Fedify Denial-of-Service Vulnerability via Unbounded HTTP Redirect Following
Vulnerability
A denial-of-service vulnerability has been identified in the Fedify TypeScript library, affecting versions prior to 1.9.6, 1.10.5, 2.0.8, and 2.1.1. The library's remote and authenticated document loaders follow HTTP redirects recursively without a maximum redirect count and without tracking URLs already visited in the chain. An attacker who controls a remote ActivityPub key or actor URL can therefore force the server to issue a large number of outbound requests, consuming CPU, bandwidth, and connection slots until the fetch times out.
Impact
Exploitation results in a denial-of-service condition: the server's CPU and bandwidth usage rise and its pool of outbound connection slots can be exhausted. Because the document loader follows every attacker-controlled redirect, a single inbound request that causes a key or actor document to be fetched can trigger hundreds of outbound requests before the fetch times out. Failed key fetches are also not cached, so each subsequent request that references the same key re-enters the same redirect loop rather than failing fast.
Reproduction
The vulnerability can be reproduced by installing an affected Fedify version (such as 1.9.1 or 1.9.2) and pointing a test script at an actor URL hosted on an attacker-controlled server that answers every request with a redirect back to itself. Each redirect is followed by another outbound request, so the loader loops until the request times out, and the affected Fedify server's resources are consumed for the duration.
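The loop described above, and the two controls whose absence the Impact and Reproduction sections describe (a redirect cap with loop detection, and a negative cache for failed fetches), as an added TypeScript example. This is not Fedify's code and does not use Fedify's API: the loader takes an injected synchronous fetcher so it runs offline, and the "malicious server" (host evil.example, paths /actor, /chain/N, /hop, /key) is a constructed stand-in for an attacker-controlled origin, not anything from the original advisory.

```typescript
// Added example, not Fedify's own implementation. A real loader would await fetch();
// a synchronous fetcher is injected here so the scenario is self-contained.
interface MiniResponse { status: number; location?: string; body?: string }
type Fetcher = (url: string) => MiniResponse;

const MAX_REDIRECTS = 5;              // assumed cap; any small constant works
const FAILURE_TTL_MS = 5 * 60 * 1000; // assumed negative-cache lifetime

class RedirectError extends Error {}

// Follow redirects at most maxRedirects times and refuse to revisit any URL
// already seen in this chain. Both checks run before the next outbound request.
function fetchDocument(startUrl: string, fetcher: Fetcher, maxRedirects = MAX_REDIRECTS):
  { url: string; body: string; hops: number } {
  const visited = new Set<string>();
  let url = new URL(startUrl).href;
  let hops = 0;
  for (;;) {
    if (visited.has(url)) throw new RedirectError(`redirect loop at ${url}`);
    visited.add(url);
    const res = fetcher(url);
    if (res.status >= 300 && res.status < 400) {
      if (++hops > maxRedirects) {
        throw new RedirectError(`more than ${maxRedirects} redirects from ${startUrl}`);
      }
      if (!res.location) throw new RedirectError(`redirect without Location at ${url}`);
      url = new URL(res.location, url).href; // resolve a relative Location against the current URL
      continue;
    }
    if (res.status !== 200) throw new Error(`HTTP ${res.status} for ${url}`);
    return { url, body: res.body ?? "", hops };
  }
}

// Negative cache: a URL whose fetch failed is rejected immediately until the
// entry expires, so repeated requests cannot re-run the same redirect chase.
class DocumentLoader {
  private failures = new Map<string, number>();
  constructor(private fetcher: Fetcher, private now: () => number = Date.now) {}
  load(url: string) {
    const until = this.failures.get(url);
    if (until !== undefined && until > this.now()) throw new Error(`cached failure for ${url}`);
    try {
      return fetchDocument(url, this.fetcher);
    } catch (e) {
      this.failures.set(url, this.now() + FAILURE_TTL_MS);
      throw e;
    }
  }
}

// Constructed attacker-controlled origin: counts hits and serves redirect loops.
function makeMaliciousServer() {
  let hits = 0;
  const fetcher: Fetcher = (url) => {
    hits++;
    const path = new URL(url).pathname;
    if (path === "/actor") return { status: 302, location: "/actor" }; // redirects to itself
    if (path.startsWith("/chain/")) {                                   // endless chain of fresh URLs
      const n = Number(path.slice("/chain/".length));
      return { status: 302, location: `/chain/${n + 1}` };
    }
    if (path === "/hop") return { status: 301, location: "/key" };     // one legitimate redirect
    if (path === "/key") return { status: 200, body: '{"@context":"https://w3id.org/security/v1"}' };
    return { status: 404 };
  };
  return { fetcher, hits: () => hits };
}

// Runs the scenarios and returns what happened, so the outcome can be checked.
function demo() {
  const server = makeMaliciousServer();
  const loader = new DocumentLoader(server.fetcher);
  const out: Record<string, string | number> = {};
  out.ok = loader.load("https://evil.example/hop").url;          // single redirect is followed
  try { loader.load("https://evil.example/actor"); } catch (e) { out.loop = (e as Error).message; }
  const before = server.hits();
  try { loader.load("https://evil.example/actor"); } catch (e) { out.cached = (e as Error).message; }
  out.hitsAfterRetry = server.hits() - before;                    // negative cache: no new request
  try { loader.load("https://evil.example/chain/0"); } catch (e) { out.chain = (e as Error).message; }
  out.totalHits = server.hits();                                  // bounded even for the endless chain
  return out;
}
```

The self-redirecting /actor URL costs exactly one outbound request before the visited-set check fires, and the retry costs none because the failure is cached. The /chain path defeats loop detection by using a new URL each hop, which is why the hop cap is needed as well: with MAX_REDIRECTS of 5 the loader issues six requests and stops. The vulnerable behaviour corresponds to removing both checks, at which point the loop runs until the HTTP client times out.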
Remediation
Upgrade to Fedify 1.9.6, 1.10.5, 2.0.8, or 2.1.1, whichever matches the release line in use; these versions address the vulnerability.
