CVE-2025-68475

Exploit

EPSS 0.19%
Veröffentlicht 22.12.2025 21:31:20
Zuletzt bearbeitet 17.03.2026 19:39:32
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to versions 1.6.13, 1.7.14, 1.8.15, and 1.9.2, a Regular Expression Denial of Service (ReDoS) vulnerability exists in Fedify's document loader. The HTML parsing regex at packages/fedify/src/runtime/docloader.ts:259 contains nested quantifiers that cause catastrophic backtracking when processing maliciously crafted HTML responses. This issue has been patched in versions 1.6.13, 1.7.14, 1.8.15, and 1.9.2.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 10

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Fedify ≫ Fedify Version < 1.6.13

Fedify ≫ Fedify Version >= 1.7.0 < 1.7.14

Fedify ≫ Fedify Version >= 1.8.1 < 1.8.15

Fedify ≫ Fedify Version >= 1.9.0 < 1.9.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.19%	0.403

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-1333 Inefficient Regular Expression Complexity

The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.

https://github.com/fedify-dev/fedify/security/advisories/GHSA-rchf-xwx2-hm93

Vendor Advisory

Exploit

Mitigation

https://github.com/fedify-dev/fedify/commit/2bdcb24d7d6d5886e0214ed504b63a6dc5488779

Patch

https://github.com/fedify-dev/fedify/commit/bf2f0783634efed2663d1b187dc55461ee1f987a

Patch

https://github.com/fedify-dev/fedify/releases/tag/1.6.13

Product

Release Notes

https://github.com/fedify-dev/fedify/releases/tag/1.7.14