We've released BotKit 0.3.1 with an important security fix.
This update addresses CVE-2025-68475 (High severity, CVSS 7.5), a ReDoS vulnerability in Fedify's HTML parsing that could cause denial of service.
If you're using BotKit 0.3.x, please upgrade to 0.3.1 as soon as possible.
Fedify의 HTML 파싱 코드에서 발견된 보안 취약점을 수정한 Hollo 0.6.19를 릴리스했습니다.
이 취약점(CVE-2025-68475)은 ReDoS(정규 표현식 서비스 거부) 문제로, 공격자가 연합 작업 중 특수하게 조작된 HTML 응답을 보내 서비스 장애를 유발할 수 있습니다. 악성 페이로드는 작지만(약 170바이트), Node.js 이벤트 루프를 장시간 차단할 수 있습니다.
모든 Hollo 운영자분들께 즉시 버전 0.6.19로 업그레이드하실 것을 강력히 권고드립니다.
| 항목 | 상세 |
|---|---|
| CVE | CVE-2025-68475 |
| 심각도 | 높음 (CVSS 7.5) |
| 조치 | Hollo 0.6.19로 업그레이드 |
FedifyのHTMLパースコードにおけるセキュリティ脆弱性に対応したHollo 0.6.19をリリースしました。
この脆弱性 (CVE-2025-68475) は ReDoS (正規表現によるサービス拒否) の問題であり、攻撃者がフェデレーション操作中に特別に細工されたHTMLレスポンスを送信することで、サービス停止を引き起こす可能性があります。悪意のあるペイロードは小さい (約170バイト) ですが、Node.jsのイベントループを長時間ブロックする可能性があります。
すべてのHollo運営者の皆様には、直ちにバージョン 0.6.19 へのアップグレードを強くお勧めします。
| 項目 | 詳細 |
|---|---|
| CVE | CVE-2025-68475 |
| 深刻度 | 高 (CVSS 7.5) |
| 対応 | Hollo 0.6.19 にアップグレード |
We have released Hollo 0.6.19 to address a security vulnerability in Fedify's HTML parsing code.
This vulnerability (CVE-2025-68475) is a ReDoS (Regular Expression Denial of Service) issue that could allow an attacker to cause service unavailability by sending specially crafted HTML responses during federation operations. The malicious payload is small (approximately 170 bytes) but can block the Node.js event loop for extended periods.
We strongly recommend all Hollo operators upgrade to version 0.6.19 immediately.
| Field | Details |
|---|---|
| CVE | CVE-2025-68475 |
| Severity | High (CVSS 7.5) |
| Action | Upgrade to Hollo 0.6.19 |
I mean, if you really want end to end encryption then just put a contact for that into your profile and then if someone wants to securely DM you they can, and they have the properly implemented and battle tested double ratchet and all that. But no, apparently that's not good enough and it has to be a one stop shop and every fediverse implementation will have to roll its own end-to-end crypto, probably with years of interop bugs and leaks ahead.
security sigh ActivityPub
I'm happy with this #MLS #e2ee development.
Just not with the way in which the #ActivityPub #fediverse now evolves, i.e. on the basis of protocol decay, tech debt, and whack-a-mole development. Which have been my #sighs and frustration in the past years of #SocialHub facilitation and #SocialWeb advocacy.
Where I have use cases is in Personal #SocialNetworking, to enable #DelightfulCommons participation, and subsequently work collectively on #GrassrootsStandards
https://coding.social/introduction/#personal-social-networking
@DaddyRRobertSE 
@django 
@reslRachel E. S. Lösche
Fabulous! I took note in the #ActivityPub #C2S tracking issue I keep on the delightful #fediverse experience curated list.
https://codeberg.org/fediverse/delightful-fediverse-experience/issues/130#issuecomment-9083289
Free Software that I rely on. One per day.
Day 18:
MKVToolNix
This is a tool kit of utilities, including a GUI front end, for manipulating Matroska streaming multimedia files (usually "MKV" or "MKA" files).
The Matroska container format allows for multiple audio, video, and text streams, which means you can encode a video with multiple options for audio and subtitles (as well as alternate video tracks).
It also supports setting up "Chapter" marks.
