Fedify security updates: 1.6.13, 1.7.14, 1.8.15, and 1.9.2 #495
dahlia
announced in
Announcements
All Fedify users should update to the latest patched versions. A ReDoS (Regular Expression Denial of Service) vulnerability (CVE-2025-68475) has been discovered in Fedify's HTML parsing code that allows attackers to cause denial of service by sending specially crafted HTML responses.
This vulnerability affects all Fedify instances that fetch remote actors or objects from potentially untrusted federated servers. An attacker-controlled server can respond with a small (~170 bytes) malicious HTML payload that blocks the Node.js event loop for 14+ seconds, causing service unavailability.
The following versions contain the security fix: 1.6.13, 1.7.14, 1.8.15, and 1.9.2. Users should update immediately using their package manager with a command such as:

- `npm update @fedify/fedify`
- `yarn upgrade @fedify/fedify`
- `pnpm update @fedify/fedify`
- `bun update @fedify/fedify`
- `deno update @fedify/fedify`

After updating, redeploy your application immediately. Please also inform other Fedify operators about this update to ensure the availability of the entire federation network.
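As an added example (not code from the Fedify project or from this announcement): a small Node.js script that classifies an installed `@fedify/fedify` version against the patched versions listed above, so operators with several deployments can see which ones still need the update. It treats a pre-release of a fix version (for example `1.9.2-dev.1`) as unpatched, reports release lines older than 1.6 as unpatched, and reports lines the announcement does not mention (1.10 and later, 2.x) as unknown rather than guessing. The dependency-tree shape it walks is an assumption modelled on `npm ls --json` output, and the sample tree is constructed, not real output.

```javascript
// Added example, not code from Fedify or this announcement.
// Classifies an installed @fedify/fedify version against the patched
// versions named in the advisory for CVE-2025-68475.

// Lowest patched version per release line, as listed in the announcement.
const PATCHED_FLOORS = {
  "1.6": 13,
  "1.7": 14,
  "1.8": 15,
  "1.9": 2,
};

// Parse "1.8.15" or "v1.9.2-dev.3" into numeric parts plus an optional pre-release tag.
function parseVersion(text) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(
    String(text).trim()
  );
  if (!m) throw new Error(`unparseable version: ${text}`);
  return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]), pre: m[4] ?? null };
}

// Returns "patched", "vulnerable", or "unknown" (release lines the advisory does not cover).
function classifyVersion(text) {
  const v = parseVersion(text);
  const floor = PATCHED_FLOORS[`${v.major}.${v.minor}`];
  if (floor === undefined) {
    // 0.x and 1.0 to 1.5 received no fix in this advisory; 1.10+ and 2.x are not
    // covered by it at all, so do not claim either way for those.
    const olderThanFixedLines = v.major < 1 || (v.major === 1 && v.minor < 6);
    return olderThanFixedLines ? "vulnerable" : "unknown";
  }
  if (v.patch < floor) return "vulnerable";
  // A pre-release of the fix version (e.g. 1.9.2-dev.1) sorts before 1.9.2 in semver.
  if (v.patch === floor && v.pre !== null) return "vulnerable";
  return "patched";
}

// Walk a dependency tree (assumed shape, modelled on `npm ls --json`:
// { dependencies: { name: { version, dependencies } } }) and collect every
// @fedify/fedify occurrence, including transitive copies pulled in by plugins.
function auditTree(tree, path = [], out = []) {
  for (const [name, info] of Object.entries(tree.dependencies ?? {})) {
    const here = [...path, name];
    if (name === "@fedify/fedify" && info.version) {
      out.push({
        path: here.join(" > "),
        version: info.version,
        status: classifyVersion(info.version),
      });
    }
    auditTree(info, here, out);
  }
  return out;
}

// Constructed sample tree (not real npm output): a direct dependency that is still
// unpatched and a plugin carrying its own, already patched, copy.
const SAMPLE_TREE = {
  dependencies: {
    "@fedify/fedify": { version: "1.9.1" },
    "my-plugin": {
      version: "0.3.0",
      dependencies: { "@fedify/fedify": { version: "1.8.15" } },
    },
  },
};

for (const r of auditTree(SAMPLE_TREE)) {
  console.log(`${r.status.padEnd(10)} ${r.version.padEnd(12)} ${r.path}`);
}
```

To run it against a real deployment, replace `SAMPLE_TREE` with the parsed output of `npm ls @fedify/fedify --json` (or the equivalent for your package manager) and treat any line reported as "vulnerable" as needing the update and a redeploy.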
Please update now and feel free to leave comments below if you have any questions.