Mastodon
Monthly
Denial of service in Mastodon affects all self-hosted instances prior to 4.5.11, 4.4.18, and 4.3.24, where the math content sanitizer fails to handle exceptions raised while processing malformed `<math>` nodes (MathML). A remote attacker can craft content containing broken math markup that propagates an uncaught exception, crashing whole-server services or disrupting service for targeted users depending on which component processes the malformed node. No public exploit has been identified at time of analysis, and the issue is not in CISA KEV; CVSS is 7.5 with availability-only impact.
Signature bypass in Mastodon's ActivityPub federation layer allows remote unauthenticated attackers to falsely attribute article authorship by manipulating the `toot:attributionDomains` property of signed Update activities. Affected are all Mastodon instances running versions 4.3.0 through 4.5.10 or 4.4.x through 4.4.17, where a JSON-LD definition error renders Linked Data Signatures on this specific property non-binding. No public exploit code and no CISA KEV listing have been identified at time of analysis, but the low attack complexity (CVSS AV:N/AC:L/PR:N) and the federated, internet-exposed nature of the protocol make exploitation straightforward for any actor able to send ActivityPub messages.
Linked-Data Signature normalization in Mastodon allows unauthenticated remote attackers to remove JSON entries from valid signed ActivityPub activities, effectively spoofing or distorting federated content attributed to legitimate third-party actors. All Mastodon instances prior to versions 4.5.10, 4.4.17, and 4.3.23 are affected across all maintained release branches. The CVSS vector (AV:N/AC:L/PR:N/UI:N) reflects low-complexity network exploitation with no authentication required; no public exploit has been identified at time of analysis and this vulnerability is not listed in CISA KEV.
Server-side request forgery in Mastodon (versions before 4.5.10, 4.4.17, and 4.3.23) lets an attacker who controls authoritative DNS for a hostname bypass Mastodon's private-network filter and force the server to connect to internal IPv4 endpoints. The flaw stems from PrivateAddressCheck.private_address? returning false for IPv4-mapped IPv6 addresses (::ffff:a.b.c.d) on Ruby releases older than 3.4, so a malicious AAAA record can redirect any outbound fetch to loopback (127.0.0.1), RFC1918 hosts, or cloud-metadata services like 169.254.169.254. No public exploit identified at time of analysis, but the CVSS 8.6 (scope-changed, high confidentiality) rating reflects direct exposure of internal services and instance credentials.
Linked-Data Signature normalization in Mastodon's ActivityPub federation layer permits activity spoofing against servers running versions prior to 4.5.10, 4.4.17, and 4.3.23. An attacker can take a legitimately signed JSON-LD activity from a real third-party actor, re-arrange its structure, and relay it to a target Mastodon instance where it passes signature validation but is interpreted with altered semantic meaning. No public exploit has been identified at time of analysis, and this vulnerability is not listed in CISA KEV, though the integrity impact on federated social graph trust is meaningful for operators of public-facing instances.
Server-Side Request Forgery in Mastodon before 4.5.10, 4.4.17, and 4.3.23 lets attackers coerce the server into issuing HTTP requests to loopback interfaces, reaching private resources and internal services that should be unreachable from the public internet. The flaw stems from an incomplete IP-range blocklist that omitted a range capable of resolving to local addresses. No public exploit identified at time of analysis; the upstream advisory (GHSA-crr4-7rm4-8gpw) accompanies the fixed releases.
Authorization bypass in Mastodon's experimental Collections feature allows remote attackers to forge FeatureAuthorization objects and falsely list non-consenting accounts in remote Collections. The flaw stems from a missing cross-reference between the featured object's actor URI and the authorization's interactionTarget, letting an attacker assert consent on behalf of another account on the same domain. Patched in 4.6.0-beta.1; no public exploit identified at time of analysis and the issue only manifests when the EXPERIMENTAL_FEATURES env var explicitly enables 'collections'.
Mastodon is a free, open-source social network server based on ActivityPub. Prior to v4.5.9, v4.4.16, and v4.3.22, Mastodon allows restricting new user sign-up based on e-mail domain names, and performs basic validation on e-mail addresses, but fails to restrict characters that are interpreted differently by some mailing servers. This vulnerability is fixed in v4.5.9, v4.4.16, and v4.3.22.
Mastodon versions 4.5.x before 4.5.8 and 4.4.x before 4.4.15 allow unauthenticated attackers with prior knowledge of a quote to prevent its correct processing on a target server, resulting in limited integrity and availability impact. The vulnerability exploits timing and knowledge of ActivityPub quote structures to disrupt social content distribution. Patches are available in Mastodon 4.5.8 and 4.4.15; versions 4.3 and earlier are unaffected due to lack of quote support.