A must-have for authoring and checking complex videos for streaming and download use.
Free Software that I rely on. One per day.
Day 19:
PeerTube
PeerTube is the main federated video publishing platform, with an interface similar to YouTube, DailyMotion, Vimeo, etc.
Videos are federated like other posts on the Fediverse, as are comments.
It supports many channels and playlists per user.
Discoverability is still a little weak, and the total volume is small compared to the corporate behemoths, but we do have Framasoft's "Sepia Search" service, and the PeerTube universe is growing.
Our PeerTube server is probably the 2nd most important web application I'm running on our server. This has become my primary publication point for both "Lunatics!" and "Film Freedom".
https://joinpeertube.org
https://sepiasearch.org/
Our own server:
https://tv.filmfreedom.net
A ReDoS (Regular Expression Denial of Service) vulnerability has been discovered in Fedify's HTML parsing code. This vulnerability could allow a malicious federated server to cause denial of service by sending specially crafted HTML responses.
| CVE ID | CVE-2025-68475 |
| Severity | High (CVSS 7.5) |
| Affected versions | ≤1.9.1 |
| Patched versions | 1.6.13, 1.7.14, 1.8.15, 1.9.2 |
If you're running Fedify in production, please upgrade to one of the patched versions immediately.
For full details, see the security advisory: https://github.com/fedify-dev/fedify/security/advisories/GHSA-rchf-xwx2-hm93
Thank you to Yue (Knox) Liu for responsibly reporting this vulnerability.
朝から話題にもなっていますが、ThreadsのFediverse連合機能がメンテナンスモードに移行したということで。
この記事を雑に一言でまとめると「MetaはFediverseを上手く利用したよね!」ってことなんだけど、確かにそんな感じではあるよな…。
Fediverse Report -#147 – Connected Places
https://connectedplaces.online/reports/fediverse-report-147/
ずっと中途半端な実装のままでいまさら使う人が少ないから開発やめるって言われると「 #Fediverse 
は SNS の未来です」とか言ってたアレはなんだったんすか #Threads さん、という気持ちにはなるけど、
まあ、単純に商売にならないからやめるんだろうし、Meta が掲げる "SNS の未来" って言葉の重みなんてその程度ですよね〜 
ってなっている
Threads wants to be the app you can’t wait to open in the morning | The Verge
https://www.theverge.com/column/847806/head-of-threads-interview
Did you know that I have a website where I curate apps, websites, and resources for not only the Fediverse (ActivityPub) but for ATProto as well?
Check it out here: https://qrurls.app/fediverseresources/
I'm always looking for contributors and assistant curators. Reach out if you're interested.
#FediverseResources #ATProtoResources #BlueskyResources #fediverse #atproto #activitypub
It's my birthday today! Hard to feel very celebratory with everything that's going on in the world, but it would make my day knowing that people are still finding the strength to be kind to others, as well as to themselves.
And hey, if you have some spare cash, here are some of the causes and organizations I care about:
Support my work | Stefan Bohacek
If you find any of my work useful, please consider donating to some of these organizations and causes: And here are some software projects I use that you can support: If you insist on giving me money directly, here are your options: Thank you! Also, if you represent an organization, please see the Stefan’s Open...
stefanbohacek.com
Link author: 
Stefan Bohacek@stefan@stefanbohacek.online
@stefanStefan Bohacek Happy Birthday Stefan!! Thanks for all the good work that you do, you make the #fediverse a better place singlehandedly!! 
🎂 🎉
Servers
- Mbin v1.9.0
- stegodon v1.4.3
- PeerTube v8.0.1
- ActivityPub for WordPress v7.8.0
- Ktistec v3.2.4
- Manyfold v0.130.0
- Wafrn v2025.12.03
- Misskey v2025.12.1
- Gancio v1.28.2
- appy v0.4.0
- Loops v1.0.0-beta.6
- PieFed v1.3.8
- NodeBB v4.7.1
- Enigmatick ActivityPub C2S
- A year in Hubzilla development
- Photografedi: An ActivityPub powered photo sharing website! Inspired by Flickr and Pixelfed
Clients
- PeerTube Mobile v2.0
- Voyager v2.42.0
- Blorp v1.10.1
- Interstellar v0.11.1
Tools and Plugins
Articles
- Announcing Key Transparency for the Fediverse
- Adding a NSFW filter to Images on Writefreely
- Ghost's ActivityPub Integration Feels Half-Baked
- holos.social - How It Works
- Implementing Encrypted Messaging over ActivityPub
- Fediverse Report - #147
-----
#WeekInFediverse #Fediverse #ActivityPub
Previous edition: https://mitra.social/objects/019b1423-50e8-e8c5-d918-9946b14bb67e
RE: https://socialwebfoundation.org/2025/12/19/implementing-encrypted-messaging-over-activitypub/
Big news for the #Fediverse! End-to-end encryption is coming to #ActivityPub.
