Description

Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to 1.9.6, 1.10.5, 2.0.8, and 2.1.1, @fedify/fedify follows HTTP redirects recursively in its remote document loader and authenticated document loader without enforcing a maximum redirect count or visited-URL loop detection. An attacker who controls a remote ActivityPub key or actor URL can force a server using Fedify to make repeated outbound requests from a single inbound request, leading to resource consumption and denial of service. This vulnerability is fixed in 1.9.6, 1.10.5, 2.0.8, and 2.1.1.

INFO

Published Date :

2026-04-06T15:06:53.197Z

Last Modified :

2026-04-07T14:25:51.368Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-34148 vulnerability.

Vendors Products
Fedify
  • Fedify
  • Vocab-runtime
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-34148.

URL Resource
https://github.com/fedify-dev/fedify/releases/tag/1.10.5 cve-icon cve-icon
https://github.com/fedify-dev/fedify/releases/tag/1.9.6 cve-icon cve-icon
https://github.com/fedify-dev/fedify/releases/tag/2.0.8 cve-icon cve-icon
https://github.com/fedify-dev/fedify/releases/tag/2.1.1 cve-icon cve-icon
https://github.com/fedify-dev/fedify/security/advisories/GHSA-gm9m-gwc4-hwgp cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact