Platform: nodejs
Component: @fedify/fedify
Fixed in: 1.9.7, 1.10.1, 2.0.1, 2.1.1, 2.0.9, 2.1.1, 1.9.6
CVE-2026-34148 affects the @fedify/fedify library because it follows HTTP redirects recursively with neither a hop limit nor loop detection. The flaw lets an attacker who controls an ActivityPub URL cause excessive resource consumption on the Fedify server, resulting in a denial of service. Versions prior to 1.9.6 are affected, and a fix is available.
This vulnerability allows an attacker who controls a remote ActivityPub key or actor URL to induce a denial-of-service condition. By crafting a malicious URL with multiple redirects, the attacker can force the Fedify server to make numerous outbound requests in response to a single inbound request. This rapid sequence of requests can consume significant server resources, including CPU, memory, and network bandwidth, leading to performance degradation or complete service unavailability. The blast radius extends to any service relying on @fedify/fedify for ActivityPub verification, potentially impacting multiple users or downstream systems.
This CVE was publicly disclosed on 2026-04-07. There are currently no known public proof-of-concept exploits. The EPSS score is pending evaluation. It is not currently listed on the CISA KEV catalog.
Applications and services built using the @fedify/fedify Node.js package for ActivityPub verification are at risk. This includes Mastodon instances, decentralized social media platforms, and any system integrating ActivityPub functionality. Specifically, deployments relying on older versions of @fedify/fedify are most vulnerable.
• nodejs / server: `npm list @fedify/fedify`
• nodejs / server: `npm audit @fedify/fedify`
• nodejs / server: Check application logs for excessive outbound HTTP requests originating from ActivityPub verification processes. Look for patterns indicating repeated requests to the same or similar URLs.
• nodejs / server: Monitor CPU and memory usage on the server. A sudden spike in resource consumption during ActivityPub verification could indicate exploitation.
Disclosure
Exploit status
EPSS: 0.06% (18th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade to version 1.9.6 or later of the @fedify/fedify package. This version includes fixes to prevent the uncontrolled recursive redirect behavior. If upgrading is not immediately feasible, consider implementing a redirect limiting mechanism within your application. This could involve setting a maximum redirect count or implementing a visited-URL loop detection strategy to prevent excessive outbound requests. Additionally, configure your web server or proxy to limit the number of outbound requests per connection to mitigate the impact of a potential exploit.
Update the fedify library to version 1.9.6 or later, 1.10.5 or later, 2.0.8 or later, or 2.1.1 or later to mitigate the risk of resource exhaustion and denial of service caused by unlimited redirects.
CVE-2026-34148 is a denial-of-service vulnerability in the @fedify/fedify Node.js package, allowing attackers to trigger excessive outbound requests via recursive HTTP redirects.
You are affected if you are using a version of @fedify/fedify prior to 1.9.6 and are exposed to external ActivityPub URLs.
Upgrade to version 1.9.6 or later of @fedify/fedify. As a temporary workaround, implement redirect limiting within your application.
There are currently no confirmed reports of active exploitation, but the vulnerability is publicly known.
Refer to the @fedify/fedify project's repository and release notes for the official advisory and details on the fix.