@swf with support from 
@sovtechfundSovereign Tech Agency is coordinating two interoperable implementations.
Bonfire is proud to be one of these first two projects, alongside #Emissary by 
@benpateBen Pate 🤘🏻
We think #E2EE should simply be the default for any private communications, and we’re especially thrilled to bring private, trusted collaboration to the fediverse.
Meta, which recently joined the newly founded #SocialWebFoundation, "cut 21,000 jobs, including in trust and safety and customer service, over multiple rounds of layoffs", leading state and local officials "puzzled by what to expect from Facebook" around voting misinformation.
#news #TechNews #SocialMedia #meta #facebook
Meta, one of the early members of the #SocialWebFoundation, has put the fediverse integration in Threads into a "maintenance mode".
https://connectedplaces.online/reports/fediverse-report-147/
Fediverse Report 147 - this week's #fediverse news:
Threads is putting their fediverse integration on maintenance mode after it has seen very little use, signalling the end to a tumultuous period for the fediverse. Zuckerberg's belief in decentralised social networking, saying in 2023 that he "has always believed in this stuff", might not be so strong after all
https://connectedplaces.online/reports/fediverse-report-147/
Imagine a social network that can’t be bought, sold, or controlled by a billionaire.
A place where communities govern themselves, and your data stays yours. That's Mastodon. Join us in turning that vision into reality.
Donate to power people-first social media: #SupportMastodon
@Mastodon there's so much more on the #fediverse
The fediverse is so much more than only mastodon
Pixelfed is broken. Cc: 
@mastodonmigration 
@tchambersTim Chambers and anyone else in the fediverse advocacy space who will listen.
@dansup and the #Pixelfed project are well aware of this.
@pixelfed has extremely broken ActivityPub support and has for a year (possibly more).
For reference:
https://github.com/pixelfed/pixelfed/issues/4858
This is completely unacceptable and has been going on for ages. @dansup who will no doubt block this account and ignore the issues continues to ignore these issues.
#openweb #fediverse 
@nlnet
Calling all #fediverse developers for help: I'm currently trying to implement a #reporting (#flag) feature for Hackers' Pub, an #ActivityPub-enabled community for software engineers. Is there a formal specification for how cross-instance reporting should work in ActivityPub? Or, is there any well-documented material that explains how the major implementations handle it?
"How We Lost Communication to Entertainment"
A following of my post about PixelFed
https://ploum.net/2025-12-15-communication-entertainment.html
Also available on #gemini :
gemini://ploum.net/2025-12-15-communication-entertainment.gmi
Fediverse friends and acquaintances:
when self-hosting a service, what do you prefer?
I need your help to improve the developer experience (DevX) of #badgefed. #fediverse #askfedi #mastodon #activitypub
matoken 
@matokenmatoken :fox: さんが記事を書いてたsnacだけど告知ボットによさそう。Bridgy Fedで連携できるのかな? BlueSkyは使う気ないけどブリッジできるなら両方に流せていいかもと思った #activitypub #fediverse
さくらのVPSで試す、軽量ActivityPub実装「snac」によるセルフホストSNS構築 | さくらのナレッジ: https://knowledge.sakura.ad.jp/48228/
I have Markdown editing working in Ktistec!
Which post was written in Markdown?
Voilà!
This is an often requested feature. It also makes Ktistec usable in browsers when JavaScript is disabled. The Markdown editor supports autocomplete and autosave, just like the rich text editor. Expect this to show up in the next release.
