{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34148", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-25T20:12:04.195Z", "datePublished": "2026-04-06T15:06:53.197Z", "dateUpdated": "2026-04-07T14:25:51.368Z"}, "containers": {"cna": {"title": "Fedify affected by resource exhaustion caused by unbounded redirect following during remote key/document resolution", "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "lang": "en", "description": "CWE-400: Uncontrolled Resource Consumption", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-770", "lang": "en", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/fedify-dev/fedify/security/advisories/GHSA-gm9m-gwc4-hwgp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/fedify-dev/fedify/security/advisories/GHSA-gm9m-gwc4-hwgp"}, {"name": "https://github.com/fedify-dev/fedify/releases/tag/1.10.5", "tags": ["x_refsource_MISC"], "url": "https://github.com/fedify-dev/fedify/releases/tag/1.10.5"}, {"name": "https://github.com/fedify-dev/fedify/releases/tag/1.9.6", "tags": ["x_refsource_MISC"], "url": "https://github.com/fedify-dev/fedify/releases/tag/1.9.6"}, {"name": "https://github.com/fedify-dev/fedify/releases/tag/2.0.8", "tags": ["x_refsource_MISC"], "url": "https://github.com/fedify-dev/fedify/releases/tag/2.0.8"}, {"name": "https://github.com/fedify-dev/fedify/releases/tag/2.1.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/fedify-dev/fedify/releases/tag/2.1.1"}], "affected": [{"vendor": "@fedify", "product": "fedify", "versions": [{"version": "< 1.9.6", "status": "affected"}, {"version": ">= 1.10.0, < 1.10.5", "status": "affected"}, {"version": ">= 2.0.0, < 2.0.8", "status": "affected"}, {"version": ">= 2.1.0, < 2.1.1", "status": "affected"}]}, {"vendor": "@fedify", "product": "vocab-runtime", "versions": [{"version": "< 2.0.8", "status": "affected"}, {"version": ">= 2.1.0, < 2.1.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T14:25:51.368Z"}, "descriptions": [{"lang": "en", "value": "Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to 1.9.6, 1.10.5, 2.0.8, and 2.1.1, @fedify/fedify follows HTTP redirects recursively in its remote document loader and authenticated document loader without enforcing a maximum redirect count or visited-URL loop detection. An attacker who controls a remote ActivityPub key or actor URL can force a server using Fedify to make repeated outbound requests from a single inbound request, leading to resource consumption and denial of service. This vulnerability is fixed in 1.9.6, 1.10.5, 2.0.8, and 2.1.1."}], "source": {"advisory": "GHSA-gm9m-gwc4-hwgp", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/fedify-dev/fedify/security/advisories/GHSA-gm9m-gwc4-hwgp", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-06T15:35:17.193226Z", "id": "CVE-2026-34148", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T15:35:21.840Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34148", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-06T15:35:17.193226Z"}}}], "references": [{"url": "https://github.com/fedify-dev/fedify/security/advisories/GHSA-gm9m-gwc4-hwgp", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T15:35:07.905Z"}}], "cna": {"title": "Fedify affected by resource exhaustion caused by unbounded redirect following during remote key/document resolution", "source": {"advisory": "GHSA-gm9m-gwc4-hwgp", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "@fedify", "product": "fedify", "versions": [{"status": "affected", "version": "< 1.9.6"}, {"status": "affected", "version": ">= 1.10.0, < 1.10.5"}, {"status": "affected", "version": ">= 2.0.0, < 2.0.8"}, {"status": "affected", "version": ">= 2.1.0, < 2.1.1"}]}, {"vendor": "@fedify", "product": "vocab-runtime", "versions": [{"status": "affected", "version": "< 2.0.8"}, {"status": "affected", "version": ">= 2.1.0, < 2.1.1"}]}], "references": [{"url": "https://github.com/fedify-dev/fedify/security/advisories/GHSA-gm9m-gwc4-hwgp", "name": "https://github.com/fedify-dev/fedify/security/advisories/GHSA-gm9m-gwc4-hwgp", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/fedify-dev/fedify/releases/tag/1.10.5", "name": "https://github.com/fedify-dev/fedify/releases/tag/1.10.5", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/fedify-dev/fedify/releases/tag/1.9.6", "name": "https://github.com/fedify-dev/fedify/releases/tag/1.9.6", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/fedify-dev/fedify/releases/tag/2.0.8", "name": "https://github.com/fedify-dev/fedify/releases/tag/2.0.8", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/fedify-dev/fedify/releases/tag/2.1.1", "name": "https://github.com/fedify-dev/fedify/releases/tag/2.1.1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to 1.9.6, 1.10.5, 2.0.8, and 2.1.1, @fedify/fedify follows HTTP redirects recursively in its remote document loader and authenticated document loader without enforcing a maximum redirect count or visited-URL loop detection. An attacker who controls a remote ActivityPub key or actor URL can force a server using Fedify to make repeated outbound requests from a single inbound request, leading to resource consumption and denial of service. This vulnerability is fixed in 1.9.6, 1.10.5, 2.0.8, and 2.1.