cvedb.io
CVE-2026-34148
HIGH · CVSS 7.5
EPSS exploitation probability: 0%
Published 2026-04-06T16:16:34.387 · Last modified 2026-06-17T10:38:34.750

Summary

Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to 1.9.6, 1.10.5, 2.0.8, and 2.1.1, @fedify/fedify follows HTTP redirects recursively in its remote document loader and authenticated document loader without enforcing a maximum redirect count or visited-URL loop detection. An attacker who controls a remote ActivityPub key or actor URL can force a server using Fedify to make repeated outbound requests from a single inbound request, leading to resource consumption and denial of service. This vulnerability is fixed in 1.9.6, 1.10.5, 2.0.8, and 2.1.1.
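The two controls the summary names as missing, a maximum redirect count and visited-URL loop detection, are sketched below as an added example. This is not Fedify's code or its patch; `RedirectGuard`, `loadDocument`, the `Fetcher` transport type and the limit of 5 are assumptions made for illustration.

```typescript
// Added illustration; not Fedify's code. All names and the limit are assumptions.
const MAX_REDIRECTS = 5;

// Canonical form used for loop detection: absolute URL without the fragment,
// since fragments are never sent to the server.
function canonical(url: string, base?: string): string {
  const u = new URL(url, base);
  u.hash = "";
  return u.href;
}

// Tracks the redirect chain triggered by ONE document load.
class RedirectGuard {
  readonly maxRedirects: number;
  readonly visited = new Set<string>();
  hops = 0;

  constructor(startUrl: string, maxRedirects: number = MAX_REDIRECTS) {
    this.maxRedirects = maxRedirects;
    this.visited.add(canonical(startUrl));
  }

  // Validate one hop; returns the absolute URL to request next, or throws.
  next(currentUrl: string, location: string): string {
    if (++this.hops > this.maxRedirects) {
      throw new Error(`too many redirects (limit ${this.maxRedirects})`);
    }
    const target = canonical(location, currentUrl);
    if (this.visited.has(target)) {
      throw new Error(`redirect loop detected at ${target}`);
    }
    this.visited.add(target);
    return target;
  }
}

// Hypothetical transport: a real one would call fetch() with redirect: "manual".
type Hop = { status: number; location?: string; body?: string };
type Fetcher = (url: string) => Promise<Hop>;

async function loadDocument(url: string, fetcher: Fetcher): Promise<string> {
  const guard = new RedirectGuard(url);
  let current = url;
  for (;;) {
    const res = await fetcher(current);
    const isRedirect = res.status >= 300 && res.status < 400 && res.location !== undefined;
    if (!isRedirect) return res.body ?? "";
    current = guard.next(current, res.location as string);
  }
}
```

Because the guard is created per load, the number of outbound requests a single inbound request can trigger is capped at `maxRedirects + 1`.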

Affected products

fedify — fedify/fedify


This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.