Security Update: Hollo 0.6.19 Released

We have released Hollo 0.6.19 to address a security vulnerability in Fedify's HTML parsing code.

This vulnerability (CVE-2025-68475) is a ReDoS (Regular Expression Denial of Service) issue that could allow an attacker to cause service unavailability by sending specially crafted HTML responses during federation operations. The malicious payload is small (approximately 170 bytes) but can block the Node.js event loop for extended periods.

We strongly recommend all Hollo operators upgrade to version 0.6.19 immediately.

Field     Details
CVE       CVE-2025-68475
Severity  High (CVSS 7.5)
Action    Upgrade to Hollo 0.6.19
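To make the mechanism concrete, here is an added JavaScript example; it is not Fedify's or Hollo's code, and the regular expressions and inputs are constructed stand-ins rather than the real pattern. It places a backtracking-prone attribute regex beside a linear-time rewrite and times both on an unterminated value, the kind of input that keeps a synchronous match, and with it the Node.js event loop, busy.

```javascript
// Added illustration, not Fedify's or Hollo's code: the patterns and inputs are
// constructed to show the ReDoS mechanism the advisory describes, not the real bug.

// Backtracking-prone: the inner `[\w-]+` and the outer `+` can split one run of
// word characters in 2^(n-1) ways, so a value that never reaches its closing
// quote makes the engine try every split before it reports "no match".
const CLASS_ATTR_BACKTRACKING = /class="((?:[\w-]+\s*)+)"/;

// Linear-time rewrite: one non-nested quantifier over a class that excludes the
// delimiter. Each character is examined once; there is no alternative split.
const CLASS_ATTR_LINEAR = /class="([^"]*)"/;

// Splits the captured attribute value into class names the way a consumer would.
function classNames(html, re) {
  const m = re.exec(html);
  return m ? m[1].trim().split(/\s+/).filter(Boolean) : null;
}

// Constructed hostile input: a class attribute whose value is never closed.
// `n` word characters are followed by a byte that cannot end the value.
function unterminatedClassAttr(n) {
  return '<span class="' + 'a'.repeat(n) + '!';
}

// Wall-clock time of one synchronous match. While it runs, nothing else on the
// Node.js event loop is served, which is the denial-of-service effect.
function matchMillis(re, input) {
  const start = process.hrtime.bigint();
  re.test(input);
  return Number(process.hrtime.bigint() - start) / 1e6;
}

// Time for the linear pattern to reject a payload of `n` word characters.
function linearMillisFor(n) {
  return matchMillis(CLASS_ATTR_LINEAR, unterminatedClassAttr(n));
}

// Small n only: the doubling per extra character is visible long before the
// match becomes slow enough to stall a real server.
for (const n of [8, 12, 16, 20]) {
  const input = unterminatedClassAttr(n);
  console.log(`n=${n}`,
    `backtracking=${matchMillis(CLASS_ATTR_BACKTRACKING, input).toFixed(3)}ms`,
    `linear=${matchMillis(CLASS_ATTR_LINEAR, input).toFixed(3)}ms`);
}
```

Both patterns agree on well-formed attributes; they differ only in how much work they do before rejecting malformed ones, which is why the fix for a ReDoS is to remove the ambiguity (or replace the regex with a character-by-character parser) rather than to shorten the input.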
