Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Federation network delivery requires no victim-side auth (AV:N/PR:N/AC:L); impact limited to low integrity spoofing and minor availability disruption; no confidentiality breach.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
Mastodon is a free, open-source social network server based on ActivityPub. Prior to 4.5.10, 4.4.17, and 4.3.23, Mastodon's normalization of incoming activities signed with Linked-Data Signatures does not sufficiently protect the activities from a certain class of spoofing, allowing threat actors to remove JSON entries from valid signed activities from a third-party actor. This vulnerability is fixed in 4.5.10, 4.4.17, and 4.3.23.
AnalysisAI
Linked-Data Signature normalization in Mastodon allows unauthenticated remote attackers to remove JSON entries from valid signed ActivityPub activities, effectively spoofing or distorting federated content attributed to legitimate third-party actors. All Mastodon instances prior to versions 4.5.10, 4.4.17, and 4.3.23 are affected across all maintained release branches. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target Mastodon instance has federation enabled and is configured to accept activities from external ActivityPub servers, which is the default configuration for all public Mastodon deployments. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD-assigned CVSS 3.1 base score of 6.5 with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L accurately characterizes this as a remotely exploitable, low-complexity flaw requiring no authentication and no user interaction, yielding limited integrity and marginal availability impact with no confidentiality breach. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker operating a rogue ActivityPub server intercepts or independently relays a legitimately signed activity from a trusted third-party Mastodon actor, stripping specific JSON-LD entries from the payload before forwarding it to the target instance. The target Mastodon server's normalization process accepts the manipulated activity as cryptographically valid because the LD-Signature check passes despite the removed entries, causing the instance to process spoofed or distorted content - such as altered post bodies or manipulated relationship events - as if originating from the legitimate actor. … |
| Remediation | Vendor-released patches are available: upgrade to Mastodon 4.5.10, 4.4.17, or 4.3.23 depending on the currently deployed release branch, as confirmed by the vendor advisory at https://github.com/mastodon/mastodon/security/advisories/GHSA-53m7-2wrh-q839. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Mastodon through 4.0.2 allows attackers to cause a denial of service (large Sidekiq pull queue) by creating bot accounts
Mastodon is a free, open-source social network server based on ActivityPub. Rated high severity (CVSS 7.4), this vulnera
Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for aut
Mastodon is a free, open-source social network server based on ActivityPub. Rated critical severity (CVSS 9.9), this vul
Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for aut
Improper Restriction of Excessive Authentication Attempts in GitHub repository mastodon/mastodon prior to 4.0.0. Rated c
Server-Side Request Forgery in Mastodon before 4.5.10, 4.4.17, and 4.3.23 lets attackers coerce the server into issuing
Server-side request forgery in Mastodon (versions before 4.5.10, 4.4.17, and 4.3.23) lets an attacker who controls autho
Unauthenticated attackers can bypass FASP administrator approval in Mastodon 4.4.0-4.4.13 and 4.5.0-4.5.6 to subscribe t
Mastodon is a free, open-source social network server based on ActivityPub. Prior to v4.5.9, v4.4.16, and v4.3.22, Masto
Mastodon is a self-hosted, federated microblogging platform. Rated high severity (CVSS 8.2), this vulnerability is remot
Mastodon is a free, open-source social network server based on ActivityPub. Rated high severity (CVSS 7.7), this vulnera
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39056