Platform: nodejs
Component: @fedify/fedify
Fixed in: 1.9.6, 1.9.7, 1.10.1, 2.0.1, 2.0.9, 2.1.1
CVE-2026-34148 is a denial-of-service vulnerability in the @fedify/fedify library. It arises because the library follows HTTP redirects recursively without a limit or loop detection, so an attacker who controls an ActivityPub URL can generate repeated requests and overload the server. The vulnerability affects versions of @fedify/fedify older than 1.9.6. A patch is available in version 1.9.6.
This vulnerability allows an attacker who controls a remote ActivityPub key or actor URL to induce a denial-of-service condition. By crafting a malicious URL with multiple redirects, the attacker can force the Fedify server to make numerous outbound requests in response to a single inbound request. This rapid sequence of requests can consume significant server resources, including CPU, memory, and network bandwidth, leading to performance degradation or complete service unavailability. The blast radius extends to any service relying on @fedify/fedify for ActivityPub verification, potentially impacting multiple users or downstream systems.
This CVE was publicly disclosed on 2026-04-07. There are currently no known public proof-of-concept exploits. The EPSS score is pending evaluation. It is not currently listed on the CISA KEV catalog.
Applications and services built using the @fedify/fedify Node.js package for ActivityPub verification are at risk. This includes Mastodon instances, decentralized social media platforms, and any system integrating ActivityPub functionality. Specifically, deployments relying on older versions of @fedify/fedify are most vulnerable.
• nodejs / server: npm list @fedify/fedify
• nodejs / server: npm audit @fedify/fedify
• nodejs / server: Check application logs for excessive outbound HTTP requests originating from ActivityPub verification processes. Look for patterns indicating repeated requests to the same or similar URLs.
• nodejs / server: Monitor CPU and memory usage on the server. A sudden spike in resource consumption during ActivityPub verification could indicate exploitation.
EPSS: 0.06% (18th percentile)
The primary mitigation is to upgrade to version 1.9.6 or later of the @fedify/fedify package. This version includes fixes to prevent the uncontrolled recursive redirect behavior. If upgrading is not immediately feasible, consider implementing a redirect limiting mechanism within your application. This could involve setting a maximum redirect count or implementing a visited-URL loop detection strategy to prevent excessive outbound requests. Additionally, configure your web server or proxy to limit the number of outbound requests per connection to mitigate the impact of a potential exploit.
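The redirect limit and visited-URL loop detection described above, as an added example that is not Fedify's own code: a wrapper around a fetch-compatible function that follows 3xx responses by hand, caps the number of hops and rejects any URL it has already visited. It assumes Node 18+ fetch semantics for redirect: 'manual' (the 3xx response is returned rather than followed); the routes in FAKE_ROUTES are constructed for the stand-alone demo.

```javascript
const MAX_REDIRECTS = 5;
const REDIRECT_STATUSES = new Set([301, 302, 303, 307, 308]);

// Pure policy step: given the URLs visited so far (first entry is the original
// request) and a response, decide whether to stop, follow, or reject the hop.
function nextRedirectHop(visited, response, maxRedirects = MAX_REDIRECTS) {
  if (!REDIRECT_STATUSES.has(response.status)) return { action: 'done' };
  const location = response.headers.get('location');
  if (!location) throw new Error(`HTTP ${response.status} without Location header`);
  // Resolve relative Location values against the URL that issued the redirect.
  const target = new URL(location, visited[visited.length - 1]).href;
  if (visited.includes(target)) throw new Error(`redirect loop detected at ${target}`);
  // After this hop, visited.length redirects would have been followed in total.
  if (visited.length > maxRedirects) {
    throw new Error(`more than ${maxRedirects} redirects starting from ${visited[0]}`);
  }
  return { action: 'follow', url: target };
}

// Drive the policy against a fetch-like function. redirect: 'manual' makes
// Node's fetch hand back the 3xx response instead of following it itself.
async function fetchWithRedirectLimit(url, fetchFn = fetch, maxRedirects = MAX_REDIRECTS) {
  const visited = [new URL(url).href];
  for (;;) {
    const response = await fetchFn(visited[visited.length - 1], { redirect: 'manual' });
    const hop = nextRedirectHop(visited, response, maxRedirects);
    if (hop.action === 'done') return response;
    visited.push(hop.url);
  }
}

// Constructed stand-in for the network: a two-hop chain that ends in 200,
// and a two-node redirect loop of the kind the advisory describes.
const FAKE_ROUTES = {
  'https://a.example/actor': { status: 302, location: 'https://b.example/actor' },
  'https://b.example/actor': { status: 301, location: '/users/alice' },
  'https://b.example/users/alice': { status: 200 },
  'https://loop.example/a': { status: 302, location: '/b' },
  'https://loop.example/b': { status: 302, location: '/a' },
};
function makeFakeFetch(routes) {
  return async (url) => {
    const route = routes[url] ?? { status: 404 };
    const headers = new Map(route.location ? [['location', route.location]] : []);
    return { status: route.status, headers };
  };
}

fetchWithRedirectLimit('https://a.example/actor', makeFakeFetch(FAKE_ROUTES))
  .then((r) => console.log('chain resolved with status', r.status));
fetchWithRedirectLimit('https://loop.example/a', makeFakeFetch(FAKE_ROUTES))
  .catch((e) => console.log('rejected:', e.message));
```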
Update the fedify library to version 1.9.6 or later, 1.10.5 or later, 2.0.8 or later, or 2.1.1 or later to mitigate the risk of resource exhaustion and denial of service caused by unlimited redirects.
CVE-2026-34148 is a denial-of-service vulnerability in the @fedify/fedify Node.js package, allowing attackers to trigger excessive outbound requests via recursive HTTP redirects.
You are affected if you are using a version of @fedify/fedify prior to 1.9.6 and are exposed to external ActivityPub URLs.
Upgrade to version 1.9.6 or later of @fedify/fedify. As a temporary workaround, implement redirect limiting within your application.
There are currently no confirmed reports of active exploitation, but the vulnerability is publicly known.
Refer to the @fedify/fedify project's repository and release notes for the official advisory and details on the fix.