Search
Find a vulnerability
Search criteria
6 vulnerabilities by fedify
CVE-2026-34148 (GCVE-0-2026-34148)
Vulnerability from nvd – Published: 2026-04-06 15:06 – Updated: 2026-04-07 14:25
VLAI
Title
Fedify affected by resource exhaustion caused by unbounded redirect following during remote key/document resolution
Summary
Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to 1.9.6, 1.10.5, 2.0.8, and 2.1.1, @fedify/fedify follows HTTP redirects recursively in its remote document loader and authenticated document loader without enforcing a maximum redirect count or visited-URL loop detection. An attacker who controls a remote ActivityPub key or actor URL can force a server using Fedify to make repeated outbound requests from a single inbound request, leading to resource consumption and denial of service. This vulnerability is fixed in 1.9.6, 1.10.5, 2.0.8, and 2.1.1.
Severity
7.5 (High)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/fedify-dev/fedify/security/adv… | x_refsource_CONFIRM |
| https://github.com/fedify-dev/fedify/releases/tag… | x_refsource_MISC |
| https://github.com/fedify-dev/fedify/releases/tag/1.9.6 | x_refsource_MISC |
| https://github.com/fedify-dev/fedify/releases/tag/2.0.8 | x_refsource_MISC |
| https://github.com/fedify-dev/fedify/releases/tag/2.1.1 | x_refsource_MISC |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| @fedify | fedify |
Affected:
< 1.9.6
Affected: >= 1.10.0, < 1.10.5 Affected: >= 2.0.0, < 2.0.8 Affected: >= 2.1.0, < 2.1.1 |
|
| @fedify | vocab-runtime |
Affected:
< 2.0.8
Affected: >= 2.1.0, < 2.1.1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34148",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-06T15:35:17.193226Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-06T15:35:21.840Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/fedify-dev/fedify/security/advisories/GHSA-gm9m-gwc4-hwgp"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "fedify",
"vendor": "@fedify",
"versions": [
{
"status": "affected",
"version": "\u003c 1.9.6"
},
{
"status": "affected",
"version": "\u003e= 1.10.0, \u003c 1.10.5"
},
{
"status": "affected",
"version": "\u003e= 2.0.0, \u003c 2.0.8"
},
{
"status": "affected",
"version": "\u003e= 2.1.0, \u003c 2.1.1"
}
]
},
{
"product": "vocab-runtime",
"vendor": "@fedify",
"versions": [
{
"status": "affected",
"version": "\u003c 2.0.8"
},
{
"status": "affected",
"version": "\u003e= 2.1.0, \u003c 2.1.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to 1.9.6, 1.10.5, 2.0.8, and 2.1.1, @fedify/fedify follows HTTP redirects recursively in its remote document loader and authenticated document loader without enforcing a maximum redirect count or visited-URL loop detection. An attacker who controls a remote ActivityPub key or actor URL can force a server using Fedify to make repeated outbound requests from a single inbound request, leading to resource consumption and denial of service. This vulnerability is fixed in 1.9.6, 1.10.5, 2.0.8, and 2.1.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T14:25:51.368Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/fedify-dev/fedify/security/advisories/GHSA-gm9m-gwc4-hwgp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/fedify-dev/fedify/security/advisories/GHSA-gm9m-gwc4-hwgp"
},
{
"name": "https://github.com/fedify-dev/fedify/releases/tag/1.10.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fedify-dev/fedify/releases/tag/1.10.5"
},
{
"name": "https://github.com/fedify-dev/fedify/releases/tag/1.9.6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fedify-dev/fedify/releases/tag/1.9.6"
},
{
"name": "https://github.com/fedify-dev/fedify/releases/tag/2.0.8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fedify-dev/fedify/releases/tag/2.0.8"
},
{
"name": "https://github.com/fedify-dev/fedify/releases/tag/2.1.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fedify-dev/fedify/releases/tag/2.1.1"
}
],
"source": {
"advisory": "GHSA-gm9m-gwc4-hwgp",
"discovery": "UNKNOWN"
},
"title": "Fedify affected by resource exhaustion caused by unbounded redirect following during remote key/document resolution"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34148",
"datePublished": "2026-04-06T15:06:53.197Z",
"dateReserved": "2026-03-25T20:12:04.195Z",
"dateUpdated": "2026-04-07T14:25:51.368Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25808 (GCVE-0-2026-25808)
Vulnerability from nvd – Published: 2026-02-09 21:50 – Updated: 2026-02-10 21:23
VLAI
Title
Hollo DMs get leaked and can be seen on Webfinger Browser
Summary
Hollo is a federated single-user microblogging software designed to be federated through ActivityPub. Prior to 0.6.20 and 0.7.2, there is a security vulnerability where DMs and followers-only posts were exposed through the ActivityPub outbox endpoint without authorization. This vulnerability is fixed in 0.6.20 and 0.7.2.
