CVE-2026-34148
Published: 06 April 2026
Summary
CVE-2026-34148 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in the Fedify library (vendor/product: Fedify/Fedify). Its CVSS base score is 7.5 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 24.8th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a referenced public proof-of-concept.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Deeper analysis
CVE-2026-34148 affects Fedify, a TypeScript library (@fedify/fedify) used for building federated server applications powered by ActivityPub. In versions prior to 1.9.6, 1.10.5, 2.0.8, and 2.1.1, the library's remote document loader and authenticated document loader recursively follow HTTP redirects without enforcing a maximum redirect count or implementing visited-URL loop detection. This flaw, associated with CWE-400 (Uncontrolled Resource Consumption) and CWE-770 (Allocation of Resources Without Limits or Throttling), carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high-impact availability disruption.
An attacker who controls a remote ActivityPub key or actor URL (typically one referenced by an activity delivered to the vulnerable server) can serve crafted redirects that the document loader follows without bound, so that a single inbound request fans out into a long or endless series of outbound HTTP requests from the Fedify-based server. The resulting CPU, memory and connection consumption produces a denial-of-service condition. Exploitation needs no privileges or user interaction and is reachable over the network with low attack complexity.
The Fedify security advisory (GHSA-gm9m-gwc4-hwgp) and the release notes for 1.9.6, 1.10.5, 2.0.8 and 2.1.1 confirm that the fix adds a maximum redirect count and visited-URL loop detection to both document loaders. Operators should upgrade to the patched release of the branch they run (1.9.x to 1.9.6, 1.10.x to 1.10.5, 2.0.x to 2.0.8, 2.1.x to 2.1.1). Until the upgrade lands, capping outbound request concurrency and per-host request budgets at the egress layer limits the blast radius but does not remove the flaw.
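To make the mechanism concrete, the following is an added illustrative example written for this page; it is not Fedify's own loader code and does not reproduce the project's API. It places the unbounded recursive redirect-following pattern the advisory describes next to a hardened loader that enforces a maximum hop count and visited-URL loop detection, and drives both through a mock fetcher with constructed hosts (good.example, evil.example, chain.example) and responses. The function names, the `SimpleResponse` shape, the mock request budget and the restriction of redirect targets to http(s) are all assumptions of the example.

```typescript
// Illustrative example added by the editor; not Fedify's own loader code.
// All hosts, URLs and responses below are constructed for the demo.

export interface SimpleResponse {
  status: number;
  location?: string; // Location header when the response is a redirect
  body?: string;
}
export type Fetcher = (url: string) => Promise<SimpleResponse>;
export interface LoadResult { url: string; status: number; body: string; outbound: number }

export class RedirectLoopError extends Error {
  constructor(url: string) { super(`redirect loop: ${url} was already requested`); this.name = "RedirectLoopError"; }
}
export class RedirectLimitError extends Error {
  constructor(max: number) { super(`more than ${max} redirects`); this.name = "RedirectLimitError"; }
}

function isRedirect(res: SimpleResponse): res is SimpleResponse & { location: string } {
  return res.status >= 300 && res.status < 400 && typeof res.location === "string";
}

// Deliberately narrow Location handling (an assumption of this example): absolute
// http(s) URLs pass, root-relative paths are joined to the redirecting origin, and
// everything else (other schemes, protocol-relative "//host") is refused so a
// redirect cannot steer the loader off HTTP(S).
export function resolveLocation(base: string, location: string): string {
  if (/^https?:\/\//i.test(location)) return location;
  const origin = /^https?:\/\/[^/]+/i.exec(base);
  if (origin && location.startsWith("/") && !location.startsWith("//")) return origin[0] + location;
  throw new Error(`unsupported redirect target: ${location}`);
}

// The vulnerable shape described in the advisory: recurse on every 3xx with no hop
// count and no memory of visited URLs. A two-node cycle keeps this issuing outbound
// requests until something else (stack, memory, the mock budget below) gives out.
export async function loadDocumentUnbounded(fetcher: Fetcher, url: string): Promise<SimpleResponse> {
  const res = await fetcher(url);
  if (isRedirect(res)) return loadDocumentUnbounded(fetcher, resolveLocation(url, res.location));
  return res;
}

// Hardened shape: at most maxRedirects hops, and each URL is requested at most once.
export async function loadDocument(fetcher: Fetcher, url: string, maxRedirects = 5): Promise<LoadResult> {
  const visited = new Set<string>();
  let current = url;
  for (let hops = 0; ; hops++) {
    if (visited.has(current)) throw new RedirectLoopError(current);
    visited.add(current);
    const res = await fetcher(current);
    if (!isRedirect(res)) {
      return { url: current, status: res.status, body: res.body ?? "", outbound: visited.size };
    }
    if (hops >= maxRedirects) throw new RedirectLimitError(maxRedirects);
    current = resolveLocation(current, res.location);
  }
}

// Constructed routing table standing in for remote ActivityPub servers.
export const ROUTES: Record<string, SimpleResponse> = {
  "https://good.example/users/alice": { status: 302, location: "https://good.example/ap/alice" },
  "https://good.example/ap/alice": { status: 200, body: '{"type":"Person","id":"https://good.example/ap/alice"}' },
  // attacker-controlled actor URL: a two-node cycle, the second hop root-relative
  "https://evil.example/actor": { status: 302, location: "https://evil.example/actor2" },
  "https://evil.example/actor2": { status: 302, location: "/actor" },
};
// attacker-controlled chain of 20 distinct hops: loop detection alone would not stop it
for (let i = 0; i < 20; i++) {
  ROUTES[`https://chain.example/${i}`] = { status: 302, location: `https://chain.example/${i + 1}` };
}
ROUTES["https://chain.example/20"] = { status: 200, body: "{}" };

// Mock fetcher that records every outbound request and refuses after `budget`
// requests, so the unbounded loader terminates in the demo instead of running forever.
export function makeMockFetcher(budget = 1000): { fetcher: Fetcher; calls: string[] } {
  const calls: string[] = [];
  const fetcher: Fetcher = async (url) => {
    if (calls.length >= budget) throw new Error(`mock budget of ${budget} requests exhausted`);
    calls.push(url);
    return ROUTES[url] ?? { status: 404 };
  };
  return { fetcher, calls };
}

// Runs both loaders against the scenarios and reports outcome plus outbound request count.
export async function demo(): Promise<Record<string, string>> {
  const out: Record<string, string> = {};
  const run = async (label: string, fn: (f: Fetcher) => Promise<unknown>) => {
    const { fetcher, calls } = makeMockFetcher();
    try { await fn(fetcher); out[label] = `ok after ${calls.length} outbound requests`; }
    catch (e) { out[label] = `${(e as Error).name}: ${(e as Error).message} (${calls.length} outbound requests)`; }
  };
  await run("hardened/good", (f) => loadDocument(f, "https://good.example/users/alice"));
  await run("hardened/loop", (f) => loadDocument(f, "https://evil.example/actor"));
  await run("hardened/chain", (f) => loadDocument(f, "https://chain.example/0"));
  await run("unbounded/loop", (f) => loadDocumentUnbounded(f, "https://evil.example/actor"));
  return out;
}

demo().then((r) => console.log(r));
```

Two points the demo makes that the prose alone does not: the hardened loader bounds the damage from a single inbound request to at most `maxRedirects + 1` outbound requests (six with the default of five), while the unbounded loader against a two-node cycle issues requests until the mock's budget of 1000 cuts it off; and a hop cap and loop detection are complementary, since a long chain of distinct URLs defeats loop detection alone and a short cycle is caught earlier by loop detection than by the cap.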
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-19295
Vulnerability details
Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to 1.9.6, 1.10.5, 2.0.8, and 2.1.1, @fedify/fedify follows HTTP redirects recursively in its remote document loader and authenticated document loader without enforcing a maximum redirect count or visited-URL loop detection. An attacker who controls a remote ActivityPub key or actor URL can force a server using Fedify to make repeated outbound requests from a single inbound request, leading to resource consumption and denial of service. This vulnerability is fixed in 1.9.6, 1.10.5, 2.0.8, and 2.1.1.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables endpoint denial of service through application or system exploitation (T1499.004): crafted redirects served from an attacker-controlled key or actor URL trigger uncontrolled outbound request fan-out, and with it uncontrolled resource consumption, in the document loader.
Mitigating Controls (NIST 800-53 r5)
- SC-5 (Denial-of-service Protection): directly addresses denial-of-service attacks, including the resource exhaustion caused by unlimited recursive HTTP redirects in Fedify's document loaders.
- SC-6 (Resource Availability): mitigates resource exhaustion through controls that cap the consumption a single inbound request can trigger, such as bounding the number of outbound requests made on behalf of one inbound request.
- Flaw remediation: ensures timely correction of the specific defect by upgrading to a patched Fedify release (1.9.6, 1.10.5, 2.0.8 or 2.1.1), which adds redirect limits and loop detection.