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-770", "description": "CWE-770: Allocation of Resources Without Limits or Throttling"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T14:25:51.368Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34148", "state": "PUBLISHED", "dateUpdated": "2026-04-07T14:25:51.368Z", "dateReserved": "2026-03-25T20:12:04.195Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-06T15:06:53.197Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:fedify:fedify\\/fedify:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "ECF8706E-2E6C-4A6A-8F8C-DE9933F39224", "versionEndExcluding": "1.9.6", "vulnerable": true}, {"criteria": "cpe:2.3:a:fedify:fedify\\/fedify:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "BF4917D5-C6AA-45E3-B5F6-B3DCEF460212", "versionEndExcluding": "1.10.5", "versionStartIncluding": "1.10.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:fedify:fedify\\/fedify:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "DD7D6EB1-0E97-43AE-9412-FA558F8FFA6B", "versionEndExcluding": "2.0.8", "versionStartIncluding": "2.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:fedify:fedify\\/fedify:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "0613E25B-2982-4E31-A7FB-5FF0F10FA724", "versionEndExcluding": "2.1.1", "versionStartIncluding": "2.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:fedify:fedify\\/vocab-runtime:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "C298320F-CF10-4C9F-B8B5-F96ACDBFA963", "versionEndExcluding": "2.0.8", "vulnerable": true}, {"criteria": "cpe:2.3:a:fedify:fedify\\/vocab-runtime:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "B6CC76BF-8504-4630-832A-F5EA09191546", "versionEndExcluding": "2.1.1", "versionStartIncluding": "2.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to 1.9.6, 1.10.5, 2.0.8, and 2.1.1, @fedify/fedify follows HTTP redirects recursively in its remote document loader and authenticated document loader without enforcing a maximum redirect count or visited-URL loop detection. An attacker who controls a remote ActivityPub key or actor URL can force a server using Fedify to make repeated outbound requests from a single inbound request, leading to resource consumption and denial of service. This vulnerability is fixed in 1.9.6, 1.10.5, 2.0.8, and 2.1.1."}], "id": "CVE-2026-34148", "lastModified": "2026-04-25T18:03:02.780", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-06T16:16:34.387", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/fedify-dev/fedify/releases/tag/1.10.5"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/fedify-dev/fedify/releases/tag/1.9.6"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/fedify-dev/fedify/releases/tag/2.0.8"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/fedify-dev/fedify/releases/tag/2.1.1"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/fedify-dev/fedify/security/advisories/GHSA-gm9m-gwc4-hwgp"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/fedify-dev/fedify/security/advisories/GHSA-gm9m-gwc4-hwgp"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}, {"lang": "en", "value": "CWE-770"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.9.6)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.10.0,1.10.5)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.0.0,2.0.8)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.1.0,2.1.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "product": "fedify", "vendor": "fedify"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.0.8)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.1.0,2.1.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "vocab-runtime", "source": "cna", "vendor": "@fedify"}, "product": "vocab-runtime", "vendor": "fedify"}], "analysis": {"en": {"generated_at": "2026-04-14T03:24:53.651817+00:00", "value": {"mitigation_remediation": ["Upgrade @fedify/fedify to at least 1.9.6, 1.10.5, 2.0.8, or 2.1.1;", "Upgrade @fedify/vocab-runtime to at least 2.0.8 or 2.1.1;", "If upgrading is not yet possible, limit outbound HTTP requests from the server or configure the feed loader to enforce a redirect limit for remote documents;", "Monitor server logs for abnormal outbound traffic and consider isolating external request handling;"], "summary": {"action": "Immediate Patch", "impact": "Resource Exhaustion leading to Denial of Service"}, "threat_synthesis": {"affected_systems": "All versions of the @fedify/fedify library released before 1.9.6, 1.10.5, 2.0.8, and 2.1.1 are vulnerable. The accompanying @fedify/vocab-runtime component is affected in versions prior to 2.0.8 and 2.1.1, with the 2.1.0 release also enumerated as vulnerable. The issue is fixed in the cited releases of both packages.", "description_and_impact": "Fedify, a TypeScript library used to build federated ActivityPub servers, follows HTTP redirects when loading remote keys or documents without limiting the number of redirects or detecting loops. An attacker who can control a remote ActivityPub key or actor URL can inject a redirect chain that causes the server to repeatedly request external resources. This diverted network traffic depletes system resources and can result in denial of service. The weakness falls under unbounded resource consumption (CWE\u2011400) and lack of resource limits (CWE\u2011770).", "risk_and_exploitability": "The CVSS base score is 7.5, indicating high severity. The EPSS score is below 1%, suggesting that exploitation is currently unlikely, and the vulnerability is not listed in the CISA KEV catalog. However, if an attacker can supply a malicious key or actor URL that the server resolves, they can execute the vulnerability by directing the server to follow an endless redirect chain, consuming CPU, memory, and network I/O. The attack requires remote control of a referenced ActivityPub resource and can be launched from a single inbound request to the vulnerable server."}}}}, "created": "2026-04-06T20:14:15.327071+00:00", "updated": "2026-04-14T16:41:16.149611+00:00", "vendors": ["fedify", "fedify$PRODUCT$fedify", "fedify$PRODUCT$vocab-runtime"]}