Severity
7.5 (High)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/fedify-dev/hollo/security/advi… | x_refsource_CONFIRM |
| https://github.com/fedify-dev/hollo/commit/329969… | x_refsource_MISC |
| https://github.com/fedify-dev/hollo/releases/tag/0.6.20 | x_refsource_MISC |
| https://github.com/fedify-dev/hollo/releases/tag/0.7.2 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| fedify-dev | hollo |
Affected:
< 0.6.20, 0.7.2
Affected: >= 7.0.0, < 0.7.2 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25808",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-10T21:23:28.921772Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-10T21:23:34.888Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "hollo",
"vendor": "fedify-dev",
"versions": [
{
"status": "affected",
"version": "\u003c 0.6.20, 0.7.2"
},
{
"status": "affected",
"version": "\u003e= 7.0.0, \u003c 0.7.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Hollo is a federated single-user microblogging software designed to be federated through ActivityPub. Prior to 0.6.20 and 0.7.2, there is a security vulnerability where DMs and followers-only posts were exposed through the ActivityPub outbox endpoint without authorization. This vulnerability is fixed in 0.6.20 and 0.7.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T21:50:10.579Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/fedify-dev/hollo/security/advisories/GHSA-6r2w-3pcj-v4v5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/fedify-dev/hollo/security/advisories/GHSA-6r2w-3pcj-v4v5"
},
{
"name": "https://github.com/fedify-dev/hollo/commit/329969c502ef092d5c3f9c2c20421c34f4ff0f0e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fedify-dev/hollo/commit/329969c502ef092d5c3f9c2c20421c34f4ff0f0e"
},
{
"name": "https://github.com/fedify-dev/hollo/releases/tag/0.6.20",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fedify-dev/hollo/releases/tag/0.6.20"
},
{
"name": "https://github.com/fedify-dev/hollo/releases/tag/0.7.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fedify-dev/hollo/releases/tag/0.7.2"
}
],
"source": {
"advisory": "GHSA-6r2w-3pcj-v4v5",
"discovery": "UNKNOWN"
},
"title": "Hollo DMs get leaked and can be seen on Webfinger Browser"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25808",
"datePublished": "2026-02-09T21:50:10.579Z",
"dateReserved": "2026-02-05T19:58:01.642Z",
"dateUpdated": "2026-02-10T21:23:34.888Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68475 (GCVE-0-2025-68475)
Vulnerability from nvd – Published: 2025-12-22 21:31 – Updated: 2025-12-22 21:54
VLAI
Title
Fedify has ReDoS Vulnerability in HTML Parsing Regex
Summary
Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to versions 1.6.13, 1.7.14, 1.8.15, and 1.9.2, a Regular Expression Denial of Service (ReDoS) vulnerability exists in Fedify's document loader. The HTML parsing regex at packages/fedify/src/runtime/docloader.ts:259 contains nested quantifiers that cause catastrophic backtracking when processing maliciously crafted HTML responses. This issue has been patched in versions 1.6.13, 1.7.14, 1.8.15, and 1.9.2.