There is a Fediverse alternative to #Substack called #Ghost.
Ghost is now compatible with the Fediverse. It's not just a feed, Ghost-powered sites can take part in discussions with Mastodon etc accounts, the follows work in both directions etc.
There's a guide to using Ghost-powered sites on the Fediverse here:
➡️ https://fedi.tips/how-to-use-the-fediverse-on-your-ghost-powered-site
Some Ghost-powered sites to follow at:
➡️ https://fedi.directory/tag/ghost
(Copy-paste an address into the search box in Mastodon to follow.)
Hallo liebes #Fediverse!
Wir sind #Senfcall und bieten #Datenschutz-freundliche Videokonferenzen mit #BigBlueButton an - ganz ohne Anmeldung!
Wir sind Studierende aus #Darmstadt und #Karlsruhe, die zeigen wollen, dass es auch Alternativen zu den propritären Anbietern gibt, die Zuverlässigkeit und #Privatsphäre vereinen.
Schaut auf unserer Website vorbei und probiert es einfach mal aus.
Wir freuen uns auf euch!
#Introduction #Vorstellung #Neuhier #OpenSource #FreeSoftware #Hosting
Hello #fediverse,
we are #Senfcall and we are #hosting #privacy-friendly #BigBlueButton #videoconferences.
Free as in #freedom AND #free as in beer. (donations are welcome)
You don't even have to register an account (unless you need persistent rooms). Just visit https://senfcall.de/en/ - klick on "start meeting", enter meeting name (password optional), press "start" enter your name and have fun senfing. The call-invite link you find at the top of the chat.
Jaaa! Gleich zum Segment über die sicherheitspolitische Bedeutung des #fediverse gesprungen. Warum öffentliche Stellen alle, wie die angenehm kritikfähige Stadt 
@mainz_deLandeshauptstadt Mainz einen Account hier haben sollten. Danke 
@lagedernation https://chaos.social/@lagedernation/115737135425714682
As 
@FreddieJFreddie Johnson comes to the end of his time with the Newsmast Foundation team, we'd like to take a moment to celebrate all he's achieved.
Freddie has been with us since the start, from the original idea and through the many evolutions that have grown Newsmast.
Instrumental in building our relationships with others in this space, he has helped build the Foundation into what you see today.
We really hope that Freddie will stay involved in the Social Web, especially in areas of advocacy and policy where he excels.
But, for now, we just want to say a huge thank you 🧡
In the spirit of John Mastodon Day, I just want to reiterate how grateful I am for all of you.
You’ve been a source of joy and a lifeline of sanity (and, when necessary, insanity) all year. ❤️
#JohnMastodonDay #Fediverse #Mastodon
Seriously, you cannot celebrate John Mastodon Day without listening to this awesome song by 
@dgar
It's so good! It's the Mastodon anthem!
Read the lyrics! 😆 
I strongly encourage a Bandcamp buy on this: https://dgar.bandcamp.com/track/john-mastodon-ft-andre-louis
#JohnMastodonDay #JohnMastodon #Mastodon #Fediverse #Bandcamp
Have you seen the #fosdem social web track? If not, take a look at the schedule and see you there, a lots of amazing talks!
I'm thinking of uninstalling the excellent #Wordpress #ActivityPub Plugin and defederating my sites from the #Fediverse. For technical reasons only. CPU goes through the roof when new posts are boosted for the first time, causing 508 errors.
Does anyone else suffer from this problem and have any suggestions to lighten the load?
Maybe I’m overreacting and should just live with the minute or two of daily downtime?
I have Litespeed cache installed.
Affected sites: @dinotoyblog 
@blog@animaltoyforum.comAnimal Toy Blog @blog@monstertoyblog.com
ActivityPub for WordPress @activitypub.blog@activitypub.blog
As the year wraps up, ActivityPub 7.8.0 lands with stronger moderation tools, more flexible reactions, and a small surprise. Subscribe to shared blocklists with automatic updates and bulk-import domain blocks. Reactions now support a clean, avatar-free summary view. Plus, curious users can preview the new experimental Social Web Reader inside WordPress admin.
Read more →🚀 Wow! Seit Montag ist die #Hochschulrektorenkonferenz #NeuHier im #Fediverse!