Mastodon servers with the experimental FASP feature enabled are vulnerable to Server-Side Request Forgery (SSRF) attacks, allowing unauthenticated attackers to register accounts with arbitrary base URLs that force the server to make requests to internal or local addresses. While attackers cannot control the full request path or view responses, this exposure of internal systems to external manipulation could facilitate reconnaissance or attacks on backend infrastructure. Affected versions are 4.4.0-4.4.13 and 4.5.0-4.5.6; a patch is available.
Unauthenticated attackers can bypass FASP administrator approval in Mastodon 4.4.0-4.4.13 and 4.5.0-4.5.6 to subscribe to account events and request content backfill, affecting only servers with the experimental FASP feature enabled. While individual requests cause minor information disclosure of publicly available URIs, repeated exploitation enables denial-of-service attacks. A patch is available to address this authorization bypass.
Mastodon versions prior to 4.3.19, 4.4.13, and 4.5.6 are vulnerable to web cache poisoning in ActivityPub endpoints when AUTHORIZED_FETCH is enabled, allowing cached responses to be served across different user contexts regardless of request signing. An attacker could exploit this to view content intended for non-blocked accounts or cause blocked users to receive empty responses meant for them, potentially bypassing access controls. No patch is currently available for affected deployments.
Mastodon is a free, open-source social network server based on ActivityPub. [CVSS 6.5 MEDIUM]
Mastodon prior to versions 4.5.5, 4.4.12, and 4.3.18 lacks input validation on list and filter names, allowing authenticated users to create arbitrarily long strings that consume excessive server resources and storage. A local attacker can exploit this to degrade system performance or render their own web interface unusable, though no patch is currently available for affected versions.
Mastodon is a free, open-source social network server based on ActivityPub. [CVSS 7.5 HIGH]
Suspended remote users in Mastodon can bypass suspension restrictions and have their posts appear in timelines through boosting and post processing logic errors. This affects all Mastodon versions for older posts, with additional bypass capabilities in versions 4.5.0-4.5.4, 4.4.5-4.4.11, 4.3.13-4.3.17, and 4.2.26-4.2.29, allowing suspended users to inject new content into the system. No patch is currently available for this integrity issue.
Mastodon versions prior to 4.3.17, 4.4.11, and 4.5.4 fail to validate ownership when retrieving severed relationship lists, allowing any authenticated user to enumerate all lost followers and followed accounts across all severance events. This information disclosure vulnerability affects multi-user Mastodon instances where relationship changes due to moderation actions are visible to unauthorized users. An attacker with a local account can systematically access relationship data they should not have permission to view.
Mastodon's IP address filtering bypass (CWE-918) permits attackers to craft requests using unblocked IP ranges to reach local and loopback services, potentially exposing private resources and internal APIs. An unauthenticated remote attacker can exploit incomplete private address range validation in Mastodon instances to perform Server-Side Request Forgery (SSRF) attacks. Patched versions 4.5.4, 4.4.11, 4.3.17, and 4.2.29 are available.
Mastodon is a free, open-source social network server based on ActivityPub Mastodon which facilitates LDAP configuration for authentication. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Allocation of Resources Without Limits vulnerability could allow attackers to exhaust system resources through uncontrolled allocation.
Mastodon is a self-hosted, federated microblogging platform. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.
Mastodon is a self-hosted, federated microblogging platform. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Allocation of Resources Without Limits vulnerability could allow attackers to exhaust system resources through uncontrolled allocation.
In Mastodon 4.1.6, API endpoint rate limiting can be bypassed by setting a crafted HTTP request header. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable. No vendor patch available.
Mastodon is a self-hosted, federated microblogging platform. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.
Mastodon is a free, open-source social network server based on ActivityPub. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.
Mastodon is a free, open-source social network server based on ActivityPub. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity.
Mastodon is a free, open-source social network server based on ActivityPub. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.
Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for authentication. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Mastodon is a free, open-source social network server based on ActivityPub. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
Mastodon is a free, open-source social network server based on ActivityPub. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Mastodon is a free, open-source social network server based on ActivityPub. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Mastodon is a free, open-source social network server based on ActivityPub. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Mastodon is a free, open-source social network server based on ActivityPub. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Allocation of Resources Without Limits vulnerability could allow attackers to exhaust system resources through uncontrolled allocation.
Mastodon is a free, open-source social network server based on ActivityPub. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.
