VYPR

npm package

@fedify/fedify

pkg:npm/%40fedify/fedify

Vulnerabilities (6)

  • CVE-2026-42462 Hig Jun 10, 2026
    affected >= 2.2.0, < 2.2.3; fixed 2.2.3

    Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to versions 1.9.11, 1.10.10, 2.0.18, 2.1.14, and 2.2.3, an attacker can make use of JSON-LD features to restructure a JSON-LD document that would change how Fedify interprets it withou

  • CVE-2026-34148 Hig Apr 6, 2026
    affected < 1.9.6; fixed 1.9.6

    Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to 1.9.6, 1.10.5, 2.0.8, and 2.1.1, @fedify/fedify follows HTTP redirects recursively in its remote document loader and authenticated document loader without enforcing a maximum redire

  • CVE-2025-68475 Dec 22, 2025
    affected < 1.6.13; fixed 1.6.13

    Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to versions 1.6.13, 1.7.14, 1.8.15, and 1.9.2, a Regular Expression Denial of Service (ReDoS) vulnerability exists in Fedify's document loader. The HTML parsing regex at packages/fedif

  • CVE-2025-54888 Hig Aug 9, 2025
    affected < 1.3.20; fixed 1.3.20

    Fedify is a TypeScript library for building federated server apps powered by ActivityPub. In versions below 1.3.20, 1.4.0-dev.585 through 1.4.12, 1.5.0-dev.636 through 1.5.4, 1.6.0-dev.754 through 1.6.7, 1.7.0-pr.251.885 through 1.7.8 and 1.8.0-dev.909 through 1.8.4, an authentic

  • CVE-2025-23221 Med Jan 20, 2025
    affected >= 1.0.13, < 1.0.14; fixed 1.0.14

    Fedify is a TypeScript library for building federated server apps powered by ActivityPub and other standards. This vulnerability allows a user to maneuver the WebFinger mechanism to perform a GET request to any internal resource on any Host, Port, URL combination regardless of pr

  • CVE-2024-39687 Hig Jul 5, 2024
    affected < 0.9.2; fixed 0.9.2

    Fedify is a TypeScript library for building federated server apps powered by ActivityPub and other standards. At present, when Fedify needs to retrieve an object or activity from a remote ActivityPub server, it makes an HTTP request to the `@id` or other resources present within t