Severity
7.5 (High)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-1333 - Inefficient Regular Expression Complexity
Assigner
References
7 references
| URL | Tags |
|---|---|
| https://github.com/fedify-dev/fedify/security/adv… | x_refsource_CONFIRM |
| https://github.com/fedify-dev/fedify/commit/2bdcb… | x_refsource_MISC |
| https://github.com/fedify-dev/fedify/commit/bf2f0… | x_refsource_MISC |
| https://github.com/fedify-dev/fedify/releases/tag… | x_refsource_MISC |
| https://github.com/fedify-dev/fedify/releases/tag… | x_refsource_MISC |
| https://github.com/fedify-dev/fedify/releases/tag… | x_refsource_MISC |
| https://github.com/fedify-dev/fedify/releases/tag/1.9.2 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| fedify-dev | fedify |
Affected:
< 1.6.13
Affected: >= 1.7.0, < 1.7.14 Affected: >= 1.8.0, < 1.8.15 Affected: >= 1.9.0, < 1.9.2 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68475",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-22T21:54:29.525857Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-22T21:54:45.635Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "fedify",
"vendor": "fedify-dev",
"versions": [
{
"status": "affected",
"version": "\u003c 1.6.13"
},
{
"status": "affected",
"version": "\u003e= 1.7.0, \u003c 1.7.14"
},
{
"status": "affected",
"version": "\u003e= 1.8.0, \u003c 1.8.15"
},
{
"status": "affected",
"version": "\u003e= 1.9.0, \u003c 1.9.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to versions 1.6.13, 1.7.14, 1.8.15, and 1.9.2, a Regular Expression Denial of Service (ReDoS) vulnerability exists in Fedify\u0027s document loader. The HTML parsing regex at packages/fedify/src/runtime/docloader.ts:259 contains nested quantifiers that cause catastrophic backtracking when processing maliciously crafted HTML responses. This issue has been patched in versions 1.6.13, 1.7.14, 1.8.15, and 1.9.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333: Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-22T21:31:20.314Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/fedify-dev/fedify/security/advisories/GHSA-rchf-xwx2-hm93",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/fedify-dev/fedify/security/advisories/GHSA-rchf-xwx2-hm93"
},
{
"name": "https://github.com/fedify-dev/fedify/commit/2bdcb24d7d6d5886e0214ed504b63a6dc5488779",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fedify-dev/fedify/commit/2bdcb24d7d6d5886e0214ed504b63a6dc5488779"
},
{
"name": "https://github.com/fedify-dev/fedify/commit/bf2f0783634efed2663d1b187dc55461ee1f987a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fedify-dev/fedify/commit/bf2f0783634efed2663d1b187dc55461ee1f987a"
},
{
"name": "https://github.com/fedify-dev/fedify/releases/tag/1.6.13",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fedify-dev/fedify/releases/tag/1.6.13"
},
{
"name": "https://github.com/fedify-dev/fedify/releases/tag/1.7.14",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fedify-dev/fedify/releases/tag/1.7.14"
},
{
"name": "https://github.com/fedify-dev/fedify/releases/tag/1.8.15",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fedify-dev/fedify/releases/tag/1.8.15"
},
{
"name": "https://github.com/fedify-dev/fedify/releases/tag/1.9.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fedify-dev/fedify/releases/tag/1.9.2"
}
],
"source": {
"advisory": "GHSA-rchf-xwx2-hm93",
"discovery": "UNKNOWN"
},
"title": "Fedify has ReDoS Vulnerability in HTML Parsing Regex"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-68475",
"datePublished": "2025-12-22T21:31:20.314Z",
"dateReserved": "2025-12-18T13:52:15.491Z",
"dateUpdated": "2025-12-22T21:54:45.635Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34148 (GCVE-0-2026-34148)
Vulnerability from cvelistv5 – Published: 2026-04-06 15:06 – Updated: 2026-04-07 14:25
VLAI
Title
Fedify affected by resource exhaustion caused by unbounded redirect following during remote key/document resolution
Summary
Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to 1.9.6, 1.10.5, 2.0.8, and 2.1.1, @fedify/fedify follows HTTP redirects recursively in its remote document loader and authenticated document loader without enforcing a maximum redirect count or visited-URL loop detection. An attacker who controls a remote ActivityPub key or actor URL can force a server using Fedify to make repeated outbound requests from a single inbound request, leading to resource consumption and denial of service. This vulnerability is fixed in 1.9.6, 1.10.5, 2.0.8, and 2.1.1.