👉 
@HRK_aktuellHochschulrektorenkonferenz
Herzlich willkommen 👋, es freut uns sehr!
Mit gutem Beispiel voran für unabhängige und souveräne #Wissenschaftskommunikation!
➡️ Weitersagen!
#WissKomm #SciComm #Science #Wissenschaft #Bildung #FediLZ #Universität #education #Hochschule #FediCampus #DigitaleSouveränität #DigitalSovereignty #SocialMedia #SaveSocial #WissXit #Musk
A nice list of online places where you can find human-curated music.
And we have a ton of music sites, blogs, directories, and people making mixtapes right here in the fediverse!
- a directory of independent artists: https://indieart.support
- The Indie Beat Radio https://theindiebeat.fm
- The https://www.audiointerface.org online radio
- NHAM: https://nham.co.uk/
- Ether Diver's Other People’s Music playlists https://www.etherdiver.com/tag/other-peoples-music/
And more!
https://nham.co.uk/category/community/distribution-platforms/
Have a nice evening, #BSDCafe
Have a nice evening, #illumosCafe
Have a nice evening, #Fediverse
Waiting for the proper time to have dinner, relaxing.
https://song.link/s/51qqSdQOsPkMOvG8g09r96
#Music #MastoMusic #MastoRadio #FediMusic #FediRadio #Jazz #Relax
Is it correct to say the #Fediverse and #BlueSky are "federated" by protocol bridges? I have similar question related to #Nostr and #Threads and other bridged protocols. Given the #Fediverse is #ActivityPub, what this larger federated social web called?
Nummer Elf habe ich dem #Fediverse ja auch noch nicht vorgestellt. Er ist im Februar geboren und ein Sohn von Nummer Drei, der Einzige aus drei Würfen, der in der Gegend blieb.
Schon als Baby guckte er ganz selbstbewusst in die Gegend, mittlerweile ist er ein stattlicher Eichkater. Im Juli hatte er eine schwere Verletzung am Schwanz, die zum Glück wieder vollständig ausgeheilt ist.
#Eichhörnchen #squirrels
transphobia, unfair moderation, platform issues
Reddit is officially on my hit list, and honestly, I’m just tired. I was banned for literally saying “I’m trans.” That’s it. No arguments, no insults, no rule breaking just existing as myself. What is actually going on with the internet right now?
On top of that, I also got banned from my favorite anime subreddit for sharing my thoughts about One Punch Man Season 3 specifically the episode with the Monster Garou encounter and saying it looked AI-generated. I wasn’t attacking anyone, I wasn’t being hostile, I was just trying to have a discussion.
Right now, Reddit feels really bad to be on. Moderation feels inconsistent and overly harsh, and it honestly feels like you can get punished just for speaking openly or having an opinion. I’m not even trying to fully drag Reddit anymore because I’m exhausted from constantly calling out platforms but this crossed a line.
I’m just frustrated. Being trans shouldn’t be controversial, and having a discussion about media shouldn’t get you kicked out of a community you enjoy. At this point, it feels like being honest online is treated like a problem, and I’m really over it.
#fediverse #reddit #community
Fediway brings algorithmic feeds to Mastodon.
https://github.com/fediway/fediway
(Found it on Reddit. Haven't tried it yet.)
Todd Sundsted @toddsundsted@epiktistes.com
The big feature in release v3.2.4 of Ktistec is support for viewing and voting on Mastodon polls (AKA FEP-9967: Polls). This feature took a surprising amount of work. Some of the effort was due to my struggles with visual design, but getting the behavior right was also tricky. For example, a "vote" is just an ActivityPub Note, but unlike other notes, it shouldn't appear in a poll's replies (it could, but that would be redundant and confusing). So I had to add exceptions throughout the code to deal with this. A custom Vote object type would have been nice in the original implementation.
Added
Fixed
title attributes are now preserved.Changed
Thank you @jayvii for the build fix!
#ktistec #crystallang #activitypub #fediverse
Fediverse pals, if your instance is run by a non-profit organization or a volunteer, now is a good time to see if they need a donation.
