EUVD-2026-19295
GHSA-gm9m-gwc4-hwgp
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4Tags
Description
Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to 1.9.6, 1.10.5, 2.0.8, and 2.1.1, @fedify/fedify follows HTTP redirects recursively in its remote document loader and authenticated document loader without enforcing a maximum redirect count or visited-URL loop detection. An attacker who controls a remote ActivityPub key or actor URL can force a server using Fedify to make repeated outbound requests from a single inbound request, leading to resource consumption and denial of service. This vulnerability is fixed in 1.9.6, 1.10.5, 2.0.8, and 2.1.1.
Analysis
Unbounded HTTP redirect following in Fedify's ActivityPub document loaders enables resource exhaustion attacks. Remote unauthenticated attackers can trigger denial of service by controlling ActivityPub key or actor URLs that redirect indefinitely, forcing affected servers (Fedify versions before 1.9.6, 1.10.5, 2.0.8, and 2.1.1) to make repeated outbound requests from a single inbound request. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all systems running Fedify and document current versions in use. Within 7 days: Upgrade to patched versions (1.9.6, 1.10.5, 2.0.8, or 2.1.1 depending on your current major version branch). …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today