CVE-2026-34148

HIGH SEVERITY

CVSS Score & Metrics

Base Score

7.5 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H                                    

Vulnerability Description

Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to 1.9.6, 1.10.5, 2.0.8, and 2.1.1, @fedify/fedify follows HTTP redirects recursively in its remote document loader and authenticated document loader without enforcing a maximum redirect count or visited-URL loop detection. An attacker who controls a remote ActivityPub key or actor URL can force a server using Fedify to make repeated outbound requests from a single inbound request, leading to resource consumption and denial of service. This vulnerability is fixed in 1.9.6, 1.10.5, 2.0.8, and 2.1.1.

Vulnerability Details

Published Date

April 06, 2026

Last Modified

April 07, 2026

CWE ID

CWE-400

Source

NVD

Vendor

@fedify

Product

fedify, vocab-runtime

External References

https://github.com/fedify-dev/fedify/security/advisories/GHSA-gm9m-gwc4-hwgp
https://github.com/fedify-dev/fedify/security/advisories/GHSA-gm9m-gwc4-hwgp

CVE-2026-34148

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment