CVE-2026-42462

CVE-2026-42462 is a high-severity security vulnerability in @fedify/fedify (npm), affecting versions >= 2.2.0, < 2.2.3. It is fixed in 2.2.3, 2.1.14, 2.0.18, 1.10.10, 1.9.11.

Summary

As told on Discord earlier, multiple projects are affected, and we would like to coordinate. For now, we are aiming at a May 6th release date, but this is not set in stone yet.

An attacker can make use of JSON-LD features to restructure a JSON-LD document that would change how Fedify interprets it without changing its Linked Data Signature, allowing them to alter a third-party signed activity they have received.

Details

The vulnerability essentially boils down to the signature being on the canonical RDF graph representation of the JSON-LD document, and JSON-LD offering many ways to represent the same graph.

One of the issues is that by taking a signed Activity with an embedded object, an attacker can move the top-level Activity to a @graph property and move the activity's object to the top-level. Such a transformation preserves the signature and changes how the payload is interpreted by pretty much all ActivityPub implementations, making them process the object and ignore the formerly top-level activity. This can be used whenever the graph contains an embedded activity. In Mastodon, that is the case of { "type": "Undo", "object": { "type": "Announce" } }, but other implementations may sign other activities that can be exploited in the same way.

The @reverse keyword can also be used to change the shape of a JSON-LD document without changing the underlying graph, and could be used in a similar way to reverse an Activity and its object.

Another problematic feature is @included, which can be used to “move” properties outside of the normal tree, effectively making them invisible to most ActivityPub implementations, while, again, preserving the signature. This allows removing statuses or actor properties once a signed Create or Update activity is received.

Given that we have seen no use of @graph, @included or @reverse in ActivityPub payloads and that they are very complex to handle correctly (the only JSON-LD API functions that “normalize” @included and @reverse are flattening and framing, which both lose the root node), we have decided to reject them, and recommend you do so as well.

Detection of @graph, @included and @reverse should happen after compacting the incoming activity to your context, as aliases can be used for those keywords.
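The rejection rule above, as an added example rather than Fedify's own code: a walker that flags @graph, @included and @reverse in a JSON-LD document, including terms an inline @context aliases onto them. It assumes the document has already been compacted against the local context as the advisory recommends, and it only resolves aliases from inline contexts, not from remote context URLs.

```javascript
// Added example (not Fedify's code): reject JSON-LD documents that use
// @graph, @included or @reverse, including aliases declared in an inline
// @context. Per the advisory, run this after compacting the incoming
// activity against your local context; alias resolution here covers only
// inline contexts (remote contexts are assumed to be handled by the compactor).
const FORBIDDEN = new Set(["@graph", "@included", "@reverse"]);

// Return the terms an inline @context maps onto a forbidden keyword.
function forbiddenAliases(context) {
  const aliases = new Set();
  const entries = Array.isArray(context) ? context : [context];
  for (const ctx of entries) {
    if (!ctx || typeof ctx !== "object") continue; // string = remote context URL
    for (const [term, def] of Object.entries(ctx)) {
      const target = typeof def === "string" ? def : def && def["@id"];
      if (FORBIDDEN.has(target)) aliases.add(term);
    }
  }
  return aliases;
}

// Walk the document; return the JSON path of the first forbidden keyword or
// alias found, or null if the document is clean. Nested @context objects may
// add aliases, so the active alias set is extended as we descend.
function findForbiddenKeyword(doc, names = FORBIDDEN, path = "$") {
  if (Array.isArray(doc)) {
    for (let i = 0; i < doc.length; i++) {
      const hit = findForbiddenKeyword(doc[i], names, `${path}[${i}]`);
      if (hit) return hit;
    }
    return null;
  }
  if (!doc || typeof doc !== "object") return null;
  if ("@context" in doc) {
    names = new Set([...names, ...forbiddenAliases(doc["@context"])]);
  }
  for (const [key, value] of Object.entries(doc)) {
    if (key === "@context") continue; // context entries are definitions, not payload
    if (names.has(key)) return `${path}.${key}`;
    const hit = findForbiddenKeyword(value, names, `${path}.${key}`);
    if (hit) return hit;
  }
  return null;
}

// Constructed samples: a plain Undo{Announce}, and the same payload reshaped
// through an aliased @graph as the advisory describes.
const AS = "https://www.w3.org/ns/activitystreams";
const benign = { "@context": AS, type: "Undo", object: { type: "Announce" } };
const reshaped = { "@context": [AS, { g: "@graph" }], type: "Announce", g: [{ type: "Undo" }] };
console.log(findForbiddenKeyword(benign), findForbiddenKeyword(reshaped)); // null $.g
```

A non-null result should cause the whole activity to be rejected before any signature-backed processing, since the signature still verifies on the reshaped document.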

Additionally, after a quick scan of Fedify's source code, I could not verify that JSON-LD documents with a verified Linked Data Signature were compacted against your local JSON-LD context. Not doing that allows an attacker to rename aliases to non-standard names and use non-mapped aliases to replace existing values, while still leaving the signature intact. This allows an attacker to essentially replace arbitrary portions of any signed JSON-LD document and completely forge any activity while still passing verification. A similar issue was fixed in Mastodon a few years ago: https://github.com/mastodon/mastodon/pull/17426.

Impact

The impact is difficult to assess as this depends on the types of activities that are actually signed and processed in the wild.

The @included keyword allows “removing” arbitrary attributes, thus allowing replaying Create and Update activities while stripping away any attribute, such as content or metadata, which can lead to integrity and availability issues, although confidentiality issues are unlikely.

The @graph and @reverse keywords allow changing the root activity, which in the case of Mastodon allows sending an Announce from an Undo { Announce }, but might have wider consequences depending on what various servers sign.

The lack of compacting can allow rewriting any activity arbitrarily, thus leading to major integrity, availability, and possibly confidentiality issues (e.g. by replacing an actor's inbox).

CVE-2026-42462 has a CVSS score of 7.0 (High). The attack vector is network, with no privileges required and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. Fixed versions are available (2.2.3, 2.1.14, 2.0.18, 1.10.10, 1.9.11); upgrading removes the vulnerable code path.

Affected versions

@fedify/fedify (>= 2.2.0, < 2.2.3)
@fedify/fedify (>= 2.1.0, < 2.1.14)
@fedify/fedify (>= 2.0.0, < 2.0.18)
@fedify/fedify (>= 1.10.0, < 1.10.10)
@fedify/fedify (< 1.9.11)

Security releases

@fedify/fedify → 2.2.3 (npm)
@fedify/fedify → 2.1.14 (npm)
@fedify/fedify → 2.0.18 (npm)
@fedify/fedify → 1.10.10 (npm)
@fedify/fedify → 1.9.11 (npm)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.


Remediation advice

Upgrade the following packages to resolve this vulnerability:

@fedify/fedify to 2.2.3 or later
@fedify/fedify to 2.1.14 or later
@fedify/fedify to 2.0.18 or later
@fedify/fedify to 1.10.10 or later
@fedify/fedify to 1.9.11 or later

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2026-42462? CVE-2026-42462 is a high-severity security vulnerability in @fedify/fedify (npm), affecting versions >= 2.2.0, < 2.2.3. It is fixed in 2.2.3, 2.1.14, 2.0.18, 1.10.10, 1.9.11.
  2. How severe is CVE-2026-42462? CVE-2026-42462 has a CVSS score of 7.0 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of @fedify/fedify are affected by CVE-2026-42462? @fedify/fedify (npm) versions >= 2.2.0, < 2.2.3 are affected.
  4. Is there a fix for CVE-2026-42462? Yes. CVE-2026-42462 is fixed in 2.2.3, 2.1.14, 2.0.18, 1.10.10, 1.9.11. Upgrade to one of these versions or later.
  5. Is CVE-2026-42462 exploitable, and should I be worried? Whether CVE-2026-42462 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  6. What actually determines whether CVE-2026-42462 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-42462?
    • Upgrade @fedify/fedify to 2.2.3 or later
    • Upgrade @fedify/fedify to 2.1.14 or later
    • Upgrade @fedify/fedify to 2.0.18 or later
    • Upgrade @fedify/fedify to 1.10.10 or later
    • Upgrade @fedify/fedify to 1.9.11 or later

Other vulnerabilities in @fedify/fedify

CVE-2026-42462
CVE-2025-68475
CVE-2025-54888
CVE-2025-23221
CVE-2024-39687
