify; Fedify fedify

Wed, 10 Jun 2026 21:00:00 +0000

  Type: Description
  Values removed: (none)
  Values added: Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to versions 1.9.11, 1.10.10, 2.0.18, 2.1.14, and 2.2.3, an attacker can make use of JSON-LD features to restructure a JSON-LD document that would change how Fedify interprets it without changing its Linked Data Signature, allowing them to alter a third-party signed activity they have received. Versions 1.9.11, 1.10.10, 2.0.18, 2.1.14, and 2.2.3 fix the issue.

  Type: Title
  Values removed: (none)
  Values added: Fedify has an LD-Signature Bypass via JSON-LD Named-Graph Restructuring

  Type: Weaknesses
  Values removed: (none)
  Values added: CWE-1289; CWE-180; CWE-347; CWE-436

  Type: References
  Values removed: (none)
  Values added: (none listed)

  Type: Metrics
  Values removed: (none)
  Values added: cvssV3_1
    {'score': 7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-11T13:34:03.443Z

Reserved: 2026-04-27T13:55:58.694Z

Link: CVE-2026-42462

Vulnrichment

Updated: 2026-06-11T13:34:00.241Z

NVD

Status : Deferred

Published: 2026-06-10T22:16:57.387

Modified: 2026-06-11T15:34:28.757

Link: CVE-2026-42462

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-11T10:30:11Z

Weaknesses
  • CWE-1289: Improper Validation of Unsafe Equivalence in Input
  • CWE-180: Incorrect Behavior Order: Validate Before Canonicalize
  • CWE-347: Improper Verification of Cryptographic Signature
  • CWE-436: Interpretation Conflict