Skip to main content

Mastodon

38 CVEs product

Monthly

CVE-2026-50129 HIGH PATCH This Week

Denial of service in Mastodon affects all self-hosted instances prior to 4.5.11, 4.4.18, and 4.3.24, where the math content sanitizer fails to handle exceptions raised while processing malformed `<math>` nodes (MathML). A remote attacker can craft content containing broken math markup that propagates an uncaught exception, crashing whole-server services or disrupting service for targeted users depending on which component processes the malformed node. No public exploit has been identified at time of analysis, and the issue is not in CISA KEV; CVSS is 7.5 with availability-only impact.

Information Disclosure Mastodon
NVD GitHub
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-50128 MEDIUM PATCH This Month

Signature bypass in Mastodon's ActivityPub federation layer allows remote unauthenticated attackers to falsely attribute article authorship by manipulating the `toot:attributionDomains` property of signed Update activities. Affected are all Mastodon instances running versions 4.3.0 through 4.5.10 or 4.4.x through 4.4.17, where a JSON-LD definition error renders Linked Data Signatures on this specific property non-binding. No public exploit code and no CISA KEV listing have been identified at time of analysis, but the low attack complexity (CVSS AV:N/AC:L/PR:N) and the federated, internet-exposed nature of the protocol make exploitation straightforward for any actor able to send ActivityPub messages.

Authentication Bypass Mastodon
NVD GitHub
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-48028 MEDIUM PATCH This Month

Linked-Data Signature normalization in Mastodon allows unauthenticated remote attackers to remove JSON entries from valid signed ActivityPub activities, effectively spoofing or distorting federated content attributed to legitimate third-party actors. All Mastodon instances prior to versions 4.5.10, 4.4.17, and 4.3.23 are affected across all maintained release branches. The CVSS vector (AV:N/AC:L/PR:N/UI:N) reflects low-complexity network exploitation with no authentication required; no public exploit has been identified at time of analysis and this vulnerability is not listed in CISA KEV.

Information Disclosure Mastodon
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-47389 HIGH PATCH This Week

Server-side request forgery in Mastodon (versions before 4.5.10, 4.4.17, and 4.3.23) lets an attacker who controls authoritative DNS for a hostname bypass Mastodon's private-network filter and force the server to connect to internal IPv4 endpoints. The flaw stems from PrivateAddressCheck.private_address? returning false for IPv4-mapped IPv6 addresses (::ffff:a.b.c.d) on Ruby releases older than 3.4, so a malicious AAAA record can redirect any outbound fetch to loopback (127.0.0.1), RFC1918 hosts, or cloud-metadata services like 169.254.169.254. No public exploit identified at time of analysis, but the CVSS 8.6 (scope-changed, high confidentiality) rating reflects direct exposure of internal services and instance credentials.

Information Disclosure Mastodon
NVD GitHub
CVSS 3.1
8.6
EPSS
0.2%
CVE-2026-46349 MEDIUM PATCH This Month

Linked-Data Signature normalization in Mastodon's ActivityPub federation layer permits activity spoofing against servers running versions prior to 4.5.10, 4.4.17, and 4.3.23. An attacker can take a legitimately signed JSON-LD activity from a real third-party actor, re-arrange its structure, and relay it to a target Mastodon instance where it passes signature validation but is interpreted with altered semantic meaning. No public exploit has been identified at time of analysis, and this vulnerability is not listed in CISA KEV, though the integrity impact on federated social graph trust is meaningful for operators of public-facing instances.

Jwt Attack Information Disclosure Mastodon
NVD GitHub
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-46348 HIGH PATCH This Week

Server-Side Request Forgery in Mastodon before 4.5.10, 4.4.17, and 4.3.23 lets attackers coerce the server into issuing HTTP requests to loopback interfaces, reaching private resources and internal services that should be unreachable from the public internet. The flaw stems from an incomplete IP-range blocklist that omitted a range capable of resolving to local addresses. No public exploit identified at time of analysis; the upstream advisory (GHSA-crr4-7rm4-8gpw) accompanies the fixed releases.

