CVE-2026-34148
Description
Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to 1.9.6, 1.10.5, 2.0.8, and 2.1.1, @fedify/fedify follows HTTP redirects recursively in its remote document loader and authenticated document loader without enforcing a maximum redirect count or visited-URL loop detection. An attacker who controls a remote ActivityPub key or actor URL can force a server using Fedify to make repeated outbound requests from a single inbound request, leading to resource consumption and denial of service. This vulnerability is fixed in 1.9.6, 1.10.5, 2.0.8, and 2.1.1.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
@fedify/fedifynpm | < 1.9.6 | 1.9.6 |
@fedify/vocab-runtimenpm | < 2.0.8 | 2.0.8 |
@fedify/vocab-runtimenpm | >= 2.1.0, < 2.1.1 | 2.1.1 |
@fedify/fedifynpm | >= 1.10.0, < 1.10.5 | 1.10.5 |
@fedify/fedifynpm | >= 2.0.0, < 2.0.8 | 2.0.8 |
@fedify/fedifynpm | >= 2.1.0, < 2.1.1 | 2.1.1 |
Affected products
2- cpe:2.3:a:fedify:fedify\/vocab-runtime:*:*:*:*:*:node.js:*:*Range: <2.0.8
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
7- github.com/fedify-dev/fedify/security/advisories/GHSA-gm9m-gwc4-hwgpnvdExploitVendor AdvisoryWEB
- github.com/advisories/GHSA-gm9m-gwc4-hwgpghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-34148ghsaADVISORY
- github.com/fedify-dev/fedify/releases/tag/1.10.5nvdRelease NotesWEB
- github.com/fedify-dev/fedify/releases/tag/1.9.6nvdRelease NotesWEB
- github.com/fedify-dev/fedify/releases/tag/2.0.8nvdRelease NotesWEB
- github.com/fedify-dev/fedify/releases/tag/2.1.1nvdRelease NotesWEB
News mentions
0No linked articles in our index yet.