Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable SSRF with low complexity and no auth/UI; scope changes to backend loopback services with limited read/write of internal resources, so S:C and C:L/I:L.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Mastodon is a free, open-source social network server based on ActivityPub. Prior to 4.5.10, 4.4.17, and 4.3.23, the list of disallowed IP address ranges was lacking an IP address range that can be used to reach local IP addresses. An attacker can use an IP address in the affected range to make Mastodon perform HTTP requests against loopback interfaces, potentially allowing access to otherwise private resources and services. This vulnerability is fixed in 4.5.10, 4.4.17, and 4.3.23.
AnalysisAI
Server-Side Request Forgery in Mastodon before 4.5.10, 4.4.17, and 4.3.23 lets attackers coerce the server into issuing HTTP requests to loopback interfaces, reaching private resources and internal services that should be unreachable from the public internet. The flaw stems from an incomplete IP-range blocklist that omitted a range capable of resolving to local addresses. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires Mastodon to be induced to fetch an attacker-controlled URL - i.e., it depends on Mastodon's outbound HTTP fetch behavior (link-preview/oEmbed generation, remote media retrieval, or ActivityPub actor/object resolution) being reachable by the attacker, and on the target host actually running services on its loopback interface that are worth reaching. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N, VC:N/VI:H/VA:N, score 8.7 High) indicates a remotely reachable, low-complexity issue with no privileges or user interaction and a high integrity impact, while curiously rating confidentiality as none - a notable inconsistency given that SSRF to loopback is typically used to READ private resources, suggesting the VI:H/VC:N split may reflect the ability to drive state-changing requests against internal services rather than pure data exfiltration. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker submits or federates content containing a crafted URL whose host resolves to an address in the previously-unfiltered range; when Mastodon fetches it for a link preview, media, or actor resolution, the request lands on the server's loopback interface. The attacker thereby probes or interacts with internal-only services (admin endpoints, caches, metadata services) that are firewalled off from the public internet. … |
| Remediation | Upgrade to a fixed release on your branch: Vendor-released patch 4.5.10, 4.4.17, or 4.3.23 - apply whichever matches your deployed major version (per GHSA-crr4-7rm4-8gpw at https://github.com/mastodon/mastodon/security/advisories/GHSA-crr4-7rm4-8gpw). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all Mastodon instances in your infrastructure and document current versions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Mastodon through 4.0.2 allows attackers to cause a denial of service (large Sidekiq pull queue) by creating bot accounts
Mastodon is a free, open-source social network server based on ActivityPub. Rated high severity (CVSS 7.4), this vulnera
Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for aut
Mastodon is a free, open-source social network server based on ActivityPub. Rated critical severity (CVSS 9.9), this vul
Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for aut
Improper Restriction of Excessive Authentication Attempts in GitHub repository mastodon/mastodon prior to 4.0.0. Rated c
Server-side request forgery in Mastodon (versions before 4.5.10, 4.4.17, and 4.3.23) lets an attacker who controls autho
Unauthenticated attackers can bypass FASP administrator approval in Mastodon 4.4.0-4.4.13 and 4.5.0-4.5.6 to subscribe t
Mastodon is a free, open-source social network server based on ActivityPub. Prior to v4.5.9, v4.4.16, and v4.3.22, Masto
Mastodon is a self-hosted, federated microblogging platform. Rated high severity (CVSS 8.2), this vulnerability is remot
Mastodon is a free, open-source social network server based on ActivityPub. Rated high severity (CVSS 7.7), this vulnera
Denial of service in Mastodon affects all self-hosted instances prior to 4.5.11, 4.4.18, and 4.3.24, where the math cont
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39053