Shared by: ### Security Update: Hollo 0.6…

@hollo@hollo.social

Security Update: Hollo 0.6.19 Released

We have released Hollo 0.6.19 to address a security vulnerability in Fedify's HTML parsing code.

This vulnerability (CVE-2025-68475) is a ReDoS (Regular Expression Denial of Service) issue that could allow an attacker to cause service unavailability by sending specially crafted HTML responses during federation operations. The malicious payload is small (approximately 170 bytes) but can block the Node.js event loop for extended periods.

We strongly recommend all Hollo operators upgrade to version 0.6.19 immediately.

Field	Details
CVE	CVE-2025-68475
Severity	High (CVSS 7.5)
Action	Upgrade to Hollo 0.6.19

#Hollo #Security #Fediverse #ActivityPub

github.com

ReDoS Vulnerability in HTML Parsing Regex

Hi Fedify team! 👋 Thank you for your work on Fedify—it's a fantastic library for building federated applications. While reviewing the codebase, I discovered a Regular Expression Denial of Servic...

8 shares

fedicat
@fedicat@pc.cafe
The official account for the Fedicat fediverse iOS client available on TestFlight. I try to include other fediverse stuff to keep it interesting.
The Ignorant Savage
@TheIgnorantSavage@mastodon.social
Technical Discussion
@technical-discussion@activitypub.space
Technical discussion about ActivityPub-related topics.
Matthew
@picard@mas.to
Gaming (on linux), science, history, learning Ukrainian
Header image: Red Viburnum by #LyubovPanchenko. I wrote a bit about her here (including a description for this piece): https://mas.to/@picard/109762715944064107
Avatar: Bucha Spring by #LyubovPanchenko. Read more (including a description) here: https://mas.to/@picard/109920251214826351
Ulf Rompe
@rompe@mastodon.social
Ich bin eigentlich ganz nett.
I tend to write in #German because that's what I know best, but I will happily chat in broken #English, too.
I also understand some words in #French, #Spanish and #Italian. Just comment in any language and we'll find a way to communicate.
I like good #food, #cooking and #baking.
소금🧂
@tun_able@daepi.so
서기 2026년의 모든 사람은 앨라이이자 페미니스트가 될 의무가 있다고 생각하는 사람.
봄별 はるぼし🌟 (Haruboshi)
@Rina@uri.life
성인 30+ / 잡덕 겸 일상러 + 취미로 코딩 조금씩 하는 사람 / 평일엔 현생으로 바쁨 / 한국어, English, 日本語少し
인스턴스 '청춘:플레이스' (https://aoharu.place) 및 인스턴스 '추억:사진'(https://chueok.pics)의 관리자.
⚠️팔로우하시기 전에 링크의 계정 안내문을 반드시 읽어주세요: https://bombyeol.me/social/
→ https://vrc.bombyeol.me / → @haruboshi / → @haruboshi / X() → https://x.com/deepsky182_haru
프로필 사진 : X() minami_don (https://picrew.me/ko/image_maker/2737227)
洪民憙 (Hong Minhee)
@hongminhee@hollo.social
An intersectionalist, feminist, and socialist living in Seoul (UTC+09:00). @tokolovesme's spouse. Who's behind @fedify, @hollo, and @botkit. Write some free software in #TypeScript, #Haskell, #Rust, & #Python. They/them.
서울에 사는 交叉女性主義者이자 社會主義者. 金剛兔(@tokolovesme)의 配偶者. @fedify, @hollo, @botkit 메인테이너. #TypeScript, #Haskell, #Rust, #Python 等으로 自由 소프트웨어 만듦.
#國漢文混用體 #한국어 (#朝鮮語) #English #日本語