Platform: nodejs
Component: @fedify/fedify
Fixed versions: 1.9.7, 1.10.1, 2.0.1, 2.1.1, 2.0.9, 1.9.6
CVE-2026-34148 is a denial-of-service (DoS) vulnerability affecting the @fedify/fedify Node.js package. The vulnerability arises from the package's recursive HTTP redirect handling during remote document loading, which lacks proper loop detection. An attacker can exploit this to trigger excessive outbound requests, potentially overwhelming the server and causing a DoS.
This vulnerability allows an attacker who controls a remote ActivityPub key or actor URL to induce a denial-of-service condition. By crafting a malicious URL with multiple redirects, the attacker can force the Fedify server to make numerous outbound requests in response to a single inbound request. This rapid sequence of requests can consume significant server resources, including CPU, memory, and network bandwidth, leading to performance degradation or complete service unavailability. The blast radius extends to any service relying on @fedify/fedify for ActivityPub verification, potentially impacting multiple users or downstream systems.
This CVE was publicly disclosed on 2026-04-07. There are currently no known public proof-of-concept exploits. The EPSS score is pending evaluation. It is not currently listed on the CISA KEV catalog.
Applications and services built on the @fedify/fedify Node.js package are at risk: any fediverse server, bot, or integration that uses Fedify to fetch remote actors, keys, or other ActivityPub documents over HTTP. Deployments running a version below the fixed release for their release line are vulnerable.
• nodejs / server: `npm list @fedify/fedify` to see which version is installed (including transitive copies).
• nodejs / server: `npm audit` to check the lockfile against the advisory database (`npm audit` scans the whole dependency tree; it does not take a package name as an argument).
• nodejs / server: Check application logs for excessive outbound HTTP requests originating from ActivityPub verification processes. Look for patterns indicating repeated requests to the same or similar URLs within the handling of a single inbound request.
• nodejs / server: Monitor CPU and memory usage on the server. A sudden spike in resource consumption during ActivityPub verification could indicate exploitation.
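The log check above can be scripted. The following is an added example (not code from the Fedify project or this advisory): it parses constructed outbound-request log lines, groups them by the inbound request that triggered them, and flags any inbound request whose fan-out or per-host repetition exceeds a threshold. The log format, the `inbound=` correlation field and the thresholds are assumptions; adapt them to your own logger.

```javascript
// Added example, not from @fedify/fedify: detect an inbound request that
// fans out into an unusual number of outbound fetches (redirect chasing).
// The log format below is a constructed sample, not Fedify's log format.
const SAMPLE_LOG = [
  "2026-04-07T10:00:00Z inbound=req-1 outbound GET https://alice.example/users/alice status=200",
  "2026-04-07T10:00:00Z inbound=req-1 outbound GET https://alice.example/users/alice/key status=200",
  "2026-04-07T10:00:01Z inbound=req-2 outbound GET https://evil.example/a status=302",
  "2026-04-07T10:00:01Z inbound=req-2 outbound GET https://evil.example/b status=302",
  "2026-04-07T10:00:01Z inbound=req-2 outbound GET https://evil.example/a status=302",
  "2026-04-07T10:00:01Z inbound=req-2 outbound GET https://evil.example/b status=302",
  "2026-04-07T10:00:01Z inbound=req-2 outbound GET https://evil.example/a status=302",
  "2026-04-07T10:00:01Z inbound=req-2 outbound GET https://evil.example/b status=302",
  "2026-04-07T10:00:02Z inbound=req-3 outbound GET https://bob.example/users/bob status=200",
];

// Parse one line of the assumed format; returns null for lines that do not match.
function parseLine(line) {
  const m = /^(\S+) inbound=(\S+) outbound GET (\S+) status=(\d+)$/.exec(line);
  if (!m) return null;
  return { ts: m[1], inbound: m[2], url: m[3], status: Number(m[4]) };
}

// Group outbound requests by the inbound request id and flag suspicious ones:
//  - more than `maxOutbound` outbound requests for a single inbound request, or
//  - `maxSameHost` or more requests to the same host from one inbound request.
// Redirect responses (3xx) are counted separately so a loop stands out.
function analyzeOutboundFanout(lines, { maxOutbound = 5, maxSameHost = 3 } = {}) {
  const perInbound = new Map();
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec) continue;
    let entry = perInbound.get(rec.inbound);
    if (!entry) {
      entry = { count: 0, redirects: 0, hosts: new Map() };
      perInbound.set(rec.inbound, entry);
    }
    entry.count += 1;
    if (rec.status >= 300 && rec.status < 400) entry.redirects += 1;
    const host = new URL(rec.url).host;
    entry.hosts.set(host, (entry.hosts.get(host) || 0) + 1);
  }

  const findings = [];
  for (const [inbound, entry] of perInbound) {
    const hotHosts = [...entry.hosts]
      .filter(([, n]) => n >= maxSameHost)
      .map(([host]) => host);
    if (entry.count > maxOutbound || hotHosts.length > 0) {
      findings.push({ inbound, outbound: entry.count, redirects: entry.redirects, hotHosts });
    }
  }
  return findings;
}

for (const f of analyzeOutboundFanout(SAMPLE_LOG)) {
  console.log(`suspicious inbound ${f.inbound}: ${f.outbound} outbound, ${f.redirects} redirects, hosts=${f.hotHosts.join(",")}`);
}
```

Only `req-2` is flagged in the sample: six outbound requests, all 3xx, bouncing between two URLs on one host. Tune `maxOutbound` to the fan-out your legitimate verification path produces (typically one or two fetches for a key and its owning actor).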
Disclosure
Exploit status
EPSS: 0.06% (18th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade @fedify/fedify to a fixed release for your release line (1.9.6 or later on the 1.9 line; see the fixed versions listed above for the 1.10, 2.0 and 2.1 lines). The fixed releases stop the uncontrolled recursive redirect behavior. If upgrading is not immediately feasible, implement redirect limiting in your application: cap the number of redirects followed per document fetch and keep a visited-URL set so a redirect back to an already-seen URL is refused. Additionally, rate-limit outbound requests per inbound request at the web server or proxy to bound the impact of a potential exploit.
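Redirect limiting with loop detection, as an added example that is not Fedify's own document loader: the hop decision is a small pure function (`nextHop`) so it can be exercised offline against a constructed redirect table, and `fetchWithRedirectLimit` wraps the global `fetch()` with `redirect: "manual"` so every hop passes through that check. All names here are hypothetical and are not part of the @fedify/fedify API.

```javascript
// Added example, not @fedify/fedify code: bounded redirect following with
// visited-URL loop detection for remote document fetches.

class RedirectLimitError extends Error {}

// Decide the next hop from a response. `chain` is the list of URL objects
// fetched so far (first element is the original URL). Returns the next
// absolute URL, null when `status` is not a redirect, and throws when the hop
// limit is reached, the target was already visited, or the scheme is not HTTP(S).
function nextHop(chain, status, location, maxRedirects) {
  if (status < 300 || status >= 400 || !location) return null;
  const current = chain[chain.length - 1];
  const target = new URL(location, current); // resolves relative Location headers
  if (target.protocol !== "http:" && target.protocol !== "https:") {
    throw new RedirectLimitError(`refusing non-HTTP redirect to ${target.href}`);
  }
  if (chain.length - 1 >= maxRedirects) {
    throw new RedirectLimitError(`more than ${maxRedirects} redirects from ${chain[0].href}`);
  }
  if (chain.some((u) => u.href === target.href)) {
    throw new RedirectLimitError(`redirect loop: ${target.href} already visited`);
  }
  return target;
}

// Wrapper around fetch(): follows redirects manually so nextHop() sees each one.
// `fetchImpl` is injectable for testing; defaults to the global fetch (Node 18+).
async function fetchWithRedirectLimit(url, { maxRedirects = 5, fetchImpl = globalThis.fetch } = {}) {
  const chain = [new URL(url)];
  for (;;) {
    const res = await fetchImpl(chain[chain.length - 1].href, { redirect: "manual" });
    const next = nextHop(chain, res.status, res.headers.get("location"), maxRedirects);
    if (next === null) return { response: res, chain: chain.map((u) => u.href) };
    chain.push(next);
  }
}

// Constructed redirect table standing in for remote servers (no network needed):
// evil.example/a and /b redirect to each other; good.example resolves after two hops.
const FAKE_SERVERS = {
  "https://evil.example/a": { status: 302, location: "/b" },
  "https://evil.example/b": { status: 302, location: "https://evil.example/a" },
  "https://good.example/actor": { status: 301, location: "/users/actor" },
  "https://good.example/users/actor": { status: 302, location: "https://cdn.good.example/actor.json" },
  "https://cdn.good.example/actor.json": { status: 200 },
};

// Synchronous driver over the constructed table. Returns the chain of URLs
// visited, plus an error message when the limiter refused to continue.
function simulate(startUrl, maxRedirects = 5) {
  const chain = [new URL(startUrl)];
  const hrefs = () => chain.map((u) => u.href);
  try {
    for (;;) {
      const entry = FAKE_SERVERS[chain[chain.length - 1].href];
      if (!entry) return { error: `no route for ${chain[chain.length - 1].href}`, chain: hrefs() };
      const next = nextHop(chain, entry.status, entry.location, maxRedirects);
      if (next === null) return { chain: hrefs() };
      chain.push(next);
    }
  } catch (e) {
    if (e instanceof RedirectLimitError) return { error: e.message, chain: hrefs() };
    throw e;
  }
}

console.log(simulate("https://good.example/actor")); // two hops, ends at the CDN
console.log(simulate("https://evil.example/a"));     // refused: loop detected on hop 2
```

The loop check catches the A-to-B-to-A case after two requests rather than after `maxRedirects` requests, which matters when the attacker's goal is request volume rather than depth. A production loader should also bound the total bytes read and the time spent per document fetch; the example only bounds hops.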
Update the fedify library to version 1.9.6 or later, 1.10.5 or later, 2.0.8 or later, or 2.1.1 or later to mitigate the risk of resource exhaustion and denial of service caused by unlimited redirects.
CVE-2026-34148 is a denial-of-service vulnerability in the @fedify/fedify Node.js package, allowing attackers to trigger excessive outbound requests via recursive HTTP redirects.
You are affected if you are using a version of @fedify/fedify prior to 1.9.6 and are exposed to external ActivityPub URLs.
Upgrade @fedify/fedify to a fixed release for your release line (1.9.6 or later on the 1.9 line). As a temporary workaround, implement redirect limiting with loop detection in your application.
There are currently no confirmed reports of active exploitation, but the vulnerability is publicly known.
Refer to the @fedify/fedify project's repository and release notes for the official advisory and details on the fix.