CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Description (NVD)
Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to versions 1.6.13, 1.7.14, 1.8.15, and 1.9.2, a Regular Expression Denial of Service (ReDoS) vulnerability exists in Fedify's document loader. The HTML parsing regex at packages/fedify/src/runtime/docloader.ts:259 contains nested quantifiers that cause catastrophic backtracking when processing maliciously crafted HTML responses. This issue has been patched in versions 1.6.13, 1.7.14, 1.8.15, and 1.9.2.
Analysis (AI)
A Regular Expression Denial of Service (ReDoS) vulnerability exists in Fedify, a TypeScript library for building ActivityPub federated servers, where maliciously crafted HTML responses can cause catastrophic backtracking in the document loader's HTML parsing regex. The vulnerability affects versions prior to 1.6.13, 1.7.14, 1.8.15, and 1.9.2, allowing remote attackers to cause denial of service without authentication. A public proof-of-concept exploit is available, though the EPSS score of 0.13% indicates relatively low exploitation likelihood in the wild.
Technical Context (AI)
Fedify is a TypeScript library that enables developers to build federated server applications using the ActivityPub protocol, which powers decentralized social networks like Mastodon. The vulnerability stems from CWE-1333 (Inefficient Regular Expression Complexity) in the document loader component at packages/fedify/src/runtime/docloader.ts:259, where nested quantifiers in a regex pattern used for HTML parsing make matching time grow exponentially (catastrophic backtracking) on specially crafted input. The affected product is identified by the CPE cpe:2.3:a:fedify:fedify:*:*:*:*:*:*:*:* across all vulnerable version ranges; the exposure is in applications that use Fedify's document loader to process HTML fetched from external servers.
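The advisory does not reproduce the regex from docloader.ts, so the pattern it describes cannot be shown here. What a maintainer can do is lint their own patterns for the shape the advisory names: a group that contains an unbounded quantifier (`*`, `+`, `{n,}`) and is itself repeated by an unbounded quantifier. The following is an added example, not Fedify's code; the two patterns at the bottom are constructed for the demonstration. The lint is a heuristic: it over-reports (nesting only backtracks catastrophically when the repeated parts can match the same text) and does not catch overlapping alternations, so each finding still needs a human look.

```typescript
// Added example (not Fedify's own code): static lint for nested unbounded
// quantifiers in a regex source string. Heuristic only; see the lead-in.

interface Finding { index: number; group: string }

interface Quantifier { len: number; unbounded: boolean }

// Reads a quantifier starting at src[i], if there is one.
function readQuantifier(src: string, i: number): Quantifier | null {
  const c = src[i];
  if (c === "*" || c === "+") return { len: 1, unbounded: true };
  if (c === "?") return { len: 1, unbounded: false };
  if (c === "{") {
    const m = /^\{(\d+)(,(\d*))?\}/.exec(src.slice(i)); // {n}, {n,}, {n,m}
    if (!m) return null;                                // a literal "{"
    return { len: m[0].length, unbounded: m[2] !== undefined && m[3] === "" };
  }
  return null;
}

// Returns the index just past a character class that starts at src[i].
function skipClass(src: string, i: number): number {
  i++;                                   // past "["
  if (src[i] === "^") i++;
  if (src[i] === "]") i++;               // a leading "]" is a literal
  while (i < src.length && src[i] !== "]") i += src[i] === "\\" ? 2 : 1;
  return i + 1;                          // past "]"
}

// Flags every group that contains an unbounded quantifier and is itself
// repeated by an unbounded quantifier, e.g. (a+)+ or ((x+)y)*.
function findNestedQuantifiers(source: string): Finding[] {
  const findings: Finding[] = [];
  const stack: { start: number; hasUnbounded: boolean }[] = [];
  let i = 0;
  while (i < source.length) {
    const c = source[i];
    if (c === "(") {
      const start = i++;
      if (source[i] === "?") {           // (?:  (?=  (?!  (?<=  (?<!  (?<name>
        i++;
        if (source[i] === "<" && (source[i + 1] === "=" || source[i + 1] === "!")) i += 2;
        else if (source[i] === "<") { while (i < source.length && source[i] !== ">") i++; i++; }
        else i++;
      }
      stack.push({ start, hasUnbounded: false });
      continue;
    }
    if (c === ")") {
      const frame = stack.pop();
      i++;
      const q = readQuantifier(source, i);
      if (q) i += q.len;
      if (!frame) continue;              // unbalanced ")": nothing to report
      const quantified = q !== null && q.unbounded;
      if (quantified && frame.hasUnbounded) {
        findings.push({ index: frame.start, group: source.slice(frame.start, i) });
      }
      // Propagate so that deeper nesting is seen by the enclosing group.
      const parent = stack[stack.length - 1];
      if (parent && (quantified || frame.hasUnbounded)) parent.hasUnbounded = true;
      continue;
    }
    // Any other atom: an escape, a character class, or a single character.
    if (c === "\\") i += 2;
    else if (c === "[") i = skipClass(source, i);
    else i++;
    const q = readQuantifier(source, i);
    if (q) {
      i += q.len;
      if (q.unbounded && stack.length > 0) stack[stack.length - 1].hasUnbounded = true;
    }
  }
  return findings;
}

function lintRegExp(re: RegExp): string[] {
  return findNestedQuantifiers(re.source).map(
    (f) => `nested unbounded quantifier at offset ${f.index}: ${f.group}`,
  );
}

// Constructed patterns for the demonstration; neither is Fedify's regex.
const RISKY = /<(\s*\w+)+>/;                           // repeated group with repeats inside
const SAFE = /<link\s[^>]*rel="alternate"[^>]*>/i;     // no nested repetition
console.log(lintRegExp(RISKY)); // ["nested unbounded quantifier at offset 1: (\\s*\\w+)+"]
console.log(lintRegExp(SAFE));  // []
```

Running `lintRegExp` over a project's regex literals in a unit test turns the advisory's CWE-1333 class into a regression check: a new nested-quantifier pattern fails the build and is reviewed before it ever sees remote input.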
Remediation (AI)
Upgrade Fedify to the patched version for your current branch: 1.6.13 for 1.6.x, 1.7.14 for 1.7.x, 1.8.15 for 1.8.x, or 1.9.2 for 1.9.x; the releases are published at https://github.com/fedify-dev/fedify/releases/. The fix is implemented in commits 2bdcb24d7d6d5886e0214ed504b63a6dc5488779 and bf2f0783634efed2663d1b187dc55461ee1f987a, which address the regex complexity issue. As a temporary mitigation before patching, consider request timeouts and rate limiting on endpoints that process external HTML content through Fedify's document loader; upgrading remains the recommended solution.
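The first question an operator has is whether the installed release is inside one of the four affected ranges. The following is an added example, not Fedify's code, that encodes the patched versions listed above and reads the installed version out of a package-lock.json. It assumes the npm package name is `@fedify/fedify` and the lockfile layout is npm's lockfileVersion 3 (a `packages` map keyed by `node_modules/...` path); the sample lockfile is constructed. It also reads the advisory's "prior to versions 1.6.13, 1.7.14, 1.8.15, and 1.9.2" as: a version on a listed branch is affected below that branch's patch, anything older than 1.6.13 is affected (no older patched release is listed, so 1.6.13 is suggested), and branches newer than 1.9 postdate the fix.

```typescript
// Added example (not Fedify's own code): map an installed Fedify version to
// the advisory's patched releases. Package name and lockfile layout are
// assumptions of this example; see the lead-in.

interface SemVer { major: number; minor: number; patch: number; pre: string | null }

function parseSemVer(v: string): SemVer {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`not a semver string: ${v}`);
  return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]), pre: m[4] ?? null };
}

// Comparator: negative when a < b. A prerelease sorts below its release, so
// 1.9.2-dev.1 counts as older (still unpatched) than 1.9.2. Prerelease tags
// are compared as plain strings, which is enough for this check.
function compareSemVer(a: SemVer, b: SemVer): number {
  if (a.major !== b.major) return a.major - b.major;
  if (a.minor !== b.minor) return a.minor - b.minor;
  if (a.patch !== b.patch) return a.patch - b.patch;
  if (a.pre === b.pre) return 0;
  if (a.pre === null) return 1;
  if (b.pre === null) return -1;
  return a.pre < b.pre ? -1 : 1;
}

// First patched release of each branch, as listed in the advisory.
const PATCHED: Record<string, string> = {
  "1.6": "1.6.13",
  "1.7": "1.7.14",
  "1.8": "1.8.15",
  "1.9": "1.9.2",
};

// Returns the release to upgrade to, or null when the version is not affected.
function recommendedFix(version: string): string | null {
  const v = parseSemVer(version);
  const fixed = PATCHED[`${v.major}.${v.minor}`];
  if (fixed !== undefined) return compareSemVer(v, parseSemVer(fixed)) < 0 ? fixed : null;
  // Unlisted branch: older than 1.6.13 is affected (assumption: move to the
  // lowest patched release); 1.10 and later were cut after the fix.
  return compareSemVer(v, parseSemVer(PATCHED["1.6"])) < 0 ? PATCHED["1.6"] : null;
}

function isVulnerable(version: string): boolean {
  return recommendedFix(version) !== null;
}

interface AuditResult { installed: string | null; vulnerable: boolean; fix: string | null }

// Looks the package up in an npm lockfileVersion 3 document (assumed layout).
function auditLockfile(lockJson: string, pkg = "@fedify/fedify"): AuditResult {
  const lock = JSON.parse(lockJson) as { packages?: Record<string, { version?: string }> };
  const entry = lock.packages?.[`node_modules/${pkg}`];
  if (!entry?.version) return { installed: null, vulnerable: false, fix: null };
  const fix = recommendedFix(entry.version);
  return { installed: entry.version, vulnerable: fix !== null, fix };
}

// Constructed lockfile for the demonstration.
const SAMPLE_LOCK = JSON.stringify({
  name: "my-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "@fedify/fedify": "^1.8.0" } },
    "node_modules/@fedify/fedify": { version: "1.8.10" },
  },
});

console.log(auditLockfile(SAMPLE_LOCK)); // { installed: "1.8.10", vulnerable: true, fix: "1.8.15" }
```

Feed it the real lockfile (`auditLockfile(fs.readFileSync("package-lock.json", "utf8"))`) and the `fix` field is the version to pin; for Deno or JSR installs, pass the version string from the lockfile you use to `recommendedFix` directly.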
External POC / Exploit Code
GHSA-rchf-xwx2-hm93