CVE-2025-68475
ReDoS Vulnerability in Fedify Document Loader Causes DoS
Publication date: 2025-12-22
Last updated on: 2026-03-17
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| fedify | fedify | to 1.6.13 (exc) |
| fedify | fedify | From 1.7.0 (inc) to 1.7.14 (exc) |
| fedify | fedify | From 1.8.1 (inc) to 1.8.15 (exc) |
| fedify | fedify | From 1.9.0 (inc) to 1.9.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1333 | The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-68475 is a Regular Expression Denial of Service (ReDoS) vulnerability in the Fedify TypeScript library's document loader. The issue arises from a flawed HTML parsing regular expression that contains nested quantifiers causing catastrophic backtracking when processing maliciously crafted HTML inputs. This leads to exponential processing time, blocking the Node.js event loop for over 14 seconds with a small malicious payload (~170 bytes). The vulnerability can be exploited remotely without any privileges or user interaction by an attacker-controlled federated server sending malicious HTML responses, causing the application to become unresponsive. [1]
How can this vulnerability impact me?
This vulnerability can severely impact availability by causing a Denial of Service (DoS). When exploited, the vulnerable regex causes catastrophic backtracking, blocking the Node.js event loop and making the Fedify application unresponsive for extended periods (14+ seconds). This prevents the application from handling other events efficiently, leading to service outages. The attack requires no privileges, has low complexity, and can be executed remotely by sending a crafted malicious HTML payload. [1, 2, 3, 5]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unusually high CPU usage or event loop blocking in Node.js applications using vulnerable versions of Fedify when processing HTML responses from federated servers. A practical detection method is to observe delays or timeouts during calls to `lookupObject` fetching federated actor profiles. While no specific detection commands are provided, you can use Node.js profiling tools or monitoring commands such as `top`, `htop`, or `pidstat` to detect high CPU usage. Additionally, running the provided proof-of-concept (PoC) Node.js script or Docker-based PoC from Resource 1 can help reproduce and detect the vulnerability in a controlled environment. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading the @fedify/fedify package to one of the patched versions: 1.6.13, 1.7.14, 1.8.15, or 1.9.2. Additionally, enforce maximum response body size limits (e.g., 1MB) before applying the regex processing to prevent large malicious inputs. If upgrading is not immediately possible, consider refactoring or replacing the vulnerable regex with safer patterns that avoid nested quantifiers or use atomic grouping/possessive quantifiers where supported. These steps will prevent catastrophic backtracking and reduce the risk of denial of service. [1, 2, 3, 5, 7]
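The two mitigations above (a body-size cap applied before any regex work, and a parser without nested quantifiers) as an added example; this is not Fedify's code, and the assumption that the HTML is scanned for an `<link rel="alternate">` pointing at an ActivityPub document, along with the sample HTML, is constructed for illustration:

```javascript
// Added example, not Fedify's implementation. Assumes the document loader
// scans an HTML profile page for <link rel="alternate"> tags (assumption).
const MAX_BODY_BYTES = 1024 * 1024; // 1 MB cap, as suggested in the mitigation

// Accumulate body chunks and abort as soon as the cap is exceeded, so an
// oversized response is rejected before any parsing touches it.
function readBodyWithLimit(chunks, maxBytes = MAX_BODY_BYTES) {
  const parts = [];
  let total = 0;
  for (const chunk of chunks) {
    const buf = Buffer.from(chunk);
    total += buf.length;
    if (total > maxBytes) throw new Error(`response body exceeds ${maxBytes} bytes`);
    parts.push(buf);
  }
  return Buffer.concat(parts).toString("utf8");
}

// Attribute matcher with no nested quantifiers: every alternative is a
// character class that excludes its own terminator, so matching is linear.
const ATTR_RE = /([a-zA-Z:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

// Locate each <link ...> tag with indexOf (linear), then run the bounded
// attribute regex only over that tag's attribute string.
function findAlternateLinks(html, mediaType) {
  const lower = html.toLowerCase();
  const hrefs = [];
  let pos = 0;
  for (;;) {
    const start = lower.indexOf("<link", pos);
    if (start === -1) break;
    const end = lower.indexOf(">", start);
    if (end === -1) break;
    const next = lower[start + 5];
    if (next !== undefined && !/[\s\/>]/.test(next)) { pos = start + 5; continue; } // e.g. <linkfoo>
    const attrs = {};
    for (const m of html.slice(start + 5, end).matchAll(ATTR_RE)) {
      attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
    }
    if ((attrs.rel ?? "").toLowerCase().split(/\s+/).includes("alternate") &&
        attrs.type === mediaType && attrs.href) {
      hrefs.push(attrs.href);
    }
    pos = end + 1;
  }
  return hrefs;
}

// Constructed sample response body for a local run.
const SAMPLE_HTML = `<!doctype html><html><head>
<link rel="stylesheet" href="/style.css">
<link rel="alternate" type="application/activity+json" href="https://example.com/users/alice">
<LINK REL='alternate' type='application/activity+json' href='https://example.com/users/alice.json'>
</head><body>profile</body></html>`;
```

Running `findAlternateLinks(readBodyWithLimit([SAMPLE_HTML]), "application/activity+json")` yields both alternate hrefs; feeding chunks whose total exceeds the cap throws before the scanner runs.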