Fix ReDoS vulnerability in HTML parsing (CVE-2025-68475)
The document loader's HTML parsing regex contained nested quantifiers that caused catastrophic backtracking when processing maliciously crafted HTML responses. An attacker-controlled server could respond with a small (~170 bytes) payload that blocked the event loop for 14+ seconds.

Changes:

- Replace vulnerable regex with safe patterns without nested quantifiers
- Add 1MB HTML response size limit as additional mitigation
- Add regression test for ReDoS resistance
- Pin Deno version to 2.4.5 in CI workflow

https://github.com/fedify-dev/fedify/security/advisories/GHSA-rchf-xwx2-hm93

Co-Authored-By: Claude <noreply@anthropic.com>
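The following is an added example and is not code from the fedify project or from this commit. It shows the two mitigations the message describes, a byte-size cap on the HTML body applied before any regex runs, and link-tag and attribute patterns built from single negated character classes so that no quantifier is nested, in a small `<link rel="alternate">` extractor. The function and constant names (`extractAlternateLinks`, `parseAttributes`, `MAX_HTML_BYTES`), the sample HTML, and the vulnerable regex shape quoted in the comment are all assumptions made for illustration; the actual regex that was replaced is not shown on this page.

```typescript
// Added example, not fedify's code. Names and sample data are assumptions.

// Mirrors the 1 MB response limit described in the commit message.
const MAX_HTML_BYTES = 1_000_000;

interface AlternateLink {
  type: string;
  href: string;
}

// Shape to avoid (illustrative only, NOT the pattern that was in fedify):
//   /<link(\s*[^>]*)+>/
// `\s*` and `[^>]*` can both consume the same whitespace, and the outer `+`
// lets the engine try every way of splitting the attribute text between
// iterations, so a `<link` with no closing `>` costs O(2^n) to reject.

// Safe: one negated class per region. No character can be claimed by two
// different sub-patterns, so a failing match backtracks linearly.
const LINK_TAG = /<link\b[^>]*>/gi;

// name = "value" | 'value' | bareword. The alternatives start with distinct
// characters and each is a single negated class: no overlap, no nesting.
const ATTRIBUTE = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

// Lower-cases attribute names; the first matching group that captured wins.
function parseAttributes(tag: string): Map<string, string> {
  const attrs = new Map<string, string>();
  for (const m of tag.matchAll(ATTRIBUTE)) {
    attrs.set(m[1].toLowerCase(), m[2] ?? m[3] ?? m[4] ?? "");
  }
  return attrs;
}

// Returns every <link rel="alternate" ...> that carries a type and href.
// Throws RangeError when the body exceeds `limit` bytes, so an oversized
// response is rejected before any pattern touches it.
function extractAlternateLinks(
  html: string,
  limit: number = MAX_HTML_BYTES,
): AlternateLink[] {
  const bytes = new TextEncoder().encode(html).byteLength;
  if (bytes > limit) {
    throw new RangeError(`HTML body is ${bytes} bytes; limit is ${limit}`);
  }
  const links: AlternateLink[] = [];
  for (const m of html.matchAll(LINK_TAG)) {
    const attrs = parseAttributes(m[0]);
    const rel = attrs.get("rel") ?? "";
    const type = attrs.get("type");
    const href = attrs.get("href");
    if (rel.split(/\s+/).includes("alternate") && type && href) {
      links.push({ type, href });
    }
  }
  return links;
}

// Constructed sample body (not captured from any real server).
const SAMPLE_HTML = `<!doctype html><html><head>
<link rel="stylesheet" href="/style.css">
<link rel="alternate" type="application/activity+json" href="https://example.com/users/alice">
<link rel='alternate' type='application/atom+xml' href='https://example.com/feed.atom'>
</head><body>hi</body></html>`;

// Usage: extractAlternateLinks(SAMPLE_HTML) yields the two alternate links;
// extractAlternateLinks("<link " + "a ".repeat(5000)) returns [] in linear
// time because `[^>]*` backtracks once per character and never re-splits.
```

The size cap is defence in depth rather than a substitute for the pattern fix: even a linear-time regex does work proportional to the body, and an origin under attacker control can otherwise send an arbitrarily large one. Checking the byte length before matching keeps the worst case bounded by the limit instead of by the peer.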