CVE-2026-42462: CWE-180: Incorrect Behavior Order: Validate Before Canonicalize in fedify-dev fedify
Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to versions 1.9.11, 1.10.10, 2.0.18, 2.1.14, and 2.2.3, an attacker can make use of JSON-LD features to restructure a JSON-LD document that would change how Fedify interprets it without changing its Linked Data Signature, allowing them to alter a third-party signed activity they have received. Versions 1.9.11, 1.10.10, 2.0.18, 2.1.14, and 2.2.3 fix the issue.
AI Analysis
Technical Summary
CVE-2026-42462 describes a vulnerability in Fedify where an attacker can restructure a JSON-LD document so that Fedify interprets it differently, without changing its Linked Data Signature. The root cause is an incorrect behavior order (CWE-180): Fedify validated and interpreted the document before canonicalizing it. A Linked Data Signature is computed over the canonicalized form of the document, which is unaffected by such JSON-LD restructuring, so the signature still verifies while Fedify's interpretation of the uncanonicalized document changes. The vulnerability affects versions before 1.9.11, 1.10.10, 2.0.18, 2.1.14, and 2.2.3; those versions fix the issue by correcting the order of validation and canonicalization.
Potential Impact
An attacker can alter a third-party signed activity received by Fedify without invalidating its Linked Data Signature, potentially causing Fedify to process malicious or manipulated data. The CVSS score of 7.0 (high) reflects the network attack vector, high impact on integrity, and low impact on confidentiality and availability.
Mitigation Recommendations
Fixed versions 1.9.11, 1.10.10, 2.0.18, 2.1.14, and 2.2.3 address this vulnerability. Users should upgrade to these or later versions to remediate the issue. No vendor advisory is provided to indicate alternative mitigations or temporary fixes.
CVSS v3.1
Score: 7.0 (High)
Affected software
pkg:npm/fedify-dev/fedify
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-04-27T13:55:58.694Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a29d0220e53e738839869b0
Added to database: 6/10/2026, 8:59:14 PM
Last enriched: 6/10/2026, 9:15:41 PM
Last updated: 6/10/2026, 10:52:14 PM