SSRF Mastodon
NVD GitHub
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-47777 HIGH PATCH This Week

Authorization bypass in Mastodon's experimental Collections feature allows remote attackers to forge FeatureAuthorization objects and falsely list non-consenting accounts in remote Collections. The flaw stems from a missing cross-reference between the featured object's actor URI and the authorization's interactionTarget, letting an attacker assert consent on behalf of another account on the same domain. Patched in 4.6.0-beta.1; no public exploit identified at time of analysis and the issue only manifests when the EXPERIMENTAL_FEATURES env var explicitly enables 'collections'.

Authentication Bypass Mastodon
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-41259 HIGH PATCH This Week

Mastodon is a free, open-source social network server based on ActivityPub. Prior to v4.5.9, v4.4.16, and v4.3.22, Mastodon allows restricting new user sign-up based on e-mail domain names, and performs basic validation on e-mail addresses, but fails to restrict characters that are interpreted differently by some mailing servers. This vulnerability is fixed in v4.5.9, v4.4.16, and v4.3.22.

Information Disclosure Mastodon
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.0%
CVE-2026-33869 MEDIUM PATCH This Month

Mastodon versions 4.5.x before 4.5.8 and 4.4.x before 4.4.15 allow unauthenticated attackers with prior knowledge of a quote to prevent its correct processing on a target server, resulting in limited integrity and availability impact. The vulnerability exploits timing and knowledge of ActivityPub quote structures to disrupt social content distribution. Patches are available in Mastodon 4.5.8 and 4.4.15; versions 4.3 and earlier are unaffected due to lack of quote support.

Authentication Bypass Mastodon
NVD GitHub
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-27477 MEDIUM PATCH This Month

Mastodon servers with the experimental FASP feature enabled are vulnerable to Server-Side Request Forgery (SSRF) attacks, allowing unauthenticated attackers to register accounts with arbitrary base URLs that force the server to make requests to internal or local addresses. While attackers cannot control the full request path or view responses, this exposure of internal systems to external manipulation could facilitate reconnaissance or attacks on backend infrastructure. Affected versions are 4.4.0-4.4.13 and 4.5.0-4.5.6; a patch is available.

SSRF Mastodon
NVD GitHub
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-27468 HIGH PATCH This Week

Unauthenticated attackers can bypass FASP administrator approval in Mastodon 4.4.0-4.4.13 and 4.5.0-4.5.6 to subscribe to account events and request content backfill, affecting only servers with the experimental FASP feature enabled. While individual requests cause minor information disclosure of publicly available URIs, repeated exploitation enables denial-of-service attacks. A patch is available to address this authorization bypass.

Denial Of Service Authentication Bypass Mastodon
NVD GitHub
CVSS 3.1
8.2
EPSS
0.1%
CVE-2026-25540 MEDIUM This Month

Mastodon versions prior to 4.3.19, 4.4.13, and 4.5.6 are vulnerable to web cache poisoning in ActivityPub endpoints when AUTHORIZED_FETCH is enabled, allowing cached responses to be served across different user contexts regardless of request signing. An attacker could exploit this to view content intended for non-blocked accounts or cause blocked users to receive empty responses meant for them, potentially bypassing access controls. No patch is currently available for affected deployments.

Information Disclosure Mastodon
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-23964 MEDIUM This Month

Mastodon is a free, open-source social network server based on ActivityPub. [CVSS 6.5 MEDIUM]

Authentication Bypass Mastodon
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-23963 MEDIUM This Month

Mastodon prior to versions 4.5.5, 4.4.12, and 4.3.18 lacks input validation on list and filter names, allowing authenticated users to create arbitrarily long strings that consume excessive server resources and storage. A local attacker can exploit this to degrade system performance or render their own web interface unusable, though no patch is currently available for affected versions.

Denial Of Service Mastodon
NVD GitHub
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-23962 HIGH This Week

Mastodon is a free, open-source social network server based on ActivityPub. [CVSS 7.5 HIGH]

Denial Of Service Mastodon
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-23961 MEDIUM This Month

Suspended remote users in Mastodon can bypass suspension restrictions and have their posts appear in timelines through boosting and post processing logic errors. This affects all Mastodon versions for older posts, with additional bypass capabilities in versions 4.5.0-4.5.4, 4.4.5-4.4.11, 4.3.13-4.3.17, and 4.2.26-4.2.29, allowing suspended users to inject new content into the system. No patch is currently available for this integrity issue.

