the may 2026 fedi software vulnerability
Summary
A personal analysis of a May 2026 vulnerability in Fediverse software involving ld-signatures (Linked Data Signatures) in ActivityPub. The post explains how a mismatch between the RDF triples that the signature actually covers and the JSON-LD document that the receiving application processes can let an attacker influence what a signed object is taken to say, and notes that Mastodon and other Fediverse projects should patch. It covers the root cause, discusses mitigations such as rejecting certain JSON-LD constructs (@included, @graph, @reverse) before the document is processed, offers a broader critique of JSON-LD use in decentralized ecosystems, and describes the involvement of Doyensec and Anthropic in reporting the issue.
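As an added example (not code from the post, nor from Mastodon or any other Fediverse project), here is a pre-parse filter in Python that implements the mitigation the summary names: walk the raw inbound JSON and refuse the document if any of the listed JSON-LD keywords appears at any depth, before signature verification or JSON-LD expansion. The keyword set, the function names and the two sample payloads are constructed for illustration; a real deployment would pick its own keyword list.

```python
import json
from typing import Any

# Keywords named in the post as candidates for rejection. Treating exactly this
# set as forbidden is an assumption for this example.
FORBIDDEN_KEYWORDS = frozenset({"@included", "@graph", "@reverse"})


class UnsafeJsonLd(ValueError):
    """Raised when an inbound document uses a keyword the receiver refuses to process."""


def find_forbidden_keywords(node: Any, path: str = "$") -> list[str]:
    """Return JSONPath-like locations of every forbidden keyword, at any depth.

    The walk runs over the raw parsed JSON, before any JSON-LD expansion, so the
    check sees the document as the sender delivered it rather than a processed view.
    """
    hits: list[str] = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}"
            if key in FORBIDDEN_KEYWORDS:
                hits.append(here)
            hits.extend(find_forbidden_keywords(value, here))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(find_forbidden_keywords(item, f"{path}[{i}]"))
    return hits


def scan_raw(raw: str) -> list[str]:
    """Parse a raw payload string and report forbidden keyword locations."""
    return find_forbidden_keywords(json.loads(raw))


def accept_activity(raw: str) -> dict:
    """Parse an inbound ActivityPub payload, refusing it if it uses a forbidden keyword.

    Rejection happens before signature verification and before the object is
    handed to any JSON-LD processor, so these constructs never reach code that
    might interpret the document differently from what the signature covered.
    """
    doc = json.loads(raw)
    hits = find_forbidden_keywords(doc)
    if hits:
        raise UnsafeJsonLd("forbidden JSON-LD keyword(s) at " + ", ".join(hits))
    return doc


def is_acceptable(raw: str) -> bool:
    """Boolean convenience wrapper around accept_activity."""
    try:
        accept_activity(raw)
    except (UnsafeJsonLd, ValueError):
        return False
    return True


# Constructed sample payloads (not captured traffic).
BENIGN = json.dumps({
    "@context": "https://www.w3.org/ns/activitystreams",
    "type": "Create",
    "actor": "https://example.org/users/alice",
    "object": {"type": "Note", "content": "hello"},
})

SUSPICIOUS = json.dumps({
    "@context": "https://www.w3.org/ns/activitystreams",
    "type": "Create",
    "actor": "https://example.org/users/alice",
    "object": {"type": "Note", "content": "hello",
               "@included": [{"type": "Note", "content": "extra"}]},
    "@graph": [],
})

if __name__ == "__main__":
    print("benign:", scan_raw(BENIGN))          # []
    print("suspicious:", scan_raw(SUSPICIOUS))  # ['$.object.@included', '$.@graph']
```

The filter is deliberately applied to the raw JSON rather than to an expanded or compacted form: the point of the mitigation is that the receiver never lets a JSON-LD processor see these constructs at all, so the check has to run before any processing that could rewrite or hide them.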