Severity
7.5 (High)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/fedify-dev/fedify/security/adv… | x_refsource_CONFIRM |
| https://github.com/fedify-dev/fedify/releases/tag… | x_refsource_MISC |
| https://github.com/fedify-dev/fedify/releases/tag/1.9.6 | x_refsource_MISC |
| https://github.com/fedify-dev/fedify/releases/tag/2.0.8 | x_refsource_MISC |
| https://github.com/fedify-dev/fedify/releases/tag/2.1.1 | x_refsource_MISC |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| @fedify | fedify |
Affected:
< 1.9.6
Affected: >= 1.10.0, < 1.10.5 Affected: >= 2.0.0, < 2.0.8 Affected: >= 2.1.0, < 2.1.1 |
|
| @fedify | vocab-runtime |
Affected:
< 2.0.8
Affected: >= 2.1.0, < 2.1.1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34148",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-06T15:35:17.193226Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-06T15:35:21.840Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/fedify-dev/fedify/security/advisories/GHSA-gm9m-gwc4-hwgp"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "fedify",
"vendor": "@fedify",
"versions": [
{
"status": "affected",
"version": "\u003c 1.9.6"
},
{
"status": "affected",
"version": "\u003e= 1.10.0, \u003c 1.10.5"
},
{
"status": "affected",
"version": "\u003e= 2.0.0, \u003c 2.0.8"
},
{
"status": "affected",
"version": "\u003e= 2.1.0, \u003c 2.1.1"
}
]
},
{
"product": "vocab-runtime",
"vendor": "@fedify",
"versions": [
{
"status": "affected",
"version": "\u003c 2.0.8"
},
{
"status": "affected",
"version": "\u003e= 2.1.0, \u003c 2.1.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to 1.9.6, 1.10.5, 2.0.8, and 2.1.1, @fedify/fedify follows HTTP redirects recursively in its remote document loader and authenticated document loader without enforcing a maximum redirect count or visited-URL loop detection. An attacker who controls a remote ActivityPub key or actor URL can force a server using Fedify to make repeated outbound requests from a single inbound request, leading to resource consumption and denial of service. This vulnerability is fixed in 1.9.6, 1.10.5, 2.0.8, and 2.1.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T14:25:51.368Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/fedify-dev/fedify/security/advisories/GHSA-gm9m-gwc4-hwgp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/fedify-dev/fedify/security/advisories/GHSA-gm9m-gwc4-hwgp"
},
{
"name": "https://github.com/fedify-dev/fedify/releases/tag/1.10.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fedify-dev/fedify/releases/tag/1.10.5"
},
{
"name": "https://github.com/fedify-dev/fedify/releases/tag/1.9.6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fedify-dev/fedify/releases/tag/1.9.6"
},
{
"name": "https://github.com/fedify-dev/fedify/releases/tag/2.0.8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fedify-dev/fedify/releases/tag/2.0.8"
},
{
"name": "https://github.com/fedify-dev/fedify/releases/tag/2.1.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fedify-dev/fedify/releases/tag/2.1.1"
}
],
"source": {
"advisory": "GHSA-gm9m-gwc4-hwgp",
"discovery": "UNKNOWN"
},
"title": "Fedify affected by resource exhaustion caused by unbounded redirect following during remote key/document resolution"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34148",
"datePublished": "2026-04-06T15:06:53.197Z",
"dateReserved": "2026-03-25T20:12:04.195Z",
"dateUpdated": "2026-04-07T14:25:51.368Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25808 (GCVE-0-2026-25808)
Vulnerability from cvelistv5 – Published: 2026-02-09 21:50 – Updated: 2026-02-10 21:23
VLAI
Title
Hollo DMs get leaked and can be seen on Webfinger Browser
Summary
Hollo is a federated single-user microblogging software designed to be federated through ActivityPub. Prior to 0.6.20 and 0.7.2, there is a security vulnerability where DMs and followers-only posts were exposed through the ActivityPub outbox endpoint without authorization. This vulnerability is fixed in 0.6.20 and 0.7.2.