I don't take for granted my instance moderators 
@timTim W RESISTS 
@joshRobin the Mod (fka Josh) 
@crsChris Schmidt (u.p mod) 
@doug, especially as all other forms of social media enshittify.
Threads bloked en mstdn.social para mi-
Ya que no lo hacen ellos y lo dejan a merced del usuarios lo hago yo y espero muchos sigan mi camino.
https://mastodon.social/@coloco/112204103332538506 No quiero ver a este sdespreciable ser en mi TL y menos con esa plataforma que se nos intenta unir al #fediverse para destruirnos.
Mozilla の CEO 、別の人に変わったみたいですね。
Mozilla での社歴も短めで、 もともと OSS 界隈の人ではないということで、「(望む人には)Firefox を "AI ブラウザー" として使えるようにする」みたいな方針を打ち出したことも #Fediverse 界隈では余計にネガティブに受け止められている感じがする…
個人的には、 AI ブラウザー(AI が自律的にWebブラウザをコントロールするタイプ)は、まだ安全性が担保されてない感じがするのでいまのところ Not for me だけど、
それでも、まあ未来のプランとして AI を活用するという道も残している事自体は別にそこまで否定的ではないし、
( #Vivaldi 
みたいにはっきり AI の組み込みに距離を置くという姿勢も個人的には支持してるけど、 Vivaldi のスタンスはあくまで安全性とか持続性が担保できないから今は距離を置いているというだけで、機械学習的なアプローチとかを否定しているものではないとおもっている)
なにより Blink ではないレンダリングエンジンのブラウザーとして Firefox にはちゃんと存在感を示して欲しいという気持ちが強い。
…んだけど、いま現在 Firefox を支持している層が傾向としてどんな考えを持っているかとかを考えると、ネガティブに取られてしまう人選である感じはするし、
逆にとくに意識せずに Chrome とか Edge とか使ってる層にもいまのところ Firefox が「ブラウザーを乗り換える」というアクションを起こさせるほど魅力的に見えるようになっているかというと、なってないだろうなーと思うし、仮に Firefox がいわゆる AI ブラウザーになったとしてもやっぱりユーザーをそういうふうに動かすほどの訴求力はないんじゃないかなあという気がするし(わからんけど)
結局いまのところ、既存の Firefox ユーザーが他ブラウザー(Waterfox とか LibreWolf とか Vivaldi とかが乗り換え先として名前が挙がっているのを英語圏のやりとりで見た)に流出してるだけのように見える。
Mozilla が心配 
I just wrote about Ghost, and how I think its #Fediverse integration is still lacking. I love the platform, but I want to see their embrace of the Social Web really succeed.
https://deadsuperhero.com/ghosts-activitypub-integration-feels-half-baked/
I am so grateful for the Fediverse 
That's all. That's the post.
#Fediverse
I’m happy to announce WhyPost, a Flutter-based app currently available as a beta release.
WhyPost lets you connect multiple Fediverse accounts in one app, including Mastodon, Akkoma, Pleroma, GoToSocial, and Friendica.
Download (Beta):
https://codeberg.org/whypost/whypost-mobile/releases
The app already supports creating posts, replies, reposts, comments, editing profiles, and deleting posts.
There are still bugs, so feedback is welcome via our Matrix room.
#fediverse #mastodon #akkoma #pleroma #gotosocial #friendica
On #Mastodon there are now
413 verified accounts from #news organizations in
21 languages and on
121 instances.
262 were active today.
Some accounts, that were active today are 
@LesRepliquesLes Répliques (FRA)
@blogoklahoma (ENG)
@appgefahrenappgefahren.de - Tech-Blog (GER)
@TexasObserver (ENG)
@WesternWayneNews (ENG)
Find the whole list on:
➡️ https://fingolas.eu/fediverse/overview.html
Built by 
@mhoMartin Holland
#MastodonMigration #SocialMedia #Fediverse #Media #Press #Newspaper #TwitterMigration #Newstodon
Happy John Mastodon Day to all those who celebrate!
Original, but updated, piece:
https://www.mediaite.com/opinion/hypocrisy-and-fear-all-the-way-down-at-twitter/
#JohnMastodon #JohnMastodon2025 #JohnMastodonDay #Fediverse #Mastodon
