CVE-2026-34148: CWE-400: Uncontrolled Resource Consumption in @fedify fedify
Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to 1.9.6, 1.10.5, 2.0.8, and 2.1.1, @fedify/fedify follows HTTP redirects recursively in its remote document loader and authenticated document loader without enforcing a maximum redirect count or visited-URL loop detection. An attacker who controls a remote ActivityPub key or actor URL can force a server using Fedify to make repeated outbound requests from a single inbound request, leading to resource consumption and denial of service. This vulnerability is fixed in 1.9.6, 1.10.5, 2.0.8, and 2.1.1.
AI Analysis
Technical Summary
The @fedify/fedify library versions before 1.9.6, 1.10.5, 2.0.8, and 2.1.1 contain a CWE-400 uncontrolled resource consumption vulnerability due to recursive HTTP redirects in the remote and authenticated document loaders. The library does not enforce a maximum redirect count or detect redirect loops, allowing an attacker who controls a remote ActivityPub key or actor URL to trigger repeated outbound requests from a single inbound request. This can lead to denial of service by exhausting server resources. The issue affects multiple version ranges and has been fixed in the specified patched versions.
Potential Impact
An attacker can cause a denial of service condition by forcing the vulnerable server to make excessive outbound HTTP requests through recursive redirects. This impacts the availability of the affected system but does not affect confidentiality or integrity. There are no known exploits in the wild at this time.
Mitigation Recommendations
Upgrade @fedify/fedify to version 1.9.6, 1.10.5, 2.0.8, or 2.1.1 or later, where this vulnerability is fixed. Patch status is not explicitly stated in a vendor advisory but fixed versions are clearly identified. No other mitigation or temporary workaround is documented.
CVE-2026-34148: CWE-400: Uncontrolled Resource Consumption in @fedify fedify
Description
Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to 1.9.6, 1.10.5, 2.0.8, and 2.1.1, @fedify/fedify follows HTTP redirects recursively in its remote document loader and authenticated document loader without enforcing a maximum redirect count or visited-URL loop detection. An attacker who controls a remote ActivityPub key or actor URL can force a server using Fedify to make repeated outbound requests from a single inbound request, leading to resource consumption and denial of service. This vulnerability is fixed in 1.9.6, 1.10.5, 2.0.8, and 2.1.1.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The @fedify/fedify library versions before 1.9.6, 1.10.5, 2.0.8, and 2.1.1 contain a CWE-400 uncontrolled resource consumption vulnerability due to recursive HTTP redirects in the remote and authenticated document loaders. The library does not enforce a maximum redirect count or detect redirect loops, allowing an attacker who controls a remote ActivityPub key or actor URL to trigger repeated outbound requests from a single inbound request. This can lead to denial of service by exhausting server resources. The issue affects multiple version ranges and has been fixed in the specified patched versions.
Potential Impact
An attacker can cause a denial of service condition by forcing the vulnerable server to make excessive outbound HTTP requests through recursive redirects. This impacts the availability of the affected system but does not affect confidentiality or integrity. There are no known exploits in the wild at this time.
Mitigation Recommendations
Upgrade @fedify/fedify to version 1.9.6, 1.10.5, 2.0.8, or 2.1.1 or later, where this vulnerability is fixed. Patch status is not explicitly stated in a vendor advisory but fixed versions are clearly identified. No other mitigation or temporary workaround is documented.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-25T20:12:04.195Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Epss Score
- 0.00058
- Epss Percentile
- 0.18049
- Epss Date
- 2026-04-26
- Gcve Source
- db.gcve.eu
Threat ID: 69d3d1a00a160ebd92c130d0
Added to database: 4/6/2026, 3:30:40 PM
Last enriched: 4/14/2026, 4:04:38 PM
Last updated: 5/22/2026, 7:14:04 PM
Views: 40
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.