Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Unauthenticated network-triggered outbound fetch (PR:N/UI:N/AV:N/AC:L) crosses a trust boundary to internal services (S:C) exposing data (C:H); no integrity or availability impact.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
Mastodon is a free, open-source social network server based on ActivityPub. Prior to 4.5.10, 4.4.17, and 4.3.23, when using Ruby versions older than 3.4, PrivateAddressCheck.private_address? returns false for IPv4-mapped IPv6 addresses (::ffff:a.b.c.d) corresponding to some private IPv4 addresses, depending on Ruby version, this can include loopback, RFC1918 private networks, and link-local space. An attacker who controls DNS for any domain can publish an AAAA record with such a mapped address; any outbound HTTP fetch Mastodon performs against that hostname then opens a real TCP connection to the underlying IPv4 address, including 127.0.0.1 and cloud-metadata endpoints such as 169.254.169.254. This vulnerability is fixed in 4.5.10, 4.4.17, and 4.3.23.
AnalysisAI
Server-side request forgery in Mastodon (versions before 4.5.10, 4.4.17, and 4.3.23) lets an attacker who controls authoritative DNS for a hostname bypass Mastodon's private-network filter and force the server to connect to internal IPv4 endpoints. The flaw stems from PrivateAddressCheck.private_address? …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires (1) the target Mastodon instance to be running on a Ruby interpreter older than 3.4 - instances on Ruby 3.4+ are not affected; (2) the attacker to control authoritative DNS for a hostname and publish an AAAA record encoding an IPv4-mapped IPv6 address (::ffff:a.b.c.d) such as ::ffff:127.0.0.1 or ::ffff:169.254.169.254; and (3) a code path that causes Mastodon to perform an outbound HTTP fetch against that hostname (link preview, remote actor/object resolution, media or webfinger lookup). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N, 8.6) indicates network-reachable, low-complexity, unauthenticated exploitation with a scope change and high confidentiality impact - consistent with classic SSRF reaching a cloud-metadata service. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers a domain, points an AAAA record at ::ffff:169.254.169.254, and gets a Mastodon instance to fetch a URL on that hostname (for example by submitting it as a link, remote profile, or object reference so the server generates a preview or resolves it). Because the private-address check passes the mapped address, the server opens a connection to the cloud metadata service and returns or processes the response, potentially leaking IAM credentials or internal service data. … |
| Remediation | Vendor-released patch: upgrade to Mastodon 4.5.10, 4.4.17, or 4.3.23 (whichever matches your branch), per advisory GHSA-xx55-4rrg-8xg6 (https://github.com/mastodon/mastodon/security/advisories/GHSA-xx55-4rrg-8xg6). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all Mastodon instances and identify versions running before 4.5.10, 4.4.17, or 4.3.23. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Mastodon through 4.0.2 allows attackers to cause a denial of service (large Sidekiq pull queue) by creating bot accounts
Mastodon is a free, open-source social network server based on ActivityPub. Rated high severity (CVSS 7.4), this vulnera
Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for aut
Mastodon is a free, open-source social network server based on ActivityPub. Rated critical severity (CVSS 9.9), this vul
Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for aut
Improper Restriction of Excessive Authentication Attempts in GitHub repository mastodon/mastodon prior to 4.0.0. Rated c
Server-Side Request Forgery in Mastodon before 4.5.10, 4.4.17, and 4.3.23 lets attackers coerce the server into issuing
Unauthenticated attackers can bypass FASP administrator approval in Mastodon 4.4.0-4.4.13 and 4.5.0-4.5.6 to subscribe t
Mastodon is a free, open-source social network server based on ActivityPub. Prior to v4.5.9, v4.4.16, and v4.3.22, Masto
Mastodon is a self-hosted, federated microblogging platform. Rated high severity (CVSS 8.2), this vulnerability is remot
Mastodon is a free, open-source social network server based on ActivityPub. Rated high severity (CVSS 7.7), this vulnera
Denial of service in Mastodon affects all self-hosted instances prior to 4.5.11, 4.4.18, and 4.3.24, where the math cont
Same weakness CWE-184 – Incomplete List of Disallowed Inputs
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39055