Authentication Bypass Mastodon
NVD GitHub
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-22246 MEDIUM PATCH This Month

Mastodon versions prior to 4.3.17, 4.4.11, and 4.5.4 fail to validate ownership when retrieving severed relationship lists, allowing any authenticated user to enumerate all lost followers and followed accounts across all severance events. This information disclosure vulnerability affects multi-user Mastodon instances where relationship changes due to moderation actions are visible to unauthorized users. An attacker with a local account can systematically access relationship data they should not have permission to view.

Golang Mastodon
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-22245 HIGH PATCH This Week

Mastodon's IP address filtering bypass (CWE-918) permits attackers to craft requests using unblocked IP ranges to reach local and loopback services, potentially exposing private resources and internal APIs. An unauthenticated remote attacker can exploit incomplete private address range validation in Mastodon instances to perform Server-Side Request Forgery (SSRF) attacks. Patched versions 4.5.4, 4.4.11, 4.3.17, and 4.2.29 are available.

SSRF Mastodon
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-54879 MEDIUM PATCH This Month

Mastodon is a free, open-source social network server based on ActivityPub Mastodon which facilitates LDAP configuration for authentication. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Allocation of Resources Without Limits vulnerability could allow attackers to exhaust system resources through uncontrolled allocation.

Denial Of Service Mastodon
NVD GitHub
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-27399 MEDIUM PATCH This Month

Mastodon is a self-hosted, federated microblogging platform. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Mastodon
NVD GitHub
CVSS 3.1
5.3
EPSS
0.2%
CVE-2025-27157 MEDIUM PATCH This Month

Mastodon is a self-hosted, federated microblogging platform. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Allocation of Resources Without Limits vulnerability could allow attackers to exhaust system resources through uncontrolled allocation.

Denial Of Service Mastodon
NVD GitHub
CVSS 3.1
5.3
EPSS
0.2%
CVE-2024-34535 MEDIUM This Month

In Mastodon 4.1.6, API endpoint rate limiting can be bypassed by setting a crafted HTTP request header. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable. No vendor patch available.

Authentication Bypass Request Smuggling Mastodon
NVD GitHub
CVSS 3.1
5.9
EPSS
0.4%
CVE-2024-37903 HIGH PATCH This Week

Mastodon is a self-hosted, federated microblogging platform. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

Authentication Bypass Mastodon
NVD GitHub
CVSS 3.1
8.2
EPSS
0.5%
CVE-2024-25623 HIGH PATCH This Week

Mastodon is a free, open-source social network server based on ActivityPub. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

File Upload Mastodon
NVD GitHub
CVSS 3.1
7.7
EPSS
0.5%
CVE-2024-25619 MEDIUM PATCH This Month

Mastodon is a free, open-source social network server based on ActivityPub. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Mastodon
NVD GitHub
CVSS 3.1
4.3
EPSS
0.4%
CVE-2024-25618 HIGH POC PATCH This Week

Mastodon is a free, open-source social network server based on ActivityPub. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Authentication Bypass Microsoft Mastodon
NVD GitHub
CVSS 3.1
7.4
EPSS
0.5%
CVE-2024-23832 CRITICAL PATCH Act Now

Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for authentication. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Mastodon
NVD GitHub
CVSS 3.1
9.8
EPSS
2.5%
CVE-2023-42452 MEDIUM PATCH This Month

Mastodon is a free, open-source social network server based on ActivityPub. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Mastodon
NVD GitHub
CVSS 3.1
5.4
EPSS
0.4%
CVE-2023-42451 HIGH PATCH This Week

Mastodon is a free, open-source social network server based on ActivityPub. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Mastodon
NVD GitHub
CVSS 3.1
7.5
EPSS
0.6%
CVE-2023-42450 HIGH PATCH This Week

Mastodon is a free, open-source social network server based on ActivityPub. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Code Injection Mastodon
NVD GitHub
CVSS 3.1
7.5
EPSS
0.4%
CVE-2023-36462 MEDIUM PATCH This Month

Mastodon is a free, open-source social network server based on ActivityPub. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Mastodon
NVD GitHub
CVSS 3.1
5.4
EPSS
0.6%
CVE-2023-36461 HIGH PATCH This Week

Mastodon is a free, open-source social network server based on ActivityPub. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Allocation of Resources Without Limits vulnerability could allow attackers to exhaust system resources through uncontrolled allocation.

