{"schema_version":"1.7.5","id":"CVE-2025-68475","published":"2025-12-22T21:31:20.314Z","modified":"2026-04-02T13:05:31.187992Z","aliases":["GHSA-rchf-xwx2-hm93"],"summary":"Fedify has ReDoS Vulnerability in HTML Parsing Regex","details":"Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to versions 1.6.13, 1.7.14, 1.8.15, and 1.9.2, a Regular Expression Denial of Service (ReDoS) vulnerability exists in Fedify's document loader. The HTML parsing regex at packages/fedify/src/runtime/docloader.ts:259 contains nested quantifiers that cause catastrophic backtracking when processing maliciously crafted HTML responses. This issue has been patched in versions 1.6.13, 1.7.14, 1.8.15, and 1.9.2.","affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/fedify-dev/fedify","events":[{"introduced":"0"},{"fixed":"6658a9cab3731449c0d71289d88d189c5161be9c"},{"fixed":"7955e17abfd5b208d6bd1666e41f942cb9103a8b"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.6.13"},{"introduced":"1.8.0"},{"fixed":"1.8.15"}]}},{"type":"GIT","repo":"https://github.com/fedify-dev/fedify","events":[{"introduced":"15cd79ad03562832c4e86802d6f617df679bc27e"},{"fixed":"c6d7e743c995c9fa84d74f94952eb0dfc6cb7bab"}],"database_specific":{"versions":[{"introduced":"1.7.0"},{"fixed":"1.7.14"}]}},{"type":"GIT","repo":"https://github.com/fedify-dev/fedify","events":[{"introduced":"d4ce275d7fc25eef539b0e9d5bd7a527ec949edb"},{"fixed":"3114e4add0df8494a6cc6803593fb02e69135bc5"}],"database_specific":{"versions":[{"introduced":"1.9.0"},{"fixed":"1.9.2"}]}}],"versions":["0.1.0","0.10.0","0.10.1","0.10.2","0.11.0","0.11.1","0.11.2","0.11.3","0.12.0","0.12.1","0.12.2","0.12.3","0.13.0","0.13.1","0.13.2","0.13.3","0.13.4","0.13.5","0.14.0","0.14.1","0.14.2","0.14.3","0.14.4","0.14.5","0.15.0","0.15.1","0.15.2","0.15.3","0.15.4","0.15.5","0.15.6","0.15.7","0.15.8","0.15.9","0.2.0","0.3.0","0.4.0","0.5.0","0.5.1","0.5.2","0.6.0","0.6.1","0.7.0","0.8.0","0.9.0","0.9.1","0.9.2","0.9.3","1.0.0","1.0.1","1.0.10","1.0.11","1.0.12","1.0.13","1.0.14","1.0.15","1.0.16","1.0.17","1.0.18","1.0.19","1.0.2","1.0.20","1.0.21","1.0.22","1.0.23","1.0.24","1.0.25","1.0.26","1.0.27","1.0.28","1.0.29","1.0.3","1.0.30","1.0.4","1.0.5","1.0.6","1.0.7","1.0.8","1.0.9","1.1.0","1.1.1","1.1.10","1.1.11","1.1.12","1.1.13","1.1.14","1.1.15","1.1.16","1.1.17","1.1.18","1.1.19","1.1.2","1.1.20","1.1.21","1.1.22","1.1.23","1.1.24","1.1.25","1.1.26","1.1.27","1.1.3","1.1.4","1.1.5","1.1.6","1.1.7","1.1.8","1.1.9","1.2.0","1.2.1","1.2.10","1.2.11","1.2.12","1.2.13","1.2.14","1.2.15","1.2.16","1.2.17","1.2.18","1.2.19","1.2.2","1.2.20","1.2.21","1.2.22","1.2.23","1.2.24","1.2.25","1.2.26","1.2.27","1.2.3","1.2.4","1.2.5","1.2.6","1.2.7","1.2.8","1.2.9","1.3.0","1.3.1","1.3.10","1.3.11","1.3.12","1.3.13","1.3.14","1.3.15","1.3.16","1.3.17","1.3.18","1.3.19","1.3.2","1.3.20","1.3.21","1.3.22","1.3.23","1.3.24","1.3.3","1.3.4","1.3.5","1.3.6","1.3.7","1.3.8","1.3.9","1.4.0","1.4.1","1.4.10","1.4.11","1.4.12","1.4.13","1.4.14","1.4.15","1.4.16","1.4.17","1.4.2","1.4.3","1.4.4","1.4.5","1.4.6","1.4.7","1.4.8","1.4.9","1.5.0","1.5.1","1.5.2","1.5.3","1.5.4","1.5.5","1.5.6","1.5.7","1.5.8","1.5.9","1.6.1","1.6.10","1.6.11","1.6.12","1.6.2","1.6.3","1.6.4","1.6.5","1.6.6","1.6.7","1.6.8","1.6.9","1.7.0","1.7.1","1.7.10","1.7.11","1.7.12","1.7.13","1.7.2","1.7.3","1.7.4","1.7.5","1.7.6","1.7.7","1.7.8","1.7.9","1.8.1","1.8.10","1.8.11","1.8.12","1.8.13","1.8.14","1.8.2","1.8.3","1.8.4","1.8.5","1.8.6","1.8.7","1.8.8","1.8.9","1.9.0","1.9.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-68475.json"}}],"references":[{"type":"WEB","url":"https://github.com/fedify-dev/fedify/releases/tag/1.6.13"},{"type":"WEB","url":"https://github.com/fedify-dev/fedify/releases/tag/1.7.14"},{"type":"WEB","url":"https://github.com/fedify-dev/fedify/releases/tag/1.8.15"},{"type":"WEB","url":"https://github.com/fedify-dev/fedify/releases/tag/1.9.2"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68475.json"},{"type":"ADVISORY","url":"https://github.com/fedify-dev/fedify/security/advisories/GHSA-rchf-xwx2-hm93"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68475"},{"type":"FIX","url":"https://github.com/fedify-dev/fedify/commit/2bdcb24d7d6d5886e0214ed504b63a6dc5488779"},{"type":"FIX","url":"https://github.com/fedify-dev/fedify/commit/bf2f0783634efed2663d1b187dc55461ee1f987a"}],"database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-1333"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68475.json"},"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}