Executive Summary

CVE-2026-34148 is a vulnerability in the Fedify TypeScript library used for building federated server apps with ActivityPub. The issue arises because Fedify's remote document loader and authenticated document loader follow HTTP redirects recursively without any limit on the number of redirects or detection of redirect loops.

An attacker who controls a remote ActivityPub key or actor URL can exploit this by causing the server to follow an unbounded chain of HTTP 3xx redirects, including redirect loops. This forces the server to make many outbound HTTP requests from a single inbound request.

This behavior leads to excessive resource consumption such as CPU, network bandwidth, and worker threads, ultimately causing a denial of service (DoS) condition on the affected server.

The vulnerability is fixed in Fedify versions 1.9.6, 1.10.5, 2.0.8, and 2.1.1 by implementing redirect limits or loop detection to prevent unbounded redirect following.

Useful 0 Not Useful 0

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by causing your Fedify-based server to consume excessive resources when processing ActivityPub requests.

• It can lead to denial of service (DoS) by exhausting CPU, network bandwidth, connection slots, and worker threads.
• An attacker can remotely trigger this without any authentication or user interaction by controlling a remote ActivityPub key or actor URL.
• Repeated redirect loops can cause the server to make tens or hundreds of outbound HTTP requests per single inbound request, potentially disrupting service availability.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for unusual outbound HTTP requests from your Fedify-based server, especially repeated or recursive HTTP 3xx redirects during ActivityPub key or document resolution.

Since the issue involves unbounded recursive HTTP redirects, you can look for excessive repeated HTTP requests to the same or looping URLs originating from your server.

Commands to help detect this behavior might include network monitoring and logging tools such as:

• Using tcpdump or tshark to capture outbound HTTP traffic and filter for repeated requests to the same URLs.
• Example tcpdump command: tcpdump -i <interface> -nn -s0 -A 'tcp port 80 or tcp port 443' | grep 'GET\|POST'
• Using curl with verbose output to manually test remote ActivityPub key or actor URLs for redirect loops.
• Example curl command: curl -v --max-redirs 10 <remote-activitypub-url>

Additionally, reviewing application logs for repeated failures or excessive remote key fetch attempts can help identify exploitation attempts.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate and recommended mitigation is to upgrade the @fedify/fedify and @fedify/vocab-runtime packages to the fixed versions.

• Upgrade @fedify/fedify to version 1.9.6, 1.10.5, 2.0.8, or 2.1.1 or later.
• Upgrade @fedify/vocab-runtime to version 2.0.8, 2.1.1 or later.

These patched versions implement limits on HTTP redirect following and detect redirect loops, preventing unbounded recursive requests.

Until you can upgrade, consider implementing network-level protections such as limiting outbound HTTP requests or applying rate limiting to reduce the impact of potential redirect loops.

Useful 0 Not Useful 0