
CVE-2026-34148

High · Public PoC · DDoS

Published: 06 April 2026
Modified: 25 April 2026
KEV Added: not listed
Patch: available (1.9.6, 1.10.5, 2.0.8, 2.1.1)
CVSS v3.1: 7.5 (High) · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.0009 (24.8th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-34148 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Fedify (fedify/fedify). Its CVSS v3.1 base score is 7.5 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Application or System Exploitation (T1499.004). Its EPSS score places it at the 24.8th percentile for exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Deeper analysis

CVE-2026-34148 affects Fedify, a TypeScript library (@fedify/fedify) used for building federated server applications powered by ActivityPub. In versions prior to 1.9.6, 1.10.5, 2.0.8, and 2.1.1, the library's remote document loader and authenticated document loader recursively follow HTTP redirects without enforcing a maximum redirect count or implementing visited-URL loop detection. This flaw, associated with CWE-400 (Uncontrolled Resource Consumption) and CWE-770 (Allocation of Resources Without Limits or Throttling), carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high-impact availability disruption.

An attacker who controls a remote ActivityPub key or actor URL can exploit this vulnerability by crafting malicious redirects that trigger repeated outbound HTTP requests from a single inbound request to a vulnerable Fedify-based server. This leads to excessive resource consumption, resulting in denial-of-service conditions. Exploitation requires no privileges or user interaction, making it accessible over the network with low complexity.

The Fedify security advisory (GHSA-gm9m-gwc4-hwgp) and release notes for versions 1.9.6, 1.10.5, 2.0.8, and 2.1.1 confirm that the issue is fixed by adding redirect limits and loop detection in the document loaders. Security practitioners should upgrade to one of these patched versions to mitigate the vulnerability.
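As an added illustration (not Fedify's own code and not taken from the advisory), the following TypeScript contrasts a document loader in the vulnerable shape described above with one that applies the two fixes the advisory names, a maximum redirect count and visited-URL loop detection. The HTTP layer is a constructed in-memory table of responses so the example runs offline; the URLs, the MAX_REDIRECTS value and the request budget are assumptions for the example, not Fedify's defaults.

```typescript
// Added example, not Fedify's code: a redirect-following "document loader" in
// the vulnerable shape described by CVE-2026-34148, beside a hardened version.
// The network is a constructed in-memory response table; MAX_REDIRECTS and the
// request budget are assumed values for illustration.

type Reply = { status: number; location?: string; body?: string };
type Transport = (url: string) => Reply;

// Wraps a response table and counts outbound requests, so the amplification
// from one inbound request is measurable. The budget stands in for the real
// outcome of an unbounded redirect loop (the loader would simply never return).
class CountingTransport {
  requests = 0;
  constructor(private readonly table: Record<string, Reply>, private readonly budget = 1000) {}
  fetch: Transport = (url) => {
    if (this.requests >= this.budget) throw new Error(`request budget of ${this.budget} exhausted`);
    this.requests++;
    return this.table[url] ?? { status: 404 };
  };
}

const isRedirect = (r: Reply): r is Reply & { location: string } =>
  r.status >= 300 && r.status < 400 && typeof r.location === "string";

// VULNERABLE: follows every redirect recursively with no hop count and no
// memory of URLs already visited. One inbound request becomes N outbound ones.
function loadVulnerable(transport: Transport, url: string): string {
  const r = transport(url);
  if (isRedirect(r)) return loadVulnerable(transport, r.location);
  if (r.status !== 200 || r.body === undefined) throw new Error(`fetch failed: ${url} (${r.status})`);
  return r.body;
}

// HARDENED: at most maxRedirects hops, and every URL is visited at most once.
const MAX_REDIRECTS = 5; // assumed limit for the example

function loadHardened(transport: Transport, url: string, maxRedirects = MAX_REDIRECTS): string {
  const visited = new Set<string>();
  let current = url;
  for (let hops = 0; ; hops++) {
    if (visited.has(current)) throw new Error(`redirect loop detected at ${current}`);
    visited.add(current);
    const r = transport(current);
    if (isRedirect(r)) {
      if (hops >= maxRedirects) throw new Error(`more than ${maxRedirects} redirects from ${url}`);
      current = new URL(r.location, current).toString(); // resolve relative Location headers
      continue;
    }
    if (r.status !== 200 || r.body === undefined) throw new Error(`fetch failed: ${current} (${r.status})`);
    return r.body;
  }
}

// Constructed scenarios. The attacker controls what the remote actor or key
// URL returns, so they can make it loop or chain; the legitimate case is one hop.
const ACTOR = '{"type":"Person","id":"https://remote.example/users/alice"}';
const LEGIT: Record<string, Reply> = {
  "https://remote.example/alice": { status: 301, location: "https://remote.example/users/alice" },
  "https://remote.example/users/alice": { status: 200, body: ACTOR },
};
const LOOP: Record<string, Reply> = {
  "https://evil.example/a": { status: 302, location: "https://evil.example/b" },
  "https://evil.example/b": { status: 302, location: "https://evil.example/a" },
};
const CHAIN: Record<string, Reply> = {};
for (let i = 0; i < 50; i++) {
  CHAIN[`https://evil.example/hop${i}`] = { status: 302, location: `https://evil.example/hop${i + 1}` };
}
CHAIN["https://evil.example/hop50"] = { status: 200, body: ACTOR };

type Outcome = { body?: string; error?: string; requests: number };

// Runs a loader against a scenario and reports how many outbound requests the
// single inbound request turned into.
function run(
  loader: (t: Transport, url: string) => string,
  table: Record<string, Reply>,
  start: string,
  budget = 1000,
): Outcome {
  const t = new CountingTransport(table, budget);
  try {
    return { body: loader(t.fetch, start), requests: t.requests };
  } catch (e) {
    return { error: (e as Error).message, requests: t.requests };
  }
}

const SCENARIOS: Array<[string, Record<string, Reply>, string]> = [
  ["legit", LEGIT, "https://remote.example/alice"],
  ["loop", LOOP, "https://evil.example/a"],
  ["chain", CHAIN, "https://evil.example/hop0"],
];
for (const [name, table, start] of SCENARIOS) {
  console.log(name, "vulnerable:", run(loadVulnerable, table, start));
  console.log(name, "hardened:", run(loadHardened, table, start));
}
```

Running it prints the outbound request count per scenario: the vulnerable loader turns one inbound request into 51 for the 50-hop chain and never terminates on the two-URL loop (cut off here only by the constructed budget), while the hardened loader stops after six requests and two respectively and still resolves the legitimate one-hop actor URL. A per-request hop limit bounds amplification per request, not the total; an attacker can still send many inbound requests, so the resource-availability controls listed below (outbound concurrency or per-host budgets) remain worth having.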


Vulnerability details

Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to 1.9.6, 1.10.5, 2.0.8, and 2.1.1, @fedify/fedify follows HTTP redirects recursively in its remote document loader and authenticated document loader without enforcing a maximum redirect count or visited-URL loop detection. An attacker who controls a remote ActivityPub key or actor URL can force a server using Fedify to make repeated outbound requests from a single inbound request, leading to resource consumption and denial of service. This vulnerability is fixed in 1.9.6, 1.10.5, 2.0.8, and 2.1.1.

CWE(s)

CWE-400 Uncontrolled Resource Consumption · CWE-770 Allocation of Resources Without Limits or Throttling

Related Threats

MITRE ATT&CK Enterprise Techniques (AI mapping)

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The vulnerability enables endpoint denial of service via application or system exploitation by allowing crafted redirects to trigger uncontrolled resource consumption in the document loader.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-25762 (shared: CWE-400, CWE-770)
CVE-2026-25673 (shared: CWE-400, CWE-770)
CVE-2026-40192 (shared: CWE-400, CWE-770)
CVE-2026-34826 (shared: CWE-400, CWE-770)
CVE-2026-42583 (shared: CWE-400, CWE-770)
CVE-2026-25535 (shared: CWE-400, CWE-770)
CVE-2026-41309 (shared: CWE-400, CWE-770)
CVE-2025-70069 (shared: CWE-400, CWE-770)
CVE-2025-68272 (shared: CWE-400, CWE-770)
CVE-2026-22815 (shared: CWE-400, CWE-770)

Affected Assets

Vendor: fedify · Product: fedify/fedify · Affected: < 1.9.6 · 1.10.0 to < 1.10.5 · 2.0.0 to < 2.0.8
Vendor: fedify · Product: fedify/vocab-runtime · Affected: < 2.0.8 · 2.1.0 to < 2.1.1

(Upper bounds are exclusive: 1.9.6, 1.10.5, 2.0.8 and 2.1.1 are the fixed releases.)

Mitigating Controls (NIST 800-53 r5, AI mapping)

SC-5 Denial-of-service Protection (prevent · detect)
Directly protects against denial-of-service attacks, including resource exhaustion from unlimited recursive HTTP redirects in Fedify's document loaders.

SC-6 Resource Availability (prevent)
Mitigates resource exhaustion by implementing controls that limit consumption triggered by repeated outbound requests from malicious redirects.

Flaw remediation (prevent)
Ensures timely remediation of the specific flaw in Fedify by upgrading to patched versions that add redirect limits and loop detection.