Denial Of Service Mastodon
NVD GitHub
CVSS 3.1
7.5
EPSS
1.3%
CVE-2023-36460 CRITICAL PATCH Act Now

Mastodon is a free, open-source social network server based on ActivityPub. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

RCE Path Traversal Denial Of Service Mastodon
NVD GitHub
CVSS 3.1
9.9
EPSS
40.1%
CVE-2023-36459 MEDIUM PATCH This Month

Mastodon is a free, open-source social network server based on ActivityPub. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Mastodon
NVD GitHub
CVSS 3.1
6.1
EPSS
1.2%
CVE-2023-28853 MEDIUM POC PATCH This Month

Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for authentication. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Information Disclosure Code Injection LDAP Mastodon
NVD GitHub
CVSS 3.1
6.5
EPSS
1.3%
CVE-2022-46405 HIGH POC This Week

Mastodon through 4.0.2 allows attackers to cause a denial of service (large Sidekiq pull queue) by creating bot accounts that follow attacker-controlled accounts on certain other servers associated. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Mastodon
NVD
CVSS 3.1
7.5
EPSS
0.9%
CVE-2022-2166 CRITICAL PATCH Act Now

Improper Restriction of Excessive Authentication Attempts in GitHub repository mastodon/mastodon prior to 4.0.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Mastodon
NVD GitHub
CVSS 3.1
9.8
EPSS
1.0%
CVE-2022-31263 MEDIUM PATCH This Month

app/models/user.rb in Mastodon before 3.5.0 allows a bypass of e-mail restrictions. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Mastodon
NVD GitHub
CVSS 3.1
5.3
EPSS
0.8%
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in Mastodon affects all self-hosted instances prior to 4.5.11, 4.4.18, and 4.3.24, where the math content sanitizer fails to handle exceptions raised while processing malformed `<math>` nodes (MathML). A remote attacker can craft content containing broken math markup that propagates an uncaught exception, crashing whole-server services or disrupting service for targeted users depending on which component processes the malformed node. No public exploit has been identified at time of analysis, and the issue is not in CISA KEV; CVSS is 7.5 with availability-only impact.

Information Disclosure Mastodon
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Signature bypass in Mastodon's ActivityPub federation layer allows remote unauthenticated attackers to falsely attribute article authorship by manipulating the `toot:attributionDomains` property of signed Update activities. Affected are all Mastodon instances running versions 4.3.0 through 4.5.10 or 4.4.x through 4.4.17, where a JSON-LD definition error renders Linked Data Signatures on this specific property non-binding. No public exploit code and no CISA KEV listing have been identified at time of analysis, but the low attack complexity (CVSS AV:N/AC:L/PR:N) and the federated, internet-exposed nature of the protocol make exploitation straightforward for any actor able to send ActivityPub messages.

Authentication Bypass Mastodon
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Linked-Data Signature normalization in Mastodon allows unauthenticated remote attackers to remove JSON entries from valid signed ActivityPub activities, effectively spoofing or distorting federated content attributed to legitimate third-party actors. All Mastodon instances prior to versions 4.5.10, 4.4.17, and 4.3.23 are affected across all maintained release branches. The CVSS vector (AV:N/AC:L/PR:N/UI:N) reflects low-complexity network exploitation with no authentication required; no public exploit has been identified at time of analysis and this vulnerability is not listed in CISA KEV.

Information Disclosure Mastodon
NVD GitHub
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Server-side request forgery in Mastodon (versions before 4.5.10, 4.4.17, and 4.3.23) lets an attacker who controls authoritative DNS for a hostname bypass Mastodon's private-network filter and force the server to connect to internal IPv4 endpoints. The flaw stems from PrivateAddressCheck.private_address? returning false for IPv4-mapped IPv6 addresses (::ffff:a.b.c.d) on Ruby releases older than 3.4, so a malicious AAAA record can redirect any outbound fetch to loopback (127.0.0.1), RFC1918 hosts, or cloud-metadata services like 169.254.169.254. No public exploit identified at time of analysis, but the CVSS 8.6 (scope-changed, high confidentiality) rating reflects direct exposure of internal services and instance credentials.