Mastodon is a free, open-source social network server based on ActivityPub. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for authentication. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Mastodon through 4.0.2 allows attackers to cause a denial of service (large Sidekiq pull queue) by creating bot accounts that follow attacker-controlled accounts on certain other servers associated. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Improper Restriction of Excessive Authentication Attempts in GitHub repository mastodon/mastodon prior to 4.0.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
app/models/user.rb in Mastodon before 3.5.0 allows a bypass of e-mail restrictions. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Denial of service in Mastodon affects all self-hosted instances prior to 4.5.11, 4.4.18, and 4.3.24, where the math content sanitizer fails to handle exceptions raised while processing malformed `<math>` nodes (MathML). A remote attacker can craft content containing broken math markup that propagates an uncaught exception, crashing whole-server services or disrupting service for targeted users depending on which component processes the malformed node. No public exploit has been identified at time of analysis, and the issue is not in CISA KEV; CVSS is 7.5 with availability-only impact.
Signature bypass in Mastodon's ActivityPub federation layer allows remote unauthenticated attackers to falsely attribute article authorship by manipulating the `toot:attributionDomains` property of signed Update activities. Affected are all Mastodon instances running versions 4.3.0 through 4.5.10 or 4.4.x through 4.4.17, where a JSON-LD definition error renders Linked Data Signatures on this specific property non-binding. No public exploit code and no CISA KEV listing have been identified at time of analysis, but the low attack complexity (CVSS AV:N/AC:L/PR:N) and the federated, internet-exposed nature of the protocol make exploitation straightforward for any actor able to send ActivityPub messages.
Linked-Data Signature normalization in Mastodon allows unauthenticated remote attackers to remove JSON entries from valid signed ActivityPub activities, effectively spoofing or distorting federated content attributed to legitimate third-party actors. All Mastodon instances prior to versions 4.5.10, 4.4.17, and 4.3.23 are affected across all maintained release branches. The CVSS vector (AV:N/AC:L/PR:N/UI:N) reflects low-complexity network exploitation with no authentication required; no public exploit has been identified at time of analysis and this vulnerability is not listed in CISA KEV.
Server-side request forgery in Mastodon (versions before 4.5.10, 4.4.17, and 4.3.23) lets an attacker who controls authoritative DNS for a hostname bypass Mastodon's private-network filter and force the server to connect to internal IPv4 endpoints. The flaw stems from PrivateAddressCheck.private_address? returning false for IPv4-mapped IPv6 addresses (::ffff:a.b.c.d) on Ruby releases older than 3.4, so a malicious AAAA record can redirect any outbound fetch to loopback (127.0.0.1), RFC1918 hosts, or cloud-metadata services like 169.254.169.254. No public exploit identified at time of analysis, but the CVSS 8.6 (scope-changed, high confidentiality) rating reflects direct exposure of internal services and instance credentials.
Linked-Data Signature normalization in Mastodon's ActivityPub federation layer permits activity spoofing against servers running versions prior to 4.5.10, 4.4.17, and 4.3.23. An attacker can take a legitimately signed JSON-LD activity from a real third-party actor, re-arrange its structure, and relay it to a target Mastodon instance where it passes signature validation but is interpreted with altered semantic meaning. No public exploit has been identified at time of analysis, and this vulnerability is not listed in CISA KEV, though the integrity impact on federated social graph trust is meaningful for operators of public-facing instances.
Server-Side Request Forgery in Mastodon before 4.5.10, 4.4.17, and 4.3.23 lets attackers coerce the server into issuing HTTP requests to loopback interfaces, reaching private resources and internal services that should be unreachable from the public internet. The flaw stems from an incomplete IP-range blocklist that omitted a range capable of resolving to local addresses. No public exploit identified at time of analysis; the upstream advisory (GHSA-crr4-7rm4-8gpw) accompanies the fixed releases.
Authorization bypass in Mastodon's experimental Collections feature allows remote attackers to forge FeatureAuthorization objects and falsely list non-consenting accounts in remote Collections. The flaw stems from a missing cross-reference between the featured object's actor URI and the authorization's interactionTarget, letting an attacker assert consent on behalf of another account on the same domain. Patched in 4.6.0-beta.1; no public exploit identified at time of analysis and the issue only manifests when the EXPERIMENTAL_FEATURES env var explicitly enables 'collections'.
Mastodon is a free, open-source social network server based on ActivityPub. Prior to v4.5.9, v4.4.16, and v4.3.22, Mastodon allows restricting new user sign-up based on e-mail domain names, and performs basic validation on e-mail addresses, but fails to restrict characters that are interpreted differently by some mailing servers. This vulnerability is fixed in v4.5.9, v4.4.16, and v4.3.22.
Mastodon versions 4.5.x before 4.5.8 and 4.4.x before 4.4.15 allow unauthenticated attackers with prior knowledge of a quote to prevent its correct processing on a target server, resulting in limited integrity and availability impact. The vulnerability exploits timing and knowledge of ActivityPub quote structures to disrupt social content distribution. Patches are available in Mastodon 4.5.8 and 4.4.15; versions 4.3 and earlier are unaffected due to lack of quote support.
