CVE-2026-42462

Description

Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to versions 1.9.11, 1.10.10, 2.0.18, 2.1.14, and 2.2.3, an attacker can make use of JSON-LD features to restructure a JSON-LD document that would change how Fedify interprets it without changing its Linked Data Signature, allowing them to alter a third-party signed activity they have received. Versions 1.9.11, 1.10.10, 2.0.18, 2.1.14, and 2.2.3 fix the issue.

CVSS breakdown

CVSS 3.1

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

High

Availability

Low

Affected products

fedify-dev / fedify>= 2.2.0, < 2.2.3 – >= 2.2.0, < 2.2.3
fedify-dev / fedify>= 2.1.0, < 2.1.14 – >= 2.1.0, < 2.1.14
fedify-dev / fedify>= 2.0.0, < 2.0.18 – >= 2.0.0, < 2.0.18
fedify-dev / fedify>= 1.10.0, < 1.10.10 – >= 1.10.0, < 1.10.10
fedify-dev / fedify< 1.9.11 – < 1.9.11

References

VENDOR_ADVISORYhttps://github.com/fedify-dev/fedify/security/advisories/GHSA-9rfg-v8g9-9367
PATCHhttps://github.com/fedify-dev/fedify/releases/tag/2.2.3