Fedify security updates: 1.9.7, 1.10.6, 2.0.10, and 2.1.3

If you use Fedify, update to a patched release now. A high-severity denial-of-service vulnerability (CVE-2026-34148) affects Fedify's remote document loader and authenticated document loader. Both follow HTTP redirects without a redirect limit or loop detection. An attacker-controlled server can return a redirect loop for a keyId or actor URL fetch, causing a single inbound ActivityPub request to keep issuing outbound requests until the fetch times out.

All versions up to and including 2.1.0 are affected. Patched releases are 1.9.7, 1.10.6, 2.0.10, and 2.1.3. Update with your package manager:

npm update @fedify/fedify
yarn upgrade @fedify/fedify
pnpm update @fedify/fedify
bun update @fedify/fedify
deno update @fedify/fedify

After updating, redeploy. If you run other Fedify-based servers, update those too.

Thanks to Abhinav Jaswal for the report and responsible disclosure. Disclosure was coordinated with Ghost so they had time to ship their update.

If anything is unclear, ask below.