Information Disclosure Mastodon
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Linked-Data Signature normalization in Mastodon's ActivityPub federation layer permits activity spoofing against servers running versions prior to 4.5.10, 4.4.17, and 4.3.23. An attacker can take a legitimately signed JSON-LD activity from a real third-party actor, re-arrange its structure, and relay it to a target Mastodon instance where it passes signature validation but is interpreted with altered semantic meaning. No public exploit has been identified at time of analysis, and this vulnerability is not listed in CISA KEV, though the integrity impact on federated social graph trust is meaningful for operators of public-facing instances.

Jwt Attack Information Disclosure Mastodon
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Server-Side Request Forgery in Mastodon before 4.5.10, 4.4.17, and 4.3.23 lets attackers coerce the server into issuing HTTP requests to loopback interfaces, reaching private resources and internal services that should be unreachable from the public internet. The flaw stems from an incomplete IP-range blocklist that omitted a range capable of resolving to local addresses. No public exploit identified at time of analysis; the upstream advisory (GHSA-crr4-7rm4-8gpw) accompanies the fixed releases.

SSRF Mastodon
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Authorization bypass in Mastodon's experimental Collections feature allows remote attackers to forge FeatureAuthorization objects and falsely list non-consenting accounts in remote Collections. The flaw stems from a missing cross-reference between the featured object's actor URI and the authorization's interactionTarget, letting an attacker assert consent on behalf of another account on the same domain. Patched in 4.6.0-beta.1; no public exploit identified at time of analysis and the issue only manifests when the EXPERIMENTAL_FEATURES env var explicitly enables 'collections'.

Authentication Bypass Mastodon
NVD GitHub
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Mastodon is a free, open-source social network server based on ActivityPub. Prior to v4.5.9, v4.4.16, and v4.3.22, Mastodon allows restricting new user sign-up based on e-mail domain names, and performs basic validation on e-mail addresses, but fails to restrict characters that are interpreted differently by some mailing servers. This vulnerability is fixed in v4.5.9, v4.4.16, and v4.3.22.

Information Disclosure Mastodon
NVD GitHub VulDB
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Mastodon versions 4.5.x before 4.5.8 and 4.4.x before 4.4.15 allow unauthenticated attackers with prior knowledge of a quote to prevent its correct processing on a target server, resulting in limited integrity and availability impact. The vulnerability exploits timing and knowledge of ActivityPub quote structures to disrupt social content distribution. Patches are available in Mastodon 4.5.8 and 4.4.15; versions 4.3 and earlier are unaffected due to lack of quote support.

Authentication Bypass Mastodon
NVD GitHub
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Mastodon servers with the experimental FASP feature enabled are vulnerable to Server-Side Request Forgery (SSRF) attacks, allowing unauthenticated attackers to register accounts with arbitrary base URLs that force the server to make requests to internal or local addresses. While attackers cannot control the full request path or view responses, this exposure of internal systems to external manipulation could facilitate reconnaissance or attacks on backend infrastructure. Affected versions are 4.4.0-4.4.13 and 4.5.0-4.5.6; a patch is available.

SSRF Mastodon
NVD GitHub
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Unauthenticated attackers can bypass FASP administrator approval in Mastodon 4.4.0-4.4.13 and 4.5.0-4.5.6 to subscribe to account events and request content backfill, affecting only servers with the experimental FASP feature enabled. While individual requests cause minor information disclosure of publicly available URIs, repeated exploitation enables denial-of-service attacks. A patch is available to address this authorization bypass.

Denial Of Service Authentication Bypass Mastodon
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

Mastodon versions prior to 4.3.19, 4.4.13, and 4.5.6 are vulnerable to web cache poisoning in ActivityPub endpoints when AUTHORIZED_FETCH is enabled, allowing cached responses to be served across different user contexts regardless of request signing. An attacker could exploit this to view content intended for non-blocked accounts or cause blocked users to receive empty responses meant for them, potentially bypassing access controls. No patch is currently available for affected deployments.

Information Disclosure Mastodon
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

Mastodon is a free, open-source social network server based on ActivityPub. [CVSS 6.5 MEDIUM]

Authentication Bypass Mastodon
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

Mastodon prior to versions 4.5.5, 4.4.12, and 4.3.18 lacks input validation on list and filter names, allowing authenticated users to create arbitrarily long strings that consume excessive server resources and storage. A local attacker can exploit this to degrade system performance or render their own web interface unusable, though no patch is currently available for affected versions.

