CVE-2026-34148 Overview
CVE-2026-34148 is a Denial of Service (DoS) vulnerability affecting Fedify, a TypeScript library for building federated server applications powered by ActivityPub. The vulnerability exists in the library's remote document loader and authenticated document loader components, which follow HTTP redirects recursively without enforcing a maximum redirect count or implementing visited-URL loop detection. This flaw allows an attacker who controls a remote ActivityPub key or actor URL to force servers using Fedify to make repeated outbound requests from a single inbound request, leading to resource consumption and denial of service.
Critical Impact
Attackers can exploit the uncontrolled HTTP redirect handling to cause resource exhaustion on federated servers, potentially disrupting ActivityPub-based social networking services and federated applications.
Affected Products
- Fedify versions prior to 1.9.6
- Fedify versions 1.10.x prior to 1.10.5
- Fedify versions 2.0.x prior to 2.0.8
- Fedify versions 2.1.x prior to 2.1.1
Discovery Timeline
- April 6, 2026 - CVE-2026-34148 published to NVD
- April 7, 2026 - Last updated in NVD database
Technical Details for CVE-2026-34148
Vulnerability Analysis
This vulnerability is classified as CWE-400 (Uncontrolled Resource Consumption). The flaw resides in Fedify's document loading mechanism, which is responsible for fetching remote ActivityPub resources such as actor profiles, public keys, and other federated content. When processing HTTP redirects, the library recursively follows redirect chains without implementing essential safeguards against redirect loops or excessive redirect chains.
In a typical ActivityPub implementation, servers need to fetch remote resources to verify signatures, retrieve actor information, and process federated activities. Fedify's document loaders handle these requests, but the absence of redirect depth limiting and loop detection creates an exploitable condition. An attacker can configure a malicious ActivityPub server to return redirect responses that either loop back to the same URL or create an extremely long redirect chain.
Root Cause
The root cause is the missing implementation of redirect loop protection mechanisms in Fedify's HTTP request handling. Specifically, the library lacks:
- Maximum redirect count enforcement - No upper limit on the number of redirects the library will follow for a single request
- Visited-URL tracking - No mechanism to detect and break circular redirect chains where a URL redirects back to a previously visited URL
This oversight allows malicious actors to craft redirect scenarios that cause the library to enter infinite or extremely long redirect loops, consuming server resources including network bandwidth, memory, and CPU cycles.
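The two missing safeguards are easy to picture in code. The following added example is not Fedify's own loader and does not use Fedify's API; it is a generic remote document fetcher that follows redirects itself and enforces a maximum redirect count plus visited-URL loop detection. The names FetchLike, RedirectError, loadWithBoundedRedirects and the in-memory route table are assumptions made for this example so that it runs offline.

```typescript
// Added example, not Fedify's own loader: a remote document fetcher that follows
// redirects itself and enforces the two safeguards the advisory says were
// missing, a maximum redirect count and visited-URL loop detection.
// FetchLike, RedirectError and the fake route table are assumptions of this example.

export interface MinimalResponse {
  status: number;
  headers: { get(name: string): string | null };
  text(): Promise<string>;
}
export type FetchLike = (url: string) => Promise<MinimalResponse>;

export class RedirectError extends Error {
  readonly chain: string[];
  constructor(message: string, chain: string[]) {
    super(message);
    this.name = "RedirectError";
    this.chain = chain;
  }
}

export interface LoadResult { finalUrl: string; body: string; chain: string[] }

// Default fetch: the runtime's fetch with redirect: "manual", so that this
// function (not the runtime) decides whether each redirect is followed.
const defaultFetch: FetchLike = (url) =>
  (globalThis as any).fetch(url, { redirect: "manual" });

export async function loadWithBoundedRedirects(
  url: string,
  opts: { maxRedirects?: number; fetchFn?: FetchLike } = {},
): Promise<LoadResult> {
  const maxRedirects = opts.maxRedirects ?? 10;
  const fetchFn = opts.fetchFn ?? defaultFetch;
  const visited = new Set<string>(); // loop detection: every URL already fetched
  const chain: string[] = [];        // fetch order, returned for logging/diagnostics
  let current = url;
  for (;;) {
    if (visited.has(current)) {
      throw new RedirectError(`redirect loop back to ${current}`, chain);
    }
    if (chain.length > maxRedirects) {
      throw new RedirectError(`more than ${maxRedirects} redirects`, chain);
    }
    visited.add(current);
    chain.push(current);
    const res = await fetchFn(current);
    if (res.status >= 300 && res.status < 400) {
      const location = res.headers.get("location");
      if (location === null) throw new RedirectError("3xx response without Location", chain);
      current = new URL(location, current).toString(); // resolve a relative Location
      continue;
    }
    if (res.status < 200 || res.status >= 300) {
      throw new Error(`HTTP ${res.status} fetching ${current}`);
    }
    return { finalUrl: current, body: await res.text(), chain };
  }
}

// Constructed in-memory "servers" so the example runs without network access.
export interface FakeRoute { status: number; location?: string; body?: string }

export function makeFakeFetch(routes: Record<string, FakeRoute>): FetchLike {
  return async (url) => {
    const r = routes[url] ?? { status: 404, body: "not found" };
    return {
      status: r.status,
      headers: { get: (name: string) => (name.toLowerCase() === "location" ? r.location ?? null : null) },
      text: async () => r.body ?? "",
    };
  };
}

export function sampleRoutes(): Record<string, FakeRoute> {
  const routes: Record<string, FakeRoute> = {
    // benign: one permanent redirect, then the actor document
    "https://good.example/users/alice": { status: 301, location: "/actors/alice" },
    "https://good.example/actors/alice": { status: 200, body: '{"id":"https://good.example/actors/alice"}' },
    // a key URL that redirects to itself forever (constructed)
    "https://loop.example/key": { status: 302, location: "https://loop.example/key" },
  };
  // a 50-hop chain that only ends at hop50 (constructed)
  for (let i = 0; i < 50; i++) {
    routes[`https://chain.example/hop${i}`] = { status: 302, location: `/hop${i + 1}` };
  }
  routes["https://chain.example/hop50"] = { status: 200, body: "{}" };
  return routes;
}
```

The loop check runs before the depth check, so a self-referencing URL is rejected on its second visit regardless of the limit, while a long but non-repeating chain is cut off once the configured maximum is exceeded. Returning the chain alongside the error gives the caller something concrete to log when a remote actor or key URL misbehaves.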
Attack Vector
The attack can be executed remotely over the network without requiring authentication. An attacker would need to:
- Control a remote server that can be referenced as an ActivityPub actor or key URL
- Configure that server to return HTTP redirect responses (3xx status codes) pointing either back to itself or to other URLs in a loop chain
- Trigger a Fedify-based application to fetch resources from the malicious URL, such as by sending a federated activity signed with a key hosted on the attacker's server
When the victim's Fedify application attempts to fetch the remote resource, it follows the redirects indefinitely, consuming resources until the request times out or the server becomes unresponsive. A single inbound request can generate numerous outbound requests, creating an amplification effect that exacerbates the denial of service impact.
Detection Methods for CVE-2026-34148
Indicators of Compromise
- Unusual spikes in outbound HTTP requests from Fedify-based applications
- Server resource exhaustion (high CPU, memory, or network utilization) correlated with ActivityPub federation activities
- HTTP request logs showing repeated redirect chains to the same set of URLs
- Connection timeouts or failures when processing federated activities from unknown or recently added remote actors
Detection Strategies
- Monitor outbound HTTP request patterns for redirect chains longer than the usual 5-10 redirects seen in normal federation traffic
- Implement network-level detection for repeated requests to the same external hosts within short time windows
- Deploy application performance monitoring to detect resource consumption anomalies tied to federation processing
- Review web application firewall logs for patterns indicating redirect loop exploitation attempts
Monitoring Recommendations
- Configure alerting on outbound request rate limits per remote host to identify amplification attacks
- Implement logging for HTTP redirect chains with visibility into redirect depth and target URLs
- Monitor server resource metrics (CPU, memory, network) with correlation to ActivityPub request processing times
- Establish baseline metrics for normal federation activity to enable anomaly detection
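The redirect-chain and amplification indicators above can be checked offline against outbound request logs. The following added example is not from the advisory or the Fedify project; it parses a constructed log format (one line per outbound hop, tagged with the inbound request id that triggered it) and flags inbound requests whose outbound fetches either revisit a URL or exceed a redirect depth threshold. The log format, the req= field and the function names are assumptions made for this example.

```typescript
// Added example (not part of the advisory and not Fedify code): offline analysis
// of an outbound HTTP request log for redirect loops and over-long redirect chains.
// The log format is constructed for this example, one line per outbound hop:
//   <iso-time> req=<inbound-request-id> GET <url> -> <status> [loc=<Location header>]
// The req= field is assumed to tie each outbound fetch to the inbound request that
// triggered it; that link is what makes the per-request amplification visible.

export interface Hop { time: string; req: string; url: string; status: number; location?: string }

const LINE_RE = /^(\S+) req=(\S+) GET (\S+) -> (\d{3})(?: loc=(\S+))?$/;

export function parseHop(line: string): Hop | null {
  const m = LINE_RE.exec(line.trim());
  if (m === null) return null;
  const hop: Hop = { time: m[1], req: m[2], url: m[3], status: Number(m[4]) };
  if (m[5] !== undefined) hop.location = m[5];
  return hop;
}

export interface Finding {
  req: string;
  reason: "loop" | "depth";
  firstUrl: string;      // the URL this inbound request made the server fetch first
  outboundHops: number;  // amplification: outbound fetches caused by one inbound request
  redirects: number;     // how many of those hops answered 3xx
  detail: string;
}

// Flag an inbound request when its outbound fetches revisit a URL (loop) or follow
// more than maxDepth redirects. Loops are reported before depth so a tight loop is
// labelled as such even when it is also long.
export function analyzeRedirectChains(lines: string[], maxDepth = 10): Finding[] {
  const byReq = new Map<string, Hop[]>();
  for (const line of lines) {
    const hop = parseHop(line);
    if (hop === null) continue; // unparseable line: skip it rather than crash the detector
    const list = byReq.get(hop.req);
    if (list === undefined) byReq.set(hop.req, [hop]); else list.push(hop);
  }
  const findings: Finding[] = [];
  byReq.forEach((hops, req) => {
    const redirects = hops.filter((h) => h.status >= 300 && h.status < 400).length;
    const seen = new Set<string>();
    let loopUrl: string | undefined;
    for (const h of hops) {
      if (seen.has(h.url)) { loopUrl = h.url; break; }
      seen.add(h.url);
    }
    const base = { req, firstUrl: hops[0].url, outboundHops: hops.length, redirects };
    if (loopUrl !== undefined) {
      findings.push({ ...base, reason: "loop", detail: `revisited ${loopUrl}` });
    } else if (redirects > maxDepth) {
      findings.push({ ...base, reason: "depth", detail: `${redirects} redirects exceeds threshold ${maxDepth}` });
    }
  });
  return findings;
}

// Constructed sample log: one benign fetch, one self-loop, one 15-hop chain,
// plus a malformed line to show the parser tolerating noise.
export function sampleLog(): string[] {
  const lines = [
    "2026-04-06T10:00:01Z req=in-1 GET https://good.example/users/alice -> 301 loc=https://good.example/actors/alice",
    "2026-04-06T10:00:01Z req=in-1 GET https://good.example/actors/alice -> 200",
  ];
  for (let i = 0; i < 3; i++) {
    lines.push("2026-04-06T10:00:02Z req=in-2 GET https://loop.example/key -> 302 loc=https://loop.example/key");
  }
  for (let i = 0; i < 15; i++) {
    lines.push(`2026-04-06T10:00:03Z req=in-3 GET https://chain.example/hop${i} -> 302 loc=https://chain.example/hop${i + 1}`);
  }
  lines.push("2026-04-06T10:00:03Z req=in-3 GET https://chain.example/hop15 -> 200");
  lines.push("malformed line that the parser ignores");
  return lines;
}
```

Grouping by inbound request id is the important design choice: a per-host request count alone would also catch the loop, but only the per-request grouping shows that a single inbound activity produced sixteen outbound fetches, which is the amplification signature this advisory describes. The outboundHops field is the number to baseline and alert on.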
How to Mitigate CVE-2026-34148
Immediate Actions Required
- Upgrade Fedify to a patched version immediately: 1.9.6, 1.10.5, 2.0.8, or 2.1.1 depending on your current version branch
- If immediate upgrade is not possible, implement network-level controls to limit outbound request rates to external hosts
- Review ActivityPub federation logs for any signs of exploitation attempts
- Consider temporarily restricting federation with untrusted remote servers until patching is complete
Patch Information
Security patches are available in the following Fedify releases:
- Fedify 1.9.6 - For users on the 1.9.x branch
- Fedify 1.10.5 - For users on the 1.10.x branch
- Fedify 2.0.8 - For users on the 2.0.x branch
- Fedify 2.1.1 - For users on the 2.1.x branch
For detailed information about the vulnerability and the fix, refer to the GitHub Security Advisory GHSA-gm9m-gwc4-hwgp.
Workarounds
- Implement a reverse proxy or web application firewall rule to limit the number of outbound connections per request
- Configure network-level rate limiting for outbound HTTP requests to external ActivityPub servers
- Temporarily disable federation features or restrict federation to a known-safe allowlist of remote servers until patching can be completed
- Deploy request timeout configurations at the infrastructure level to prevent individual requests from consuming resources indefinitely
# Example: rate-limit inbound requests to the federation endpoint (nginx reverse proxy).
# This caps how many inbound requests per client can trigger outbound fetches; nginx
# in front of the application cannot observe the backend's outbound connections, and
# $upstream_addr is not populated when limit_req is evaluated, so the key is the client.
# limit_req_zone must be declared in the http {} context.
http {
    limit_req_zone $binary_remote_addr zone=fedify_inbound:10m rate=10r/s;
    server {
        location /federation {
            limit_req zone=fedify_inbound burst=20 nodelay;
            proxy_pass http://fedify_backend;
        }
    }
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.