VYPR
High severity 7.5 · NVD Advisory · Published Apr 6, 2026 · Updated Apr 25, 2026

CVE-2026-34148

Description

Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to 1.9.6, 1.10.5, 2.0.8, and 2.1.1, @fedify/fedify follows HTTP redirects recursively in its remote document loader and authenticated document loader without enforcing a maximum redirect count or visited-URL loop detection. An attacker who controls a remote ActivityPub key or actor URL can force a server using Fedify to make repeated outbound requests from a single inbound request, leading to resource consumption and denial of service. This vulnerability is fixed in 1.9.6, 1.10.5, 2.0.8, and 2.1.1.
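
The description names two missing controls: a maximum redirect count and visited-URL loop detection. The sketch below is an added example, not Fedify's code or its patch; `fetchBounded`, `Fetcher`, the budget of 5 and the constructed `fakeFetcher` remote are assumptions made here. It follows redirects manually and enforces both controls:

```typescript
// Added example; names are hypothetical, not Fedify's API or its actual patch.
type HopResponse = { status: number; headers: { get(name: string): string | null } };
// Structurally compatible with the global fetch(), injectable for offline testing.
type Fetcher = (url: string, init: { redirect: "manual" }) => Promise<HopResponse>;

const REDIRECT_STATUSES = [301, 302, 303, 307, 308];

async function fetchBounded(
  start: string,
  fetcher: Fetcher,
  maxRedirects = 5, // assumed budget
): Promise<{ finalUrl: string; response: HopResponse; hops: number }> {
  const visited = new Set<string>();
  let current = new URL(start).href;
  for (let hops = 0; ; hops++) {
    if (visited.has(current)) throw new Error(`redirect loop detected at ${current}`);
    visited.add(current);
    // "manual" stops the HTTP client from following hops on its own.
    const response = await fetcher(current, { redirect: "manual" });
    const location = response.headers.get("location");
    if (REDIRECT_STATUSES.indexOf(response.status) < 0 || location === null) {
      return { finalUrl: current, response, hops };
    }
    if (hops >= maxRedirects) {
      throw new Error(`more than ${maxRedirects} redirects from ${start}`);
    }
    // Location may be relative: resolve against the URL that issued it.
    const next = new URL(location, current);
    if (next.protocol !== "http:" && next.protocol !== "https:") {
      throw new Error(`refusing redirect to ${next.protocol} URL`);
    }
    next.hash = ""; // fragments are not sent to the server; ignore for loop detection
    current = next.href;
  }
}

// Constructed remote: /a <-> /b loop, /n/<i> -> /n/<i+1> endless chain, /old -> /actor.
const calls: string[] = [];
const fakeFetcher: Fetcher = async (url) => {
  calls.push(url);
  const path = new URL(url).pathname;
  const chain = /^\/n\/(\d+)$/.exec(path);
  const target = path === "/a" ? "/b" : path === "/b" ? "/a" : path === "/old" ? "/actor"
    : chain ? `/n/${Number(chain[1]) + 1}` : null;
  const get = (name: string) => (name === "location" ? target : null);
  return { status: target ? 302 : 200, headers: { get } };
};
```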

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| @fedify/fedify (npm) | < 1.9.6 | 1.9.6 |
| @fedify/vocab-runtime (npm) | < 2.0.8 | 2.0.8 |
| @fedify/vocab-runtime (npm) | >= 2.1.0, < 2.1.1 | 2.1.1 |
| @fedify/fedify (npm) | >= 1.10.0, < 1.10.5 | 1.10.5 |
| @fedify/fedify (npm) | >= 2.0.0, < 2.0.8 | 2.0.8 |
| @fedify/fedify (npm) | >= 2.1.0, < 2.1.1 | 2.1.1 |
