JSON-LD Restructuring Vulnerability in Fedify Library by Fedify
CVE-2026-42462

7HIGH

Key Information:

Vendor

Fedify-dev

Status
Vendor
CVE Published:
10 June 2026

What is CVE-2026-42462?

The Fedify library, a TypeScript tool for creating federated server applications, is vulnerable to an issue involving JSON-LD processing. Attackers may exploit specific features of JSON-LD to modify the structure of a document without altering its Linked Data Signature. This manipulation can lead to the unauthorized alteration of third-party signed activities. Vulnerable versions include 1.9.10, 1.10.9, 2.0.17, 2.1.13, and 2.2.2. Users are advised to upgrade to fixed versions 1.9.11, 1.10.10, 2.0.18, 2.1.14, or 2.2.3 to mitigate this issue.

Affected Version(s)

fedify >= 2.2.0, < 2.2.3 < 2.2.0, 2.2.3

fedify >= 2.1.0, < 2.1.14 < 2.1.0, 2.1.14

fedify >= 2.0.0, < 2.0.18 < 2.0.0, 2.0.18

References

CVSS V3.1

Score:
7
Severity:
HIGH
Confidentiality:
Low
Integrity:
High
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.