Fedify Regular Expression Denial-of-Service Vulnerability in Document Loader
Vulnerability
A Regular Expression Denial-of-Service (ReDoS) vulnerability has been identified in the Fedify TypeScript library, affecting versions prior to 1.6.13, 1.7.14, 1.8.15, and 1.9.2. The flaw is in the document loader's HTML parsing: the regular expression used to scan the HTML contains nested quantifiers, so certain inputs trigger catastrophic backtracking in the regex engine. Because the document loader fetches content from remote servers, an attacker-controlled server that the application is induced to fetch from can return a small (approximately 170-byte) malicious HTML response that exploits this pattern. A single such response can block the Node.js event loop for over 14 seconds, producing a denial-of-service condition.
Impact
Exploitation of this vulnerability stalls the Node.js event loop for the duration of the regex match. Since the match runs synchronously, the affected process cannot service any other request while it is in progress, which leads to timeouts and degraded performance, and to sustained service unavailability if the attacker repeats the attack.
Reproduction
The vulnerability can be reproduced by pointing a Fedify application that uses the built-in document loader at a server under the tester's control and having that server return a crafted HTML response. The response carries a payload that exploits the vulnerable regex, such as an unclosed anchor tag with repeated attributes, which triggers the catastrophic backtracking.
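The following is an added example, not Fedify's code or its patch: a regular expression with the nested-quantifier shape the advisory describes, a constructed unclosed anchor tag with repeated attributes that makes it backtrack exponentially, and a hand-written linear-time scanner for `<a>`/`<link>` attributes as one way to parse the same input safely. The regex, the payload, the 1 MiB input cap and all function names are assumptions made for this illustration.

```typescript
// Added illustration, not Fedify's code: a regex with the nested-quantifier
// shape the advisory describes, a constructed "unclosed anchor tag with
// repeated attributes" payload that makes it backtrack catastrophically, and
// a hand-written linear-time scanner as one way to avoid the problem.

// Vulnerable shape (constructed): an outer "*" repeats an attribute group whose
// value class [^\s>]* can itself swallow further "x=" pairs. Once the closing
// ">" never arrives, the engine tries every way of splitting the attribute run
// between the inner and outer quantifiers: about 2^(n-1) attempts for n pairs.
const VULNERABLE_ANCHOR_RE = /<a(?:\s*[a-z]+=[^\s>]*)*\s*>/i;

// Constructed payload: an <a ...> tag whose attribute run is "x=" repeated and
// which is never closed with ">".
function buildPayload(repeats: number): string {
  return "<a " + "x=".repeat(repeats);
}

// Run the vulnerable regex once and report whether it matched and how long it
// took. Keep `repeats` below ~24 unless you want to wait for seconds.
function timeVulnerable(repeats: number): { matched: boolean; ms: number } {
  const payload = buildPayload(repeats);
  const start = Date.now();
  const matched = VULNERABLE_ANCHOR_RE.test(payload);
  return { matched, ms: Date.now() - start };
}

type TagAttrs = { tag: string; attrs: Record<string, string> };

const isSpace = (c: string): boolean =>
  c === " " || c === "\t" || c === "\n" || c === "\r" || c === "\f";

// Linear-time attribute tokenizer: every loop iteration advances `i`, so the
// cost is bounded by the body length no matter how the text is shaped.
function parseAttrs(body: string): Record<string, string> {
  const attrs: Record<string, string> = {};
  const n = body.length;
  let i = 0;
  while (i < n) {
    while (i < n && (isSpace(body[i]) || body[i] === "/")) i++;
    const nameStart = i;
    while (i < n && !isSpace(body[i]) && body[i] !== "=" && body[i] !== "/") i++;
    if (i === nameStart) { i++; continue; }      // stray "=": skip it
    const name = body.slice(nameStart, i).toLowerCase();
    while (i < n && isSpace(body[i])) i++;
    if (body[i] !== "=") {                       // boolean attribute, e.g. "hidden"
      if (!(name in attrs)) attrs[name] = "";
      continue;
    }
    i++;
    while (i < n && isSpace(body[i])) i++;
    let value: string;
    const q = body[i];
    if (q === '"' || q === "'") {
      const end = body.indexOf(q, i + 1);
      value = end < 0 ? body.slice(i + 1) : body.slice(i + 1, end);
      i = end < 0 ? n : end + 1;
    } else {
      const valueStart = i;
      while (i < n && !isSpace(body[i])) i++;
      value = body.slice(valueStart, i);
    }
    if (!(name in attrs)) attrs[name] = value;   // first occurrence wins, as in HTML
  }
  return attrs;
}

// Linear-time tag scanner: each "<" is visited once and each ">" search starts
// where the previous one ended, so an unclosed tag ends the scan in O(n)
// instead of feeding a backtracking regex. The size cap is an assumed policy.
function extractLinkTags(html: string, maxLen: number = 1 << 20): TagAttrs[] {
  const input = html.length > maxLen ? html.slice(0, maxLen) : html;
  const out: TagAttrs[] = [];
  let pos = 0;
  for (;;) {
    const lt = input.indexOf("<", pos);
    if (lt < 0) break;
    const gt = input.indexOf(">", lt + 1);
    if (gt < 0) break;                           // unclosed tag: nothing more to parse
    pos = gt + 1;
    const body = input.slice(lt + 1, gt);
    const m = /^(a|link)(?=[\s/]|$)/i.exec(body); // anchored, constant work per tag
    if (m === null) continue;
    out.push({ tag: m[1].toLowerCase(), attrs: parseAttrs(body.slice(m[1].length)) });
  }
  return out;
}

// Same payload through the scanner: number of tags found and elapsed time.
function timeHardened(repeats: number): { tags: number; ms: number } {
  const payload = buildPayload(repeats);
  const start = Date.now();
  const tags = extractLinkTags(payload).length;
  return { tags, ms: Date.now() - start };
}

// Each extra "x=" pair roughly doubles the vulnerable regex's running time;
// extrapolating, a few dozen bytes are enough to hold the event loop for seconds.
for (const n of [14, 16, 18, 20]) {
  console.log(`vulnerable regex, ${n} pairs: ${timeVulnerable(n).ms} ms`);
}
console.log(`linear scanner, 50000 pairs: ${timeHardened(50000).ms} ms`);
```

Run it with ts-node or tsx and watch the vulnerable timings double with every added pair while the scanner handles a 100 KB unclosed tag in well under a millisecond. The replacement avoids nested quantifiers entirely rather than trying to tune the regex; the only regex left is anchored and does a fixed amount of work per tag. Capping the size of fetched responses before parsing is an independent defence worth keeping even after the upgrade.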
Remediation
Upgrade to Fedify 1.6.13, 1.7.14, 1.8.15, or 1.9.2 (or later on the same branch), all of which include the fix. The releases are available on the Fedify GitHub Releases page. Note that the malicious payload arrives in a response the document loader fetches, not in a request to the application, so restricting who may call the application does not mitigate the issue; upgrading is the remedy.
