PT-2026-30656 · Fedify · Fedify
Wrathsec · Published 2026-04-06 · Updated 2026-04-07 · CVE-2026-34148
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Fedify versions prior to 1.9.6, 1.10.5, 2.0.8, and 2.1.1
Description: Fedify does not enforce a maximum redirect count or visited-URL loop detection when following HTTP redirects in its remote and authenticated document loaders. An attacker controlling a remote ActivityPub key or actor URL can exploit this to force the server to make repeated outbound requests from a single inbound request, leading to resource consumption and denial of service. The issue occurs because the document loader recursively follows 3xx responses without a redirect cap or loop detection. Failed key fetches are not durably negatively cached, allowing repeated exploitation. A proof-of-concept demonstrates that a single request can trigger hundreds of outbound requests via self-redirects.
Recommendations: Upgrade to Fedify version 1.9.6, 1.10.5, 2.0.8, or 2.1.1.
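The two controls the description says were missing, a hard redirect cap and visited-URL loop detection, as an added example that is not Fedify's code: the RedirectPolicy class, the simulate driver and the remote.example URLs are all hypothetical and constructed here so the loop can be exercised offline.

```javascript
// Added example, not Fedify's code: redirect handling for a remote document
// loader with a hard redirect cap and visited-URL loop detection. The policy is
// kept free of I/O so it can be driven offline; a real loader would alternate
// policy.urlToFetch(), await fetch(url, { redirect: "manual" }) and policy.handle().
const MAX_REDIRECTS = 5;
class RedirectPolicy {
  constructor(startUrl, maxRedirects = MAX_REDIRECTS) {
    this.maxRedirects = maxRedirects;
    this.visited = new Set(); // every URL requested so far
    this.next = new URL(startUrl).href;
  }
  // Call before each outbound request; refuses a URL that was already requested.
  urlToFetch() {
    if (this.visited.has(this.next)) throw new Error(`redirect loop at ${this.next}`);
    this.visited.add(this.next);
    return this.next;
  }
  // Call with each response; true means one more request is required.
  handle(status, location) {
    if (status < 300 || status >= 400) return false; // final document reached
    if (location == null) throw new Error(`3xx without Location from ${this.next}`);
    // visited.size is the request count, so the 3xx after maxRedirects hops is refused
    if (this.visited.size > this.maxRedirects) throw new Error(`redirect cap ${this.maxRedirects} exceeded`);
    this.next = new URL(location, this.next).href; // resolve a relative Location
    return true;
  }
}
// Offline driver over a constructed {url: {status, location}} table; reports how
// many outbound requests one inbound request would have caused and why it stopped.
function simulate(startUrl, table, maxRedirects = MAX_REDIRECTS) {
  const policy = new RedirectPolicy(startUrl, maxRedirects);
  let requests = 0;
  try {
    for (;;) {
      const res = table[policy.urlToFetch()] ?? { status: 404 };
      requests++;
      if (!policy.handle(res.status, res.location)) return { requests, stop: `status ${res.status}` };
    }
  } catch (err) {
    return { requests, stop: err.message };
  }
}
// Constructed scenarios: the advisory's self-redirecting key URL, a chain of 50
// distinct URLs that only the cap stops, and a benign one-hop redirect.
const SELF_REDIRECT = { "https://remote.example/key": { status: 302, location: "https://remote.example/key" } };
const LONG_CHAIN = Object.fromEntries(Array.from({ length: 50 },
  (_, i) => [`https://remote.example/hop${i}`, { status: 301, location: `/hop${i + 1}` }]));
const BENIGN = { "https://remote.example/old": { status: 301, location: "https://remote.example/new" },
                 "https://remote.example/new": { status: 200 } };
```

With the loop check, the self-redirect costs one outbound request instead of hundreds; with the cap, an unbounded chain costs MAX_REDIRECTS + 1.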

Weakness Enumeration: Resource Exhaustion; Allocation of Resources Without Limits
Related Identifiers: CVE-2026-34148, GHSA-GM9M-GWC4-HWGP
Affected Products: Fedify