CVE-2026-34148
Published: Apr 6, 2026
Modified: Apr 7, 2026
CVSS v3.1
7.5
Description
Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to 1.9.6, 1.10.5, 2.0.8, and 2.1.1, @fedify/fedify follows HTTP redirects recursively in its remote document loader and authenticated document loader without enforcing a maximum redirect count or visited-URL loop detection. An attacker who controls a remote ActivityPub key or actor URL can force a server using Fedify to make repeated outbound requests from a single inbound request, leading to resource consumption and denial of service. This vulnerability is fixed in 1.9.6, 1.10.5, 2.0.8, and 2.1.1.
| Vendor | Product | Versions |
|---|---|---|
| @fedify | fedify | affected < 1.9.6; affected >= 1.10.0, < 1.10.5; affected >= 2.0.0, < 2.0.8; affected >= 2.1.0, < 2.1.1 |
| @fedify | vocab-runtime | affected < 2.0.8; affected >= 2.1.0, < 2.1.1 |
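
The two checks the description names as missing, a maximum redirect count and visited-URL loop detection, shown as an added example; this is not Fedify's code or its actual patch. `RedirectGuard`, `loadDocument`, `fetchOnce`, the `Hop` shape and the cap of 20 are hypothetical names and values chosen for illustration.

```typescript
// Added example: bounded redirect following with loop detection.
// All names below are hypothetical; they are not part of Fedify's API.
const MAX_REDIRECTS = 20; // assumed cap, tune per deployment

// Compare URLs without fragments so "#a" / "#b" variants cannot dodge the loop check.
function normalize(u: URL): string {
  u.hash = "";
  return u.href;
}

class RedirectGuard {
  private readonly visited = new Set<string>();
  private readonly max: number;
  private hops = 0;

  constructor(start: string, max: number = MAX_REDIRECTS) {
    this.max = max;
    this.visited.add(normalize(new URL(start)));
  }

  // Resolve a Location value against the current URL, then enforce both limits.
  next(current: string, location: string): string {
    const target = normalize(new URL(location, current));
    if (++this.hops > this.max) {
      throw new Error(`Too many redirects (limit ${this.max})`);
    }
    if (this.visited.has(target)) {
      throw new Error(`Redirect loop detected at ${target}`);
    }
    this.visited.add(target);
    return target;
  }
}

type Hop = { status: number; location: string | null; body?: unknown };

// fetchOnce must NOT follow redirects itself (for example, fetch with redirect: "manual").
async function loadDocument(
  url: string,
  fetchOnce: (url: string) => Promise<Hop>,
  max: number = MAX_REDIRECTS,
): Promise<unknown> {
  const guard = new RedirectGuard(url, max);
  let current = normalize(new URL(url));
  for (;;) {
    const res = await fetchOnce(current);
    const isRedirect = res.status >= 300 && res.status < 400 && res.location !== null;
    if (!isRedirect) return res.body;
    current = guard.next(current, res.location as string); // throws on loop or cap
  }
}
```

Because the guard is created per inbound document load, one request can trigger at most `max + 1` outbound fetches regardless of what the remote server returns.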
CVSS v3.1 Details
CVSS v3.1 Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High