CVE-2026-34148: Fedify affected by resource exhaustion caused by unbounded redirect following during remote key/document resolution
@fedify/fedify follows HTTP redirects recursively in its remote document loader and authenticated document loader without enforcing a maximum redirect count or visited-URL loop detection. An attacker who controls a remote ActivityPub key or actor URL can force a server using Fedify to make repeated outbound requests from a single inbound request, leading to resource consumption and denial of service.
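The mitigation the fix implies is a hop cap plus visited-URL tracking in the document loader. The following is an added illustration of that pattern, not Fedify's own code: `fetchDocument` is a hypothetical loader that takes an injected `Fetcher` in place of `fetch`, and the three constructed fetchers stand in for a legitimate redirect chain, a redirect loop, and an endless chain of fresh URLs (the shape that a cap alone must stop).

```typescript
// Added illustrative loader (not Fedify's own code): follow redirects with a hop cap
// and visited-URL loop detection; `Fetcher` is an offline stand-in for fetch.
type Resp = { status: number; headers: Map<string, string>; body: string };
type Fetcher = (url: string) => Promise<Resp>;
type Doc = { url: string; body: string; hops: number };
const MAX_REDIRECTS = 5; // assumed policy value, not a Fedify constant
async function fetchDocument(url: string, fetchLike: Fetcher, maxRedirects = MAX_REDIRECTS): Promise<Doc> {
  const visited = new Set<string>();
  let current = new URL(url).href; // normalize before tracking
  for (let hops = 0; ; hops++) {
    if (visited.has(current)) throw new Error(`redirect loop at ${current}`);
    visited.add(current);
    const resp = await fetchLike(current);
    if (resp.status >= 300 && resp.status < 400) {
      const location = resp.headers.get("location");
      if (location === undefined) throw new Error(`redirect without Location from ${current}`);
      if (hops + 1 > maxRedirects) throw new Error(`exceeded ${maxRedirects} redirects`);
      const next = new URL(location, current); // resolves relative Location values
      if (next.protocol !== "https:" && next.protocol !== "http:") throw new Error(`refusing ${next.protocol}`);
      current = next.href;
      continue;
    }
    if (resp.status !== 200) throw new Error(`unexpected status ${resp.status} from ${current}`);
    return { url: current, body: resp.body, hops };
  }
}
// Render success and each failure mode as a comparable string.
async function outcome(url: string, fetchLike: Fetcher): Promise<string> {
  try { const d = await fetchDocument(url, fetchLike); return `ok:${d.hops}:${d.url}`; }
  catch (e) { return `error:${(e as Error).message}`; }
}
// Constructed responses standing in for remote servers.
const redirect = (to: string): Resp => ({ status: 302, headers: new Map([["location", to]]), body: "" });
const ok = (body: string): Resp => ({ status: 200, headers: new Map(), body });
const fromRoutes = (routes: Map<string, Resp>): Fetcher =>
  async (url) => routes.get(url) ?? { status: 404, headers: new Map(), body: "" };
const chainFetch = fromRoutes(new Map([ // legitimate two-hop chain to an actor document
  ["https://a.example/actor", redirect("https://a.example/users/alice")],
  ["https://a.example/users/alice", redirect("https://b.example/users/alice")],
  ["https://b.example/users/alice", ok('{"type":"Person"}')],
]));
const loopFetch = fromRoutes(new Map([ // A -> B -> A, stopped by the visited set
  ["https://a.example/key", redirect("https://b.example/key")],
  ["https://b.example/key", redirect("https://a.example/key")],
]));
const endlessFetch: Fetcher = async (url) => { // fresh URL every hop, stopped only by the cap
  const n = Number(new URL(url).searchParams.get("n") ?? "0");
  return redirect(`https://c.example/hop?n=${n + 1}`);
};
```

With a cap of 5 the endless chain costs at most six outbound requests per inbound request, which is the bound the advisory says the unpatched loader lacks; the same loader should back both the plain and the authenticated document-loading paths.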
References
- github.com/advisories/GHSA-gm9m-gwc4-hwgp
- github.com/fedify-dev/fedify
- github.com/fedify-dev/fedify/releases/tag/1.10.5
- github.com/fedify-dev/fedify/releases/tag/1.9.6
- github.com/fedify-dev/fedify/releases/tag/2.0.8
- github.com/fedify-dev/fedify/releases/tag/2.1.1
- github.com/fedify-dev/fedify/security/advisories/GHSA-gm9m-gwc4-hwgp
- nvd.nist.gov/vuln/detail/CVE-2026-34148