BotKit security updates: 0.3.3 and 0.4.2 #22
dahlia announced in Announcements
If you use BotKit, update to a patched release now. CVE-2026-42462 affects Fedify's Linked Data Signature handling, and BotKit inherits the exposure through its dependency on Fedify.
The vulnerability allows an attacker to use JSON-LD graph-restructuring features, specifically @graph, @included, and @reverse, to reshape a signed ActivityPub activity without invalidating its Linked Data Signature. This can cause BotKit (via Fedify) to interpret a different ActivityPub object shape than was originally signed. The fix normalizes Linked Data Signature-verified activities against Fedify's local JSON-LD context before interpreting them, and rejects the JSON-LD constructs that enable the attack.

All versions of BotKit up to 0.3.2 (in the 0.3.x branch) and 0.4.1 (in the 0.4.x branch) are affected. Patched releases are 0.3.3 and 0.4.2.
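As an added illustration of the "reject the constructs" half of the fix described above (example code written for this page, not Fedify's or BotKit's own implementation): a guard that walks an incoming JSON-LD document and refuses it if @graph, @included or @reverse appears as a key anywhere, including inside nested objects and inside an inline @context, where @reverse can also show up in term definitions. The sample activities are constructed for the example; the normalization against a local JSON-LD context that the real fix also performs is not reproduced here.

```typescript
// Added example, not Fedify or BotKit code. Guard against JSON-LD
// graph-restructuring keywords before an activity is interpreted.

const FORBIDDEN_KEYWORDS: ReadonlySet<string> = new Set(["@graph", "@included", "@reverse"]);

type JsonValue =
  | null
  | boolean
  | number
  | string
  | JsonValue[]
  | { [key: string]: JsonValue };

// Returns the JSON path of the first forbidden keyword found, or null if the
// document is clean. Descends into every object and array, so a keyword hidden
// several levels deep (or inside an inline @context) is still caught.
function findGraphRestructuring(value: JsonValue, path = "$"): string | null {
  if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) {
      const hit = findGraphRestructuring(value[i], `${path}[${i}]`);
      if (hit !== null) return hit;
    }
    return null;
  }
  if (value !== null && typeof value === "object") {
    for (const [key, child] of Object.entries(value)) {
      if (FORBIDDEN_KEYWORDS.has(key)) return `${path}.${key}`;
      const hit = findGraphRestructuring(child, `${path}.${key}`);
      if (hit !== null) return hit;
    }
  }
  return null;
}

// Throws on a forbidden keyword; otherwise hands the document back unchanged so
// it can sit in front of whatever parses the activity into an object model.
function assertNoGraphRestructuring<T extends JsonValue>(doc: T): T {
  const hit = findGraphRestructuring(doc);
  if (hit !== null) {
    throw new Error(`rejected JSON-LD document: ${hit} is not allowed`);
  }
  return doc;
}

// Constructed sample: an ordinary Create activity with a placeholder
// Linked Data Signature block (signatureValue is not a real signature).
const plainActivity: JsonValue = {
  "@context": ["https://www.w3.org/ns/activitystreams", "https://w3id.org/security/v1"],
  id: "https://example.test/activities/1",
  type: "Create",
  actor: "https://example.test/users/alice",
  object: { id: "https://example.test/notes/1", type: "Note", content: "hello" },
  signature: {
    type: "RsaSignature2017",
    creator: "https://example.test/users/alice#main-key",
    signatureValue: "placeholder",
  },
};

// Constructed sample: the same activity with an @reverse block nested in the object.
const restructuredActivity: JsonValue = {
  "@context": ["https://www.w3.org/ns/activitystreams", "https://w3id.org/security/v1"],
  id: "https://example.test/activities/1",
  type: "Create",
  actor: "https://example.test/users/alice",
  object: {
    id: "https://example.test/notes/1",
    type: "Note",
    content: "hello",
    "@reverse": { attributedTo: { id: "https://example.test/users/mallory" } },
  },
  signature: {
    type: "RsaSignature2017",
    creator: "https://example.test/users/alice#main-key",
    signatureValue: "placeholder",
  },
};

// Constructed sample: the activity wrapped in a top-level @graph array.
const graphWrappedActivity: JsonValue = {
  "@context": "https://www.w3.org/ns/activitystreams",
  "@graph": [{ id: "https://example.test/activities/1", type: "Create" }],
};

// Stand-alone run: prints the hit path for each constructed document.
for (const [name, doc] of Object.entries({ plainActivity, restructuredActivity, graphWrappedActivity })) {
  console.log(name, "->", findGraphRestructuring(doc) ?? "clean");
}
```

Run the check on the raw JSON as soon as it is received, before the document is expanded or mapped into an object model, so the shape that was verified is the shape that gets interpreted. The cost of a blanket key-name ban is that it also refuses legitimate inline contexts that define terms with @reverse; the advisory treats that trade-off as acceptable for signed activities, and a deployment that needs such terms would have to allow them only in a vetted local context rather than in attacker-supplied input.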
For BotKit 0.4.x, update @fedify/botkit to 0.4.2. For BotKit 0.3.x, update @fedify/botkit to 0.3.3. If you use other BotKit-related packages (e.g., @fedify/botkit-postgres), update them as well. After updating, redeploy.

The CVE ID is CVE-2026-42462. See also fedify-dev/fedify#773 for Fedify's own announcement.
Thanks to @ClearlyClaire for the report and responsible disclosure.
If anything is unclear, feel free to ask on GitHub Discussions or Matrix.