Fedify: ActivityPub server framework (@fedify@hollo.social)
Fedify is a TypeScript library for building federated server apps powered by ActivityPub and other standards, the so-called fediverse. It aims to eliminate the complexity and redundant boilerplate code when building a federated server app, so that you can focus on your business logic and user experience.
Website: https://fedify.dev/
GitHub: https://github.com/fedify-dev/fedify
JSR: https://jsr.io/@fedify/fedify
npm: https://www.npmjs.com/package/@fedify/fedify
Joined: 2026-05-11 00:48:56
3 notes, 0 following, 0 followers
Fedify: ActivityPub server framework (@fedify@hollo.social) (2026-06-06 22:50:16)
There's a Matrix room for #Fedify contributors, open to anyone curious about how development happens. Feel free to drop in or lurk; small questions are fine too.
#fedify-contributors:matrix.org
Fedify: ActivityPub server framework (@fedify@hollo.social) (2026-05-21 02:35:44)
Fedify security updates: 1.9.11, 1.10.10, 2.0.18, 2.1.14, and 2.2.3
If you use Fedify, update to a patched release now. CVE-2026-42462 affects Fedify's Linked Data Signature handling. An attacker could use JSON-LD graph-restructuring features to change how a signed activity is interpreted without invalidating its Linked Data Signature.
Fedify verifies incoming ActivityPub activities with several mechanisms, including HTTP Signatures, Object Integrity Proofs, and Linked Data Signatures. The vulnerable path is Linked Data Signatures: the signature is checked over the canonical RDF graph, but JSON-LD can represent the same graph in more than one JSON shape. In affected versions, that gap could let a signed activity be reshaped so that Fedify reads a different ActivityPub object shape than intended.
The fix makes Fedify normalize Linked Data Signature-verified activities against Fedify's local JSON-LD context before interpreting them, and rejects JSON-LD constructs that can preserve the signed RDF graph while changing the ActivityPub object shape consumed by Fedify.
Patched releases are 1.9.11, 1.10.10, 2.0.18, 2.1.14, and 2.2.3. The GitHub Security Advisory is GHSA-9rfg-v8g9-9367, and the CVE ID is CVE-2026-42462.
Update @fedify/fedify:
npm update @fedify/fedify
yarn upgrade @fedify/fedify
pnpm update @fedify/fedify
bun update @fedify/fedify
deno update @fedify/fedify
After updating, redeploy. If you run other Fedify-based servers, update those too.
Thanks to @Claire for the report and responsible disclosure.
If anything is unclear, ask below.
Fedify: ActivityPub server framework (@fedify@hollo.social) (2026-05-10 23:13:33)
Fedify security updates: 1.9.10, 1.10.9, 2.0.16, 2.1.12, and 2.2.1
If you use Fedify, update to a patched release now. A private network protection bypass affects Fedify's remote document loading code. URLs with private IPv4 addresses encoded as IPv4-mapped IPv6 literals, such as http://[::ffff:7f00:1]/, could pass validatePublicUrl() even though they refer to private or loopback addresses.
Fedify uses validatePublicUrl() when fetching remote ActivityPub documents and related resources. An attacker who can make a Fedify server fetch an attacker-controlled URL may be able to bypass the private address checks that are intended to reduce SSRF risk.
All versions up to and including 2.2.0 are affected. Patched releases are 1.9.10, 1.10.9, 2.0.16, 2.1.12, and 2.2.1.
For Fedify 1.x, update @fedify/fedify:
npm update @fedify/fedify
yarn upgrade @fedify/fedify
pnpm update @fedify/fedify
bun update @fedify/fedify
deno update @fedify/fedify
For Fedify 2.x, update both @fedify/fedify and @fedify/vocab-runtime:
npm update @fedify/fedify @fedify/vocab-runtime
yarn upgrade @fedify/fedify @fedify/vocab-runtime
pnpm update @fedify/fedify @fedify/vocab-runtime
bun update @fedify/fedify @fedify/vocab-runtime
deno update @fedify/fedify @fedify/vocab-runtime
After updating, redeploy. If you run other Fedify-based servers, update those too.
Thanks to Changkyun Kim (@me) for the report and responsible disclosure.
If anything is unclear, ask below.
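The bypass above works because an IPv4 address can be written as an IPv4-mapped IPv6 literal and slip past a check that only knows the dotted-quad spelling. The following is an added example, not Fedify's `validatePublicUrl()` and not the code in the patched releases: a host check that reduces every address literal to a canonical numeric form before applying the private-range rules, so `[::ffff:7f00:1]`, `[::ffff:127.0.0.1]` and `127.0.0.1` are all judged the same way. The range list is this example's assumption, and a production check must also resolve DNS names and apply the same rules to every resolved address, which this example leaves out.

```typescript
// Added example, not Fedify's code. Canonicalise IP literals before deciding
// whether an outbound fetch targets a private or loopback address, so an
// IPv4 address hidden in an IPv4-mapped IPv6 literal is caught. The range
// list is an assumption; DNS resolution is deliberately out of scope here.

type HostCheck =
  | { ok: true; host: string }
  | { ok: false; host: string; reason: string };

// Dotted quad -> 32-bit number, or null if not a valid IPv4 literal.
function ipv4ToInt(text: string): number | null {
  const octets = text.split(".");
  if (octets.length !== 4) return null;
  let value = 0;
  for (const o of octets) {
    if (!/^\d{1,3}$/.test(o) || Number(o) > 255) return null;
    value = value * 256 + Number(o);
  }
  return value;
}

// Bracket-less IPv6 literal -> eight 16-bit hextets, or null if malformed.
// A dotted-quad tail (::ffff:127.0.0.1) is folded into the last two hextets.
function ipv6ToHextets(text: string): number[] | null {
  let s = text;
  const lastColon = s.lastIndexOf(":");
  if (lastColon !== -1 && s.slice(lastColon + 1).includes(".")) {
    const v4 = ipv4ToInt(s.slice(lastColon + 1));
    if (v4 === null) return null;
    s = `${s.slice(0, lastColon + 1)}${(v4 >>> 16).toString(16)}:${(v4 & 0xffff).toString(16)}`;
  }
  const toHextets = (part: string): number[] | null => {
    if (part === "") return [];
    const out: number[] = [];
    for (const h of part.split(":")) {
      if (!/^[0-9a-fA-F]{1,4}$/.test(h)) return null;
      out.push(parseInt(h, 16));
    }
    return out;
  };
  const halves = s.split("::");
  if (halves.length > 2) return null;
  const head = toHextets(halves[0]);
  const tail = halves.length === 2 ? toHextets(halves[1]) : [];
  if (head === null || tail === null) return null;
  if (halves.length === 1) return head.length === 8 ? head : null;
  const zeros = 8 - head.length - tail.length;
  if (zeros < 1) return null;
  return [...head, ...Array.from({ length: zeros }, () => 0), ...tail];
}

// Non-public IPv4 ranges used by this example (assumed list, not Fedify's).
const PRIVATE_V4: Array<[string, number]> = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16],
];

function isPrivateIpv4(addr: number): boolean {
  return PRIVATE_V4.some(([net, prefix]) => {
    const shift = 32 - prefix;
    return (addr >>> shift) === ((ipv4ToInt(net) as number) >>> shift);
  });
}

// The IPv4 address embedded in an IPv4-mapped IPv6 address (::ffff:a.b.c.d), else null.
function mappedIpv4(hextets: number[]): number | null {
  const mapped = hextets.slice(0, 5).every((h) => h === 0) && hextets[5] === 0xffff;
  return mapped ? hextets[6] * 0x10000 + hextets[7] : null;
}

function isPrivateIpv6(hextets: number[]): boolean {
  const v4 = mappedIpv4(hextets);
  if (v4 !== null) return isPrivateIpv4(v4); // judge by the IPv4 rules, not the IPv6 spelling
  const unspecifiedOrLoopback = hextets.slice(0, 7).every((h) => h === 0) && hextets[7] <= 1; // :: and ::1
  const uniqueLocal = (hextets[0] & 0xfe00) === 0xfc00; // fc00::/7
  const linkLocal = (hextets[0] & 0xffc0) === 0xfe80;   // fe80::/10
  return unspecifiedOrLoopback || uniqueLocal || linkLocal;
}

function checkPublicUrl(input: string): HostCheck {
  let url: URL;
  try { url = new URL(input); } catch { return { ok: false, host: input, reason: "unparseable URL" }; }
  const host = url.hostname; // WHATWG parsing already canonicalises IP literals (e.g. decimal forms)
  if (host.startsWith("[") && host.endsWith("]")) {
    const hextets = ipv6ToHextets(host.slice(1, -1));
    if (hextets === null) return { ok: false, host, reason: "malformed IPv6 literal" };
    return isPrivateIpv6(hextets)
      ? { ok: false, host, reason: "private, loopback or mapped-private IPv6 address" }
      : { ok: true, host };
  }
  const v4 = ipv4ToInt(host);
  if (v4 !== null) {
    return isPrivateIpv4(v4) ? { ok: false, host, reason: "private IPv4 address" } : { ok: true, host };
  }
  return { ok: true, host }; // a DNS name: resolve and re-check every address before connecting
}

console.log(checkPublicUrl("http://[::ffff:7f00:1]/")); // the literal from the advisory
console.log(checkPublicUrl("http://example.com/"));
```

The design point is that the classification runs on numbers, not strings: once a literal is reduced to hextets, an IPv4-mapped address is routed to the IPv4 rules rather than being compared against an IPv4-only pattern it can never match.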