CVE-2025-68475
HIGH
7,5
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: none
User Interaction: none
Scope: unchanged
Confidentiality: none
Integrity: none
Availability: high
Description
AI Translation Available
Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to versions 1.6.13, 1.7.14, 1.8.15, and 1.9.2, a Regular Expression Denial of Service (ReDoS) vulnerability exists in Fedify's document loader. The HTML parsing regex at packages/fedify/src/runtime/docloader.ts:259 contains nested quantifiers that cause catastrophic backtracking when processing maliciously crafted HTML responses. This issue has been patched in versions 1.6.13, 1.7.14, 1.8.15, and 1.9.2.
EPSS (Exploit Prediction Scoring System)
Trend Analysis
EPSS (Exploit Prediction Scoring System)
Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.
EPSS Score
0,0011
Percentile
0,3th
Updated
EPSS Score Trend (Last 84 Days)
1333
Inefficient Regular Expression Complexity
DraftCommon Consequences
Security Scopes Affected:
Availability
Potential Impacts:
Dos: Resource Consumption (Cpu)
Applicable Platforms
All platforms may be affected
https://github.com/fedify-dev/fedify/commit/2bdcb24d7d6d5886e0214ed504b63a6dc54…
https://github.com/fedify-dev/fedify/commit/bf2f0783634efed2663d1b187dc55461ee1…
https://github.com/fedify-dev/fedify/releases/tag/1.6.13
https://github.com/fedify-dev/fedify/releases/tag/1.7.14
https://github.com/fedify-dev/fedify/releases/tag/1.8.15
https://github.com/fedify-dev/fedify/releases/tag/1.9.2
https://github.com/fedify-dev/fedify/security/advisories/GHSA-rchf-xwx2-hm93