Severity
7.5 (High)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/fedify-dev/hollo/security/advi… | x_refsource_CONFIRM |
| https://github.com/fedify-dev/hollo/commit/329969… | x_refsource_MISC |
| https://github.com/fedify-dev/hollo/releases/tag/0.6.20 | x_refsource_MISC |
| https://github.com/fedify-dev/hollo/releases/tag/0.7.2 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| fedify-dev | hollo |
Affected:
< 0.6.20, 0.7.2
Affected: >= 7.0.0, < 0.7.2 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25808",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-10T21:23:28.921772Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-10T21:23:34.888Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "hollo",
"vendor": "fedify-dev",
"versions": [
{
"status": "affected",
"version": "\u003c 0.6.20, 0.7.2"
},
{
"status": "affected",
"version": "\u003e= 7.0.0, \u003c 0.7.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Hollo is a federated single-user microblogging software designed to be federated through ActivityPub. Prior to 0.6.20 and 0.7.2, there is a security vulnerability where DMs and followers-only posts were exposed through the ActivityPub outbox endpoint without authorization. This vulnerability is fixed in 0.6.20 and 0.7.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T21:50:10.579Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/fedify-dev/hollo/security/advisories/GHSA-6r2w-3pcj-v4v5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/fedify-dev/hollo/security/advisories/GHSA-6r2w-3pcj-v4v5"
},
{
"name": "https://github.com/fedify-dev/hollo/commit/329969c502ef092d5c3f9c2c20421c34f4ff0f0e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fedify-dev/hollo/commit/329969c502ef092d5c3f9c2c20421c34f4ff0f0e"
},
{
"name": "https://github.com/fedify-dev/hollo/releases/tag/0.6.20",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fedify-dev/hollo/releases/tag/0.6.20"
},
{
"name": "https://github.com/fedify-dev/hollo/releases/tag/0.7.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fedify-dev/hollo/releases/tag/0.7.2"
}
],
"source": {
"advisory": "GHSA-6r2w-3pcj-v4v5",
"discovery": "UNKNOWN"
},
"title": "Hollo DMs get leaked and can be seen on Webfinger Browser"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25808",
"datePublished": "2026-02-09T21:50:10.579Z",
"dateReserved": "2026-02-05T19:58:01.642Z",
"dateUpdated": "2026-02-10T21:23:34.888Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68475 (GCVE-0-2025-68475)
Vulnerability from cvelistv5 – Published: 2025-12-22 21:31 – Updated: 2025-12-22 21:54
VLAI
Title
Fedify has ReDoS Vulnerability in HTML Parsing Regex
Summary
Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to versions 1.6.13, 1.7.14, 1.8.15, and 1.9.2, a Regular Expression Denial of Service (ReDoS) vulnerability exists in Fedify's document loader. The HTML parsing regex at packages/fedify/src/runtime/docloader.ts:259 contains nested quantifiers that cause catastrophic backtracking when processing maliciously crafted HTML responses. This issue has been patched in versions 1.6.13, 1.7.14, 1.8.15, and 1.9.2.
