Fedify: ActivityPub server framework @fedify@hollo.social
Public

🚨 Security Advisory: CVE-2025-68475

A ReDoS (Regular Expression Denial of Service) vulnerability has been discovered in Fedify's HTML parsing code. This vulnerability could allow a malicious federated server to cause denial of service by sending specially crafted HTML responses.
CVE ID CVE-2025-68475
Severity High (CVSS 7.5)
Affected versions ≀1.9.1
Patched versions 1.6.13, 1.7.14, 1.8.15, 1.9.2

If you're running Fedify in production, please upgrade to one of the patched versions immediately.

For full details, see the security advisory: https://github.com/fedify-dev/fedify/security/advisories/GHSA-rchf-xwx2-hm93

Thank you to Yue (Knox) Liu for responsibly reporting this vulnerability.

Hi Fedify team! πŸ‘‹ Thank you for your work on Fedifyβ€”it's a fantastic library for building federated applications. While reviewing the codebase, I discovered a Regular Expression Denial of Servic...

ReDoS Vulnerability in HTML Parsing Regex

Hi Fedify team! πŸ‘‹ Thank you for your work on Fedifyβ€”it's a fantastic library for building federated applications. While reviewing the codebase, I discovered a Regular Expression Denial of Servic...

github.com Β· GitHub

0
1
0

If you have a fediverse account, you can quote this note from your own instance. Search https://hollo.social/@fedify/019b3a2d-d73a-7086-99ab-7a462b3b115e on your instance and quote it. (Note that quoting is not supported in Mastodon.)