Mastodon servers with the experimental FASP feature enabled are vulnerable to Server-Side Request Forgery (SSRF) attacks, allowing unauthenticated attackers to register accounts with arbitrary base URLs that force the server to make requests to internal or local addresses. While attackers cannot control the full request path or view responses, this exposure of internal systems to external manipulation could facilitate reconnaissance or attacks on backend infrastructure. Affected versions are 4.4.0-4.4.13 and 4.5.0-4.5.6; a patch is available.
Unauthenticated attackers can bypass FASP administrator approval in Mastodon 4.4.0-4.4.13 and 4.5.0-4.5.6 to subscribe to account events and request content backfill, affecting only servers with the experimental FASP feature enabled. While individual requests cause minor information disclosure of publicly available URIs, repeated exploitation enables denial-of-service attacks. A patch is available to address this authorization bypass.
Mastodon versions prior to 4.3.19, 4.4.13, and 4.5.6 are vulnerable to web cache poisoning in ActivityPub endpoints when AUTHORIZED_FETCH is enabled, allowing cached responses to be served across different user contexts regardless of request signing. An attacker could exploit this to view content intended for non-blocked accounts or cause blocked users to receive empty responses meant for them, potentially bypassing access controls. No patch is currently available for affected deployments.
Mastodon is a free, open-source social network server based on ActivityPub. [CVSS 6.5 MEDIUM]
Mastodon prior to versions 4.5.5, 4.4.12, and 4.3.18 lacks input validation on list and filter names, allowing authenticated users to create arbitrarily long strings that consume excessive server resources and storage. A local attacker can exploit this to degrade system performance or render their own web interface unusable, though no patch is currently available for affected versions.
Mastodon is a free, open-source social network server based on ActivityPub. [CVSS 7.5 HIGH]
Suspended remote users in Mastodon can bypass suspension restrictions and have their posts appear in timelines through boosting and post processing logic errors. This affects all Mastodon versions for older posts, with additional bypass capabilities in versions 4.5.0-4.5.4, 4.4.5-4.4.11, 4.3.13-4.3.17, and 4.2.26-4.2.29, allowing suspended users to inject new content into the system. No patch is currently available for this integrity issue.
Mastodon versions prior to 4.3.17, 4.4.11, and 4.5.4 fail to validate ownership when retrieving severed relationship lists, allowing any authenticated user to enumerate all lost followers and followed accounts across all severance events. This information disclosure vulnerability affects multi-user Mastodon instances where relationship changes due to moderation actions are visible to unauthorized users. An attacker with a local account can systematically access relationship data they should not have permission to view.
Mastodon's IP address filtering bypass (CWE-918) permits attackers to craft requests using unblocked IP ranges to reach local and loopback services, potentially exposing private resources and internal APIs. An unauthenticated remote attacker can exploit incomplete private address range validation in Mastodon instances to perform Server-Side Request Forgery (SSRF) attacks. Patched versions 4.5.4, 4.4.11, 4.3.17, and 4.2.29 are available.
Mastodon is a free, open-source social network server based on ActivityPub Mastodon which facilitates LDAP configuration for authentication. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Allocation of Resources Without Limits vulnerability could allow attackers to exhaust system resources through uncontrolled allocation.
Mastodon is a self-hosted, federated microblogging platform. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.
Mastodon is a self-hosted, federated microblogging platform. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Allocation of Resources Without Limits vulnerability could allow attackers to exhaust system resources through uncontrolled allocation.
In Mastodon 4.1.6, API endpoint rate limiting can be bypassed by setting a crafted HTTP request header. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable. No vendor patch available.
Mastodon is a self-hosted, federated microblogging platform. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.
Mastodon is a free, open-source social network server based on ActivityPub. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.
Mastodon is a free, open-source social network server based on ActivityPub. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity.
Mastodon is a free, open-source social network server based on ActivityPub. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.
Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for authentication. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Mastodon is a free, open-source social network server based on ActivityPub. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
Mastodon is a free, open-source social network server based on ActivityPub. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Mastodon is a free, open-source social network server based on ActivityPub. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Mastodon is a free, open-source social network server based on ActivityPub. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Mastodon is a free, open-source social network server based on ActivityPub. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Allocation of Resources Without Limits vulnerability could allow attackers to exhaust system resources through uncontrolled allocation.
Mastodon is a free, open-source social network server based on ActivityPub. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.
Mastodon is a free, open-source social network server based on ActivityPub. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for authentication. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Mastodon through 4.0.2 allows attackers to cause a denial of service (large Sidekiq pull queue) by creating bot accounts that follow attacker-controlled accounts on certain other servers associated. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Improper Restriction of Excessive Authentication Attempts in GitHub repository mastodon/mastodon prior to 4.0.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
app/models/user.rb in Mastodon before 3.5.0 allows a bypass of e-mail restrictions. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.