Description

Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to versions 1.6.13, 1.7.14, 1.8.15, and 1.9.2, a Regular Expression Denial of Service (ReDoS) vulnerability exists in Fedify's document loader. The HTML parsing regex at packages/fedify/src/runtime/docloader.ts:259 contains nested quantifiers that cause catastrophic backtracking when processing maliciously crafted HTML responses. This issue has been patched in versions 1.6.13, 1.7.14, 1.8.15, and 1.9.2.

INFO

Published Date :

2025-12-22T21:31:20.314Z

Last Modified :

2025-12-22T21:54:45.635Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-68475 vulnerability.

Vendors Products
Fedify
  • Fedify
Fedify Project
  • Fedify
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-68475.

URL Resource
https://github.com/fedify-dev/fedify/commit/2bdcb24d7d6d5886e0214ed504b63a6dc5488779 cve-icon cve-icon
https://github.com/fedify-dev/fedify/commit/bf2f0783634efed2663d1b187dc55461ee1f987a cve-icon cve-icon
https://github.com/fedify-dev/fedify/releases/tag/1.6.13 cve-icon cve-icon
https://github.com/fedify-dev/fedify/releases/tag/1.7.14 cve-icon cve-icon
https://github.com/fedify-dev/fedify/releases/tag/1.8.15 cve-icon cve-icon
https://github.com/fedify-dev/fedify/releases/tag/1.9.2 cve-icon cve-icon
https://github.com/fedify-dev/fedify/security/advisories/GHSA-rchf-xwx2-hm93 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact