CVE-2026-42462
HighCVSS 7.0Exploitation Probability (EPSS)
Low risk12th percentile - higher than 12% of all known CVEs
Summary
Fedify, a TypeScript library for building federated server apps powered by ActivityPub, has a vulnerability that allows an attacker to use JSON-LD features to restructure a JSON-LD document. This restructuring changes how Fedify interprets the document without altering its Linked Data Signature.
Risk Assessment
An attacker can modify third-party signed activities, potentially leading to unauthorized actions in applications using Fedify. This poses a serious threat to data integrity and trust in the system.
Recommendation
It is recommended to upgrade to versions 1.9.11, 1.10.10, 2.0.18, 2.1.14, or 2.2.3, which fix this vulnerability. Regular monitoring and updating of components is crucial for maintaining application security.
Original NVD description (English source)
Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to versions 1.9.11, 1.10.10, 2.0.18, 2.1.14, and 2.2.3, an attacker can make use of JSON-LD features to restructure a JSON-LD document that would change how Fedify interprets it without changing its Linked Data Signature, allowing them to alter a third-party signed activity they have received. Versions 1.9.11, 1.10.10, 2.0.18, 2.1.14, and 2.2.3 fix the issue.

