CVE-2025-68475
CVSS base score: 7.5
Exploit

Fedify has ReDoS Vulnerability in HTML Parsing Regex

Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to versions 1.6.13, 1.7.14, 1.8.15, and 1.9.2, a Regular Expression Denial of Service (ReDoS) vulnerability exists in Fedify's document loader. The HTML parsing regex at packages/fedify/src/runtime/docloader.ts:259 contains nested quantifiers that cause catastrophic backtracking when processing maliciously crafted HTML responses. This issue has been patched in versions 1.6.13, 1.7.14, 1.8.15, and 1.9.2.
Data provided by the National Vulnerability Database (NVD)

Affected products (vendor / product / version):
Fedify / Fedify, version < 1.6.13
Fedify / Fedify, version >= 1.7.0 and < 1.7.14
Fedify / Fedify, version >= 1.8.1 and < 1.8.15
Fedify / Fedify, version >= 1.9.0 and < 1.9.2

No warning (advisory notice) was found for this CVE.
EPSS Metrics
Type  Source     Score  Percentile
EPSS  FIRST.org  0.48%  0.376
CVSS Metrics
Source                          Base Score  Exploit Score  Impact Score  Vector String
security-advisories@github.com  7.5         3.9            3.6           CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-1333 Inefficient Regular Expression Complexity

The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.

References
https://github.com/fedify-dev/fedify/security/advisories/GHSA-rchf-xwx2-hm93 (Vendor Advisory, Exploit, Mitigation)
https://github.com/fedify-dev/fedify/commit/2bdcb24d7d6d5886e0214ed504b63a6dc5488779 (Patch)
https://github.com/fedify-dev/fedify/commit/bf2f0783634efed2663d1b187dc55461ee1f987a (Patch)
https://github.com/fedify-dev/fedify/releases/tag/1.6.13 (Product, Release Notes)
https://github.com/fedify-dev/fedify/releases/tag/1.7.14 (Product, Release Notes)
https://github.com/fedify-dev/fedify/releases/tag/1.8.15 (Product, Release Notes)
https://github.com/fedify-dev/fedify/releases/tag/1.9.2 (Product, Release Notes)