Security Update: Hollo 0.6.19 Released

We have released Hollo 0.6.19 to address a security vulnerability in Fedify's HTML parsing code.

This vulnerability (CVE-2025-68475) is a ReDoS (Regular Expression Denial of Service) issue that could allow an attacker to cause service unavailability by sending specially crafted HTML responses during federation operations. The malicious payload is small (approximately 170 bytes) but can block the Node.js event loop for extended periods.
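As an added illustration of the bug class (not Fedify's or Hollo's code, and not the pattern fixed in 0.6.19), the following constructed JavaScript contrasts a regex with nested quantifiers, which backtracks exponentially on a short malformed input, against a hand-written linear-time check with a size cap, and times how long each holds the Node.js event loop:

```javascript
// Added illustration of the ReDoS bug class behind CVE-2025-68475.
// The regex below is a constructed textbook example, not Fedify's pattern.

// Backtracking-prone check: nested quantifiers ([a-z]+\s*)+ let the engine
// split a run of n letters in 2^(n-1) ways, so a short input that fails on
// its final character forces exponential backtracking on the event loop.
const BACKTRACKING_TAG = /^<([a-z]+\s*)+>$/;

// Hardened equivalent: one left-to-right scan, no regex, plus a size cap so
// no single input can occupy the event loop for more than O(MAX_TAG_LEN).
const MAX_TAG_LEN = 256;
function isSimpleTagLinear(s) {
  if (s.length > MAX_TAG_LEN || s.length < 3) return false;
  if (s[0] !== '<' || s[s.length - 1] !== '>') return false;
  let sawLetter = false;
  for (let i = 1; i < s.length - 1; i++) {
    const c = s[i];
    if (c >= 'a' && c <= 'z') sawLetter = true;
    else if (c !== ' ' && c !== '\t') return false;
  }
  return sawLetter;
}

// Constructed malformed input: a valid-looking prefix that fails at the end.
function evilInput(n) {
  return '<' + 'a'.repeat(n) + '!';
}

// Wall-clock time a matcher blocks the event loop (regex matching in V8 is
// synchronous, so this is time the whole process cannot serve requests).
function timeMatcher(fn, input) {
  const t0 = performance.now();
  const result = fn(input);
  return { result, ms: performance.now() - t0 };
}

function demo(n) {
  const payload = evilInput(n);
  const slow = timeMatcher((s) => BACKTRACKING_TAG.test(s), payload);
  const fast = timeMatcher(isSimpleTagLinear, payload);
  console.log(`${payload.length}-byte input: regex ${slow.ms.toFixed(1)} ms, ` +
              `linear scan ${fast.ms.toFixed(3)} ms (both reject it)`);
  return { slowMs: slow.ms, fastMs: fast.ms };
}

// Each extra letter roughly doubles the regex time; the scan stays flat.
for (const n of [16, 18, 20]) demo(n);
```

Raising n by a few more letters is enough to stall the process for seconds, which is the same failure mode a small crafted HTML response triggers in an unpatched instance.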

We strongly recommend all Hollo operators upgrade to version 0.6.19 immediately.

Field     Details
CVE       CVE-2025-68475
Severity  High (CVSS 7.5)
Action    Upgrade to Hollo 0.6.19


Original note: https://hollo.social/@hollo/019b3b9e-bb9f-766c-b0ae-5f6c6b02dbfd