CVE-2026-34148

Summary

Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to 1.9.6, 1.10.5, 2.0.8, and 2.1.1, @fedify/fedify follows HTTP redirects recursively in its remote document loader and authenticated document loader without enforcing a maximum redirect count or visited-URL loop detection. An attacker who controls a remote ActivityPub key or actor URL can force a server using Fedify to make repeated outbound requests from a single inbound request, leading to resource consumption and denial of service. This vulnerability is fixed in 1.9.6, 1.10.5, 2.0.8, and 2.1.1.

Affected Software

VendorProductVersion RangeStatus
@fedifyfedify< 1.9.6affected
@fedifyfedify>= 1.10.0, < 1.10.5affected
@fedifyfedify>= 2.0.0, < 2.0.8affected
@fedifyfedify>= 2.1.0, < 2.1.1affected
@fedifyvocab-runtime< 2.0.8affected
@fedifyvocab-runtime>= 2.1.0, < 2.1.1affected

Weaknesses

  • CWE-400: CWE-400: Uncontrolled Resource Consumption
  • CWE-770: CWE-770: Allocation of Resources Without Limits or Throttling

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: partial

Additional References

References