Denial Of Service Mastodon
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Week

Mastodon is a free, open-source social network server based on ActivityPub. [CVSS 7.5 HIGH]

Denial Of Service Mastodon
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

Suspended remote users in Mastodon can bypass suspension restrictions and have their posts appear in timelines through boosting and post processing logic errors. This affects all Mastodon versions for older posts, with additional bypass capabilities in versions 4.5.0-4.5.4, 4.4.5-4.4.11, 4.3.13-4.3.17, and 4.2.26-4.2.29, allowing suspended users to inject new content into the system. No patch is currently available for this integrity issue.

Authentication Bypass Mastodon
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Mastodon versions prior to 4.3.17, 4.4.11, and 4.5.4 fail to validate ownership when retrieving severed relationship lists, allowing any authenticated user to enumerate all lost followers and followed accounts across all severance events. This information disclosure vulnerability affects multi-user Mastodon instances where relationship changes due to moderation actions are visible to unauthorized users. An attacker with a local account can systematically access relationship data they should not have permission to view.

Golang Mastodon
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Mastodon's IP address filtering bypass (CWE-918) permits attackers to craft requests using unblocked IP ranges to reach local and loopback services, potentially exposing private resources and internal APIs. An unauthenticated remote attacker can exploit incomplete private address range validation in Mastodon instances to perform Server-Side Request Forgery (SSRF) attacks. Patched versions 4.5.4, 4.4.11, 4.3.17, and 4.2.29 are available.

SSRF Mastodon
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Mastodon is a free, open-source social network server based on ActivityPub Mastodon which facilitates LDAP configuration for authentication. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Allocation of Resources Without Limits vulnerability could allow attackers to exhaust system resources through uncontrolled allocation.

Denial Of Service Mastodon
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Mastodon is a self-hosted, federated microblogging platform. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Mastodon
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Mastodon is a self-hosted, federated microblogging platform. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Allocation of Resources Without Limits vulnerability could allow attackers to exhaust system resources through uncontrolled allocation.

Denial Of Service Mastodon
NVD GitHub
EPSS 0% CVSS 5.9
MEDIUM This Month

In Mastodon 4.1.6, API endpoint rate limiting can be bypassed by setting a crafted HTTP request header. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable. No vendor patch available.

Authentication Bypass Request Smuggling Mastodon
NVD GitHub
EPSS 1% CVSS 8.2
HIGH PATCH This Week

Mastodon is a self-hosted, federated microblogging platform. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

Authentication Bypass Mastodon
NVD GitHub
EPSS 1% CVSS 7.7
HIGH PATCH This Week

Mastodon is a free, open-source social network server based on ActivityPub. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

File Upload Mastodon
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Mastodon is a free, open-source social network server based on ActivityPub. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Mastodon
NVD GitHub
EPSS 0% CVSS 7.4
HIGH POC PATCH This Week

Mastodon is a free, open-source social network server based on ActivityPub. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Authentication Bypass Microsoft Mastodon
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for authentication. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Mastodon
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Mastodon is a free, open-source social network server based on ActivityPub. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Mastodon
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Mastodon is a free, open-source social network server based on ActivityPub. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Mastodon
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Mastodon is a free, open-source social network server based on ActivityPub. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Code Injection Mastodon
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM PATCH This Month

Mastodon is a free, open-source social network server based on ActivityPub. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Mastodon
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Mastodon is a free, open-source social network server based on ActivityPub. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Allocation of Resources Without Limits vulnerability could allow attackers to exhaust system resources through uncontrolled allocation.

Denial Of Service Mastodon
NVD GitHub
EPSS 40% CVSS 9.9
CRITICAL PATCH Act Now

Mastodon is a free, open-source social network server based on ActivityPub. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

RCE Path Traversal Denial Of Service +1
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

Mastodon is a free, open-source social network server based on ActivityPub. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Mastodon
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM POC PATCH This Month

Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for authentication. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Information Disclosure Code Injection LDAP +1
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC This Week

Mastodon through 4.0.2 allows attackers to cause a denial of service (large Sidekiq pull queue) by creating bot accounts that follow attacker-controlled accounts on certain other servers associated. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Mastodon
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Improper Restriction of Excessive Authentication Attempts in GitHub repository mastodon/mastodon prior to 4.0.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Mastodon
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

app/models/user.rb in Mastodon before 3.5.0 allows a bypass of e-mail restrictions. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Mastodon
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy