CVE-2025-68475

EUVD-2025-204741

22.12.2025, 22:16

Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to versions 1.6.13, 1.7.14, 1.8.15, and 1.9.2, a Regular Expression Denial of Service (ReDoS) vulnerability exists in Fedify's document loader. The HTML parsing regex at packages/fedify/src/runtime/docloader.ts:259 contains nested quantifiers that cause catastrophic backtracking when processing maliciously crafted HTML responses. This issue has been patched in versions 1.6.13, 1.7.14, 1.8.15, and 1.9.2.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Affected Products (NVD)

Vendor	Product	Version
fedify	fedify	𝑥 < 1.6.13
fedify	fedify	1.7.0 ≤ 𝑥 < 1.7.14
fedify	fedify	1.8.1 ≤ 𝑥 < 1.8.15
fedify	fedify	1.9.0 ≤ 𝑥 < 1.9.2

𝑥

= Vulnerable software versions

Known Exploits!

https://github.com/fedify-dev/fedify/security/advisories/GHSA-rchf-xwx2-hm93

Common Weakness Enumeration

CWE-1333 - Inefficient Regular Expression Complexity
The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.

References

https://github.com/fedify-dev/fedify/commit/2bdcb24d7d6d5886e0214ed504b63a6dc5488779

https://github.com/fedify-dev/fedify/commit/bf2f0783634efed2663d1b187dc55461ee1f987a

https://github.com/fedify-dev/fedify/releases/tag/1.6.13

https://github.com/fedify-dev/fedify/releases/tag/1.7.14

https://github.com/fedify-dev/fedify/releases/tag/1.8.15

https://github.com/fedify-dev/fedify/releases/tag/1.9.2

https://github.com/fedify-dev/fedify/security/advisories/GHSA-rchf-xwx2-hm93