Severity
7.5 (High)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-1333 - Inefficient Regular Expression Complexity
Assigner
References
7 references
| URL | Tags |
|---|---|
| https://github.com/fedify-dev/fedify/security/adv… | x_refsource_CONFIRM |
| https://github.com/fedify-dev/fedify/commit/2bdcb… | x_refsource_MISC |
| https://github.com/fedify-dev/fedify/commit/bf2f0… | x_refsource_MISC |
| https://github.com/fedify-dev/fedify/releases/tag… | x_refsource_MISC |
| https://github.com/fedify-dev/fedify/releases/tag… | x_refsource_MISC |
| https://github.com/fedify-dev/fedify/releases/tag… | x_refsource_MISC |
| https://github.com/fedify-dev/fedify/releases/tag/1.9.2 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| fedify-dev | fedify |
Affected:
< 1.6.13
Affected: >= 1.7.0, < 1.7.14 Affected: >= 1.8.0, < 1.8.15 Affected: >= 1.9.0, < 1.9.2 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68475",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-22T21:54:29.525857Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-22T21:54:45.635Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "fedify",
"vendor": "fedify-dev",
"versions": [
{
"status": "affected",
"version": "\u003c 1.6.13"
},
{
"status": "affected",
"version": "\u003e= 1.7.0, \u003c 1.7.14"
},
{
"status": "affected",
"version": "\u003e= 1.8.0, \u003c 1.8.15"
},
{
"status": "affected",
"version": "\u003e= 1.9.0, \u003c 1.9.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to versions 1.6.13, 1.7.14, 1.8.15, and 1.9.2, a Regular Expression Denial of Service (ReDoS) vulnerability exists in Fedify\u0027s document loader. The HTML parsing regex at packages/fedify/src/runtime/docloader.ts:259 contains nested quantifiers that cause catastrophic backtracking when processing maliciously crafted HTML responses. This issue has been patched in versions 1.6.13, 1.7.14, 1.8.15, and 1.9.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333: Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-22T21:31:20.314Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/fedify-dev/fedify/security/advisories/GHSA-rchf-xwx2-hm93",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/fedify-dev/fedify/security/advisories/GHSA-rchf-xwx2-hm93"
},
{
"name": "https://github.com/fedify-dev/fedify/commit/2bdcb24d7d6d5886e0214ed504b63a6dc5488779",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fedify-dev/fedify/commit/2bdcb24d7d6d5886e0214ed504b63a6dc5488779"
},
{
"name": "https://github.com/fedify-dev/fedify/commit/bf2f0783634efed2663d1b187dc55461ee1f987a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fedify-dev/fedify/commit/bf2f0783634efed2663d1b187dc55461ee1f987a"
},
{
"name": "https://github.com/fedify-dev/fedify/releases/tag/1.6.13",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fedify-dev/fedify/releases/tag/1.6.13"
},
{
"name": "https://github.com/fedify-dev/fedify/releases/tag/1.7.14",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fedify-dev/fedify/releases/tag/1.7.14"
},
{
"name": "https://github.com/fedify-dev/fedify/releases/tag/1.8.15",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fedify-dev/fedify/releases/tag/1.8.15"
},
{
"name": "https://github.com/fedify-dev/fedify/releases/tag/1.9.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fedify-dev/fedify/releases/tag/1.9.2"
}
],
"source": {
"advisory": "GHSA-rchf-xwx2-hm93",
"discovery": "UNKNOWN"
},
"title": "Fedify has ReDoS Vulnerability in HTML Parsing Regex"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-68475",
"datePublished": "2025-12-22T21:31:20.314Z",
"dateReserved": "2025-12-18T13:52:15.491Z",
"dateUpdated": "2025-12-22T21:54:45.635Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}