CVE-2025-68475: Fedify has ReDoS Vulnerability in HTML Parsing Regex
A Regular Expression Denial of Service (ReDoS) vulnerability exists in Fedify’s document loader. The HTML parsing regex at packages/fedify/src/runtime/docloader.ts:259 contains nested quantifiers that cause catastrophic backtracking when processing maliciously crafted HTML responses.
An attacker-controlled federated server can respond with a small (~170 bytes) malicious HTML payload that blocks the victim’s Node.js event loop for 14+ seconds, causing a Denial of Service.
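Added illustration of the mitigation pattern, not Fedify's code and not the advisory's regex (which this page does not reproduce): a document-loader helper that caps the response size before any parsing and pulls the `<link rel="alternate">` target out with a single-pass scanner instead of a backtracking regex, so a crafted HTML body costs time proportional to its length. The size cap, the accepted media types and the function names are assumptions.

```typescript
const MAX_HTML_BYTES = 64 * 1024;           // assumed cap: refuse oversized bodies before parsing
const ACTIVITY_TYPES = new Set([            // assumed media types the loader accepts
  "application/activity+json", 'application/ld+json; profile="https://www.w3.org/ns/activitystreams"',
]);
// One left-to-right pass over a tag body: each character is consumed at most once, so cost is linear.
function parseAttrs(tag: string): Map<string, string> {
  const attrs = new Map<string, string>();
  const n = tag.length; let i = 0;
  const skipWs = () => { while (i < n && /\s/.test(tag[i])) i++; };
  while (i < n) {
    skipWs();
    let start = i;
    while (i < n && !/[\s=\/>]/.test(tag[i])) i++;   // attribute name
    if (i === start) { i++; continue; }              // stray '=', '/' or '>': skip one char
    const name = tag.slice(start, i).toLowerCase();
    skipWs();
    let value = "";
    if (tag[i] === "=") {
      i++; skipWs();
      const q = tag[i];
      if (q === '"' || q === "'") {                  // quoted: jump straight to the closing quote
        const close = tag.indexOf(q, i + 1);
        value = tag.slice(i + 1, close === -1 ? n : close);
        i = close === -1 ? n : close + 1;
      } else {                                       // unquoted: runs to whitespace or '>'
        start = i;
        while (i < n && !/[\s>]/.test(tag[i])) i++;
        value = tag.slice(start, i);
      }
    }
    attrs.set(name, value);
  }
  return attrs;
}
// href of the first <link rel="alternate"> carrying an ActivityPub type, or null.
function findActivityLink(html: string): string | null {
  if (html.length > MAX_HTML_BYTES) return null;   // size check before any parsing work
  const lower = html.toLowerCase(); let pos = 0;
  while ((pos = lower.indexOf("<link", pos)) !== -1) {
    const end = html.indexOf(">", pos);
    if (end === -1) break;                         // unterminated tag: stop, never rescan
    const attrs = parseAttrs(html.slice(pos + 5, end));
    pos = end + 1;
    const rel = (attrs.get("rel") ?? "").toLowerCase().split(/\s+/);
    if (rel.includes("alternate") && ACTIVITY_TYPES.has(attrs.get("type") ?? "") && attrs.has("href")) return attrs.get("href")!;
  }
  return null;
}
const SAMPLE_HTML = `<html><head><link rel="stylesheet" href="/site.css">
<link rel="alternate" type="application/activity+json" href="https://example.com/users/alice"></head></html>`; // constructed sample, not from a real server
```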
| Field | Value |
|---|---|
| CWE | CWE-1333 (Inefficient Regular Expression Complexity) |
References
- github.com/advisories/GHSA-rchf-xwx2-hm93
- github.com/fedify-dev/fedify
- github.com/fedify-dev/fedify/commit/2bdcb24d7d6d5886e0214ed504b63a6dc5488779
- github.com/fedify-dev/fedify/commit/bf2f0783634efed2663d1b187dc55461ee1f987a
- github.com/fedify-dev/fedify/releases/tag/1.6.13
- github.com/fedify-dev/fedify/releases/tag/1.7.14
- github.com/fedify-dev/fedify/releases/tag/1.8.15
- github.com/fedify-dev/fedify/releases/tag/1.9.2
- github.com/fedify-dev/fedify/security/advisories/GHSA-rchf-xwx2-hm93
- nvd.nist.gov/vuln/detail/CVE-2025-68475