Vulnerability Description
Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to versions 1.6.13, 1.7.14, 1.8.15, and 1.9.2, a Regular Expression Denial of Service (ReDoS) vulnerability exists in Fedify's document loader. The HTML parsing regex at packages/fedify/src/runtime/docloader.ts:259 contains nested quantifiers that cause catastrophic backtracking when processing maliciously crafted HTML responses. This issue has been patched in versions 1.6.13, 1.7.14, 1.8.15, and 1.9.2.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Fedify | Fedify | < 1.6.13 |
Related Weaknesses (CWE)
References
- https://github.com/fedify-dev/fedify/commit/2bdcb24d7d6d5886e0214ed504b63a6dc548Patch
- https://github.com/fedify-dev/fedify/commit/bf2f0783634efed2663d1b187dc55461ee1fPatch
- https://github.com/fedify-dev/fedify/releases/tag/1.6.13ProductRelease Notes
- https://github.com/fedify-dev/fedify/releases/tag/1.7.14ProductRelease Notes
- https://github.com/fedify-dev/fedify/releases/tag/1.8.15ProductRelease Notes
- https://github.com/fedify-dev/fedify/releases/tag/1.9.2ProductRelease Notes
- https://github.com/fedify-dev/fedify/security/advisories/GHSA-rchf-xwx2-hm93ExploitMitigationVendor Advisory
FAQ
What is CVE-2025-68475?
CVE-2025-68475 is a vulnerability with a CVSS score of 7.5 (HIGH). Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to versions 1.6.13, 1.7.14, 1.8.15, and 1.9.2, a Regular Expression Denial of Service (ReDoS) vulnerabil...
How severe is CVE-2025-68475?
CVE-2025-68475 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-68475?
Check the references section above for vendor advisories and patch information. Affected products include: Fedify Fedify.