Platform: nodejs
Component: @fedify/fedify
Fixed in: 1.9.6, 1.9.7, 1.10.1, 2.0.1, 2.0.9, 2.1.1
CVE-2026-34148 is a denial-of-service (DoS) vulnerability affecting the @fedify/fedify Node.js package. The vulnerability arises because the package follows HTTP redirects recursively while loading remote documents, without detecting redirect loops. An attacker can exploit this to trigger excessive outbound requests, potentially overwhelming the server and causing a DoS.
This vulnerability allows an attacker who controls a remote ActivityPub key or actor URL to induce a denial-of-service condition. By crafting a malicious URL with multiple redirects, the attacker can force the Fedify server to make numerous outbound requests in response to a single inbound request. This rapid sequence of requests can consume significant server resources, including CPU, memory, and network bandwidth, leading to performance degradation or complete service unavailability. The blast radius extends to any service relying on @fedify/fedify for ActivityPub verification, potentially impacting multiple users or downstream systems.
This CVE was publicly disclosed on 2026-04-07. There are currently no known public proof-of-concept exploits. The EPSS score is pending evaluation. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.06% (18th percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade to version 1.9.6 or later of the @fedify/fedify package. This version includes fixes to prevent the uncontrolled recursive redirect behavior. If upgrading is not immediately feasible, consider implementing a redirect limiting mechanism within your application. This could involve setting a maximum redirect count or implementing a visited-URL loop detection strategy to prevent excessive outbound requests. Additionally, configure your web server or proxy to limit the number of outbound requests per connection to mitigate the impact of a potential exploit.
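The workaround described above (a maximum redirect count plus visited-URL loop detection) looks like the following in Node.js. This is an added example, not Fedify's own code or its actual fix: it follows redirects iteratively with `redirect: "manual"` so that one inbound request can never fan out into an unbounded chain of outbound fetches. The function and class names, the `fakeFetch` stand-in for the network, and the `example.com` URLs in `FAKE_SERVER` are all constructed for this example.

```javascript
// Bounded redirect follower for remote document fetches (added example,
// not part of @fedify/fedify). Redirects are followed manually so the
// number of outbound requests per inbound request is capped and any URL
// seen twice in one chain is rejected as a loop.

const DEFAULT_MAX_REDIRECTS = 5;

class RedirectError extends Error {
  constructor(message, chain) {
    super(message);
    this.name = 'RedirectError';
    this.chain = chain; // every URL that was requested before the failure
  }
}

// Resolve a Location header against the current URL and refuse anything
// that is not http(s), so a redirect cannot steer the fetch to another scheme.
function resolveLocation(currentUrl, location) {
  const target = new URL(location, currentUrl);
  if (target.protocol !== 'http:' && target.protocol !== 'https:') {
    throw new RedirectError(`refusing non-HTTP redirect to ${target.href}`, [currentUrl]);
  }
  return target.href;
}

// Fetch `url`, following at most `maxRedirects` redirects and aborting as
// soon as a URL repeats. `fetchImpl` defaults to the global fetch (Node 18+);
// the demo below injects an offline stand-in instead.
async function fetchWithRedirectLimit(url, { fetchImpl = globalThis.fetch, maxRedirects = DEFAULT_MAX_REDIRECTS } = {}) {
  const visited = new Set();
  let current = new URL(url).href;
  for (let hop = 0; ; hop++) {
    if (visited.has(current)) {
      throw new RedirectError(`redirect loop detected at ${current}`, [...visited]);
    }
    visited.add(current);
    const response = await fetchImpl(current, { redirect: 'manual' });
    const location = response.headers.get('location');
    const isRedirect = response.status >= 300 && response.status < 400 && location;
    if (!isRedirect) {
      return { response, finalUrl: current, requests: visited.size };
    }
    if (hop >= maxRedirects) {
      throw new RedirectError(`more than ${maxRedirects} redirects from ${url}`, [...visited]);
    }
    current = resolveLocation(current, location);
  }
}

// Constructed in-memory "server" standing in for the network so the example
// runs offline. Each entry maps a URL to the response it returns.
const FAKE_SERVER = {
  'https://example.com/actor': { status: 302, location: '/actor.json' },
  'https://example.com/actor.json': { status: 200, body: '{"type":"Person"}' },
  'https://example.com/loop-a': { status: 302, location: '/loop-b' },
  'https://example.com/loop-b': { status: 301, location: 'https://example.com/loop-a' },
};
// A long non-repeating chain: /chain/0 -> /chain/1 -> ... -> /chain/20 (404).
for (let i = 0; i < 20; i++) {
  FAKE_SERVER[`https://example.com/chain/${i}`] = { status: 302, location: `/chain/${i + 1}` };
}

// Minimal fetch-compatible stand-in: returns only the fields the follower reads.
async function fakeFetch(url, options = {}) {
  if (options.redirect !== 'manual') throw new Error('fakeFetch expects redirect: "manual"');
  const entry = FAKE_SERVER[url] ?? { status: 404 };
  return {
    status: entry.status,
    headers: { get: (name) => (name.toLowerCase() === 'location' ? entry.location ?? null : null) },
    text: async () => entry.body ?? '',
  };
}

async function demo() {
  const ok = await fetchWithRedirectLimit('https://example.com/actor', { fetchImpl: fakeFetch });
  console.log(`resolved ${ok.finalUrl} after ${ok.requests} request(s)`);
  for (const start of ['https://example.com/loop-a', 'https://example.com/chain/0']) {
    try {
      await fetchWithRedirectLimit(start, { fetchImpl: fakeFetch });
    } catch (err) {
      console.log(`${start}: ${err.message} (${err.chain.length} request(s) sent)`);
    }
  }
}

demo();
```

The loop case costs exactly two outbound requests and the long chain costs `maxRedirects + 1` before the follower gives up, so the worst-case fan-out per inbound request is a known constant rather than attacker-controlled. Keeping the `visited` set per call (not global) is deliberate: the same remote URL may legitimately be fetched again by a later request.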
Update the fedify library to version 1.9.6 or higher, 1.10.5 or higher, 2.0.8 or higher, or 2.1.1 or higher to mitigate the risk of resource exhaustion and denial of service due to unbounded redirects.
CVE-2026-34148 is a denial-of-service vulnerability in the @fedify/fedify Node.js package, allowing attackers to trigger excessive outbound requests via recursive HTTP redirects.
You are affected if you are using a version of @fedify/fedify prior to 1.9.6 and are exposed to external ActivityPub URLs.
Upgrade to version 1.9.6 or later of @fedify/fedify. As a temporary workaround, implement redirect limiting within your application.
There are currently no confirmed reports of active exploitation, but the vulnerability is publicly known.
Refer to the @fedify/fedify project's repository and release notes for the official advisory and details on the fix.