All Fedify users should update to the latest patched versions. A ReDoS (Regular Expression Denial of Service) vulnerability (CVE-2025-68475) has been discovered in Fedify’s HTML parsing code: an attacker can cause a denial of service by returning specially crafted HTML to a Fedify instance that fetches from their server.
This vulnerability affects every Fedify instance that fetches remote actors or objects from federated servers it does not control, which in practice is any instance that federates. An attacker-controlled server can respond with a small (~170 bytes) malicious HTML payload that blocks the Node.js event loop for 14+ seconds. While the event loop is blocked the process handles no other requests at all, so the instance becomes unavailable for that time, and repeated responses keep it unavailable.
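The following is an added, constructed example; it is not Fedify’s code, and the regex in it is not the one fixed in CVE-2025-68475. It models the failure mode described above: a hypothetical “plain text only” check whose nested quantifier lets a short, attacker-chosen input force exponential backtracking, beside a linear-time scan that accepts exactly the same strings. The names (`isPlainTextRegex`, `isPlainTextLinear`, `hostileFragment`, `timeCheck`) and the inputs are assumptions made for the demonstration.

```javascript
// Constructed example, not Fedify's code. PLAIN_TEXT_RE is a hypothetical
// check for "runs of non-markup characters and &name; entities, no tags".
// The inner [^<&]+ is itself repeated by the outer *, so a run "aaaa" can be
// split across iterations in 2^(n-1) ways; when the trailing "<" makes the
// whole match fail, the backtracking engine tries every split before giving up.
const PLAIN_TEXT_RE = /^([^<&]+|&[a-zA-Z]+;)*$/;

function isPlainTextRegex(fragment) {
  return PLAIN_TEXT_RE.test(fragment);
}

function isAsciiLetter(ch) {
  return (ch >= "a" && ch <= "z") || (ch >= "A" && ch <= "Z");
}

// Linear-time equivalent: one left-to-right scan, no backtracking, and the
// same accept/reject decisions as PLAIN_TEXT_RE.
function isPlainTextLinear(fragment) {
  let i = 0;
  while (i < fragment.length) {
    const ch = fragment[i];
    if (ch === "<") return false;        // a tag is never plain text
    if (ch !== "&") { i++; continue; }   // ordinary character
    let j = i + 1;                       // entity: & followed by letters and ";"
    while (j < fragment.length && isAsciiLetter(fragment[j])) j++;
    if (j === i + 1 || fragment[j] !== ";") return false;
    i = j + 1;
  }
  return true;
}

// Attacker-style payload (constructed): a run of harmless characters ended by
// one "<". The regex cannot match it, but only finds that out after trying
// every way of splitting the run, so the cost doubles with each extra byte.
function hostileFragment(runLength) {
  return "a".repeat(runLength) + "<";
}

// Runs a check synchronously, the way a regex inside a fetch/parse path would,
// and reports how long the event loop was blocked.
function timeCheck(check, fragment) {
  const start = performance.now();   // global in Node.js 16+, Deno and Bun
  const result = check(fragment);
  return { result, ms: performance.now() - start };
}

for (const runLength of [14, 16, 18, 20]) {
  const slow = timeCheck(isPlainTextRegex, hostileFragment(runLength));
  const fast = timeCheck(isPlainTextLinear, hostileFragment(runLength));
  console.log(
    `run=${runLength}: regex ${slow.ms.toFixed(1)} ms, linear ${fast.ms.toFixed(3)} ms`,
  );
}
```

Running it shows the regex time roughly quadrupling every two extra characters while the linear scan stays in microseconds; pushing `runLength` into the mid twenties is enough to stall the process for seconds, which is the same order of effect the advisory reports from a ~170-byte response. The general lesson for any code that parses attacker-supplied HTML is the same as the fix here: avoid nested or overlapping quantifiers on untrusted input, or replace the regex with a hand-written scanner whose cost is bounded by the input length.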
The following versions contain the security fix, one for each 1.x release line from 1.6 through 1.9: 1.6.13, 1.7.14, 1.8.15, and 1.9.2. Users should update immediately using their package manager with commands such as npm update @fedify/fedify, yarn upgrade @fedify/fedify, pnpm update @fedify/fedify, bun update @fedify/fedify, or deno update @fedify/fedify. Note that these commands only move within the version range declared in your manifest, so a dependency pinned to an exact older version must have its range raised to one of the fixed versions first.
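As an added helper, not part of Fedify, the function below tells you whether an installed @fedify/fedify version is at or above the fixed release of its 1.x line, using only the four versions listed above. It is a plain semver comparison: a pre-release of a fixed version (for example a `-dev` build of 1.9.2) sorts below that release and is reported as not patched, and any line the advisory does not list is reported as `null` (unknown) rather than as safe. The function name `isFedifyPatched` and the table name are assumptions.

```javascript
// Added helper, not Fedify's code. Maps each 1.x minor line named in the
// advisory to the first patched patch number; anything else is "unknown".
const PATCHED_PATCH_BY_MINOR = { 6: 13, 7: 14, 8: 15, 9: 2 };

// Parses "1.8.15", "v1.8.15", "1.9.2-dev.7+abc" into its numeric parts and a
// flag saying whether a pre-release suffix is present.
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/.exec(version.trim());
  if (!m) throw new Error(`not a semver version: ${version}`);
  return {
    major: Number(m[1]),
    minor: Number(m[2]),
    patch: Number(m[3]),
    prerelease: m[4] !== undefined,
  };
}

// true: at or above the fixed release of its line.
// false: same line, older than the fixed release (or a pre-release of it).
// null: not a 1.6-1.9 version, so this advisory's list says nothing about it.
function isFedifyPatched(version) {
  const v = parseVersion(version);
  if (v.major !== 1) return null;
  const fixedPatch = PATCHED_PATCH_BY_MINOR[v.minor];
  if (fixedPatch === undefined) return null;
  if (v.patch > fixedPatch) return true;
  if (v.patch < fixedPatch) return false;
  return !v.prerelease; // exactly the fixed patch: only the release itself counts
}

// Constructed sample versions, as they would appear in the "version" field of
// node_modules/@fedify/fedify/package.json on an npm-style install.
for (const sample of ["1.6.12", "1.6.13", "1.8.15", "1.9.1", "1.9.2-dev.3", "1.9.2"]) {
  console.log(sample, "->", isFedifyPatched(sample));
}
```

Feed it the installed version from your lockfile or from `node_modules/@fedify/fedify/package.json` in each deployed service; a `false` means the process is still running vulnerable HTML parsing code and should be updated and redeployed as described below.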
After updating, redeploy your application immediately. Please also inform other Fedify operators about this update to ensure the availability of the entire federation network.
Please update now and feel free to leave comments below if you have any questions.