CVE-2025-68475
Unknown Unknown - Not Provided
ReDoS Vulnerability in Fedify Document Loader Causes DoS

Publication date: 2025-12-22

Last updated on: 2026-03-17

Assigner: GitHub, Inc.

Description
Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to versions 1.6.13, 1.7.14, 1.8.15, and 1.9.2, a Regular Expression Denial of Service (ReDoS) vulnerability exists in Fedify's document loader. The HTML parsing regex at packages/fedify/src/runtime/docloader.ts:259 contains nested quantifiers that cause catastrophic backtracking when processing maliciously crafted HTML responses. This issue has been patched in versions 1.6.13, 1.7.14, 1.8.15, and 1.9.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-22
Last Modified
2026-03-17
Generated
2026-06-16
AI Q&A
2025-12-23
EPSS Evaluated
2026-06-15
NVD
CVE-2025-68475
EUVD
EUVD-2025-204741
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
fedify fedify to 1.6.13 (exc)
fedify fedify From 1.7.0 (inc) to 1.7.14 (exc)
fedify fedify From 1.8.1 (inc) to 1.8.15 (exc)
fedify fedify From 1.9.0 (inc) to 1.9.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1333 The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-68475 is a Regular Expression Denial of Service (ReDoS) vulnerability in the Fedify TypeScript library's document loader. The issue arises from a flawed HTML parsing regular expression that contains nested quantifiers causing catastrophic backtracking when processing maliciously crafted HTML inputs. This leads to exponential processing time, blocking the Node.js event loop for over 14 seconds with a small malicious payload (~170 bytes). The vulnerability can be exploited remotely without any privileges or user interaction by an attacker-controlled federated server sending malicious HTML responses, causing the application to become unresponsive. [1]

Impact Analysis

This vulnerability can severely impact availability by causing a Denial of Service (DoS). When exploited, the vulnerable regex causes catastrophic backtracking, blocking the Node.js event loop and making the Fedify application unresponsive for extended periods (14+ seconds). This prevents the application from handling other events efficiently, leading to service outages. The attack requires no privileges, has low complexity, and can be executed remotely by sending a crafted malicious HTML payload. [1, 2, 3, 5]

Detection Guidance

This vulnerability can be detected by monitoring for unusually high CPU usage or event loop blocking in Node.js applications using vulnerable versions of Fedify when processing HTML responses from federated servers. A practical detection method is to observe delays or timeouts during calls to lookupObject fetching federated actor profiles. While no specific detection commands are provided, you can use Node.js profiling tools or monitoring commands such as `top`, `htop`, or `pidstat` to detect high CPU usage. Additionally, running the provided proof-of-concept (PoC) Node.js script or Docker-based PoC from Resource 1 can help reproduce and detect the vulnerability in a controlled environment. [1]

Mitigation Strategies

Immediate mitigation steps include upgrading the @fedify/fedify package to one of the patched versions: 1.6.13, 1.7.14, 1.8.15, or 1.9.2. Additionally, enforce maximum response body size limits (e.g., 1MB) before applying the regex processing to prevent large malicious inputs. If upgrading is not immediately possible, consider refactoring or replacing the vulnerable regex with safer patterns that avoid nested quantifiers or use atomic grouping/possessive quantifiers where supported. These steps will prevent catastrophic backtracking and reduce the risk of denial of service. [1, 2, 3, 5, 7]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-68475. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart