Mastodon security vulnerabilities
Mastodon is an open-source social networking server based on ActivityPub. Mastodon has a security vulnerability, which stems from a logical error that allows old posts of suspended users to appear on the timeline. In certain versions, this suspension mechanism may be partially bypassed...
EUVD-2023-40424
Malicious code in bioql PyPI...
EUVD-2023-46897
Malicious code in bioql PyPI...
EUVD-2023-46898
Malicious code in bioql PyPI...
EUVD-2023-40421
Malicious code in bioql PyPI...
EUVD-2024-36876
Malicious code in bioql PyPI...
CVE-2025-54879 Mastodon e‑mail throttle misconfiguration allows unlimited email confirmations against unconfirmed emails
Mastodon is a free, open-source social network server based on ActivityPub. Mastodon facilitates LDAP configuration for authentication. In versions 3.1.5 through 4.2.24, 4.3.0 through 4.3.11 and 4.4.0 through 4.4.3, Mastodon's rate-limiting system has a critical configuration error where the...
CVE-2024-25619
Mastodon is a free, open-source social network server based on ActivityPub. When an OAuth Application is destroyed, the streaming server wasn't being informed that the Access Tokens had also been destroyed; this could have posed security risks to users by allowing an application to continue...
CVE-2024-9070
| creationtimestamp | type | source |
|---|---|---|
| 2025-03-20 11:40:51+00:00 | seen | https://bsky.app/profile/cyberalerts.bsky.social/post/3lksmhzifc524 |
| 2025-03-20 12:48:35+00:00 | seen | https://mastodon.social/users/CyberSignaler/statuses/114194835990694470... |
CVE-2024-9216
| creationtimestamp | type | source |
|---|---|---|
| 2025-03-20 10:19:20+00:00 | published-proof-of-concept | https://t.me/DarkWebInformerCVEAlerts/8184 |
| 2025-03-20 12:48:37+00:00 | seen | https://mastodon.social/users/CyberSignaler/statuses/114194836111963368 |
| 2025-08-12 13:33:27+00:00 | seen | ... |
CVE-2025-27399
Mastodon is a self-hosted, federated microblogging platform. In versions prior to 4.1.23, 4.2.16, and 4.3.4, when the visibility for domain blocks/reasons is set to "users" (localized English string: "To logged-in users"), users that are not yet approved can view the block reasons. Instance admins...
CVE-2025-27157
Mastodon is a self-hosted, federated microblogging platform. Starting in version 4.2.0 and prior to versions 4.2.16 and 4.3.4, the rate limits are missing on /auth/setup. Without those rate limits, an attacker can craft requests that will send an email to arbitrary addresses. Versions 4.2.16 a...
CVE-2025-27399 Mastodon's domain blocks & rationales ignore user approval when visibility set as "users"
Mastodon is a self-hosted, federated microblogging platform. In versions prior to 4.1.23, 4.2.16, and 4.3.4, when the visibility for domain blocks/reasons is set to "users" (localized English string: "To logged-in users"), users that are not yet approved can view the block reasons. Instance admins...
CVE-2025-27399
Summary: Mastodon contains an access-control bug where, when domain blocks/reasons visibility is set to the English string “To logged-in users,” users not yet approved can view the block reasons. Affected versions: before 4.1.23, 4.2.16, and 4.3.4. Impact: instance admins who rely on private doma...
CVE-2025-27157 Mastodon's rate-limits are missing on `/auth/setup`
Mastodon is a self-hosted, federated microblogging platform. Starting in version 4.2.0 and prior to versions 4.2.16 and 4.3.4, the rate limits are missing on /auth/setup. Without those rate limits, an attacker can craft requests that will send an email to arbitrary addresses. Versions 4.2.16 a...
CVE-2024-12918
| creationtimestamp | type | source |
|---|---|---|
| 2025-02-24 17:21:56+00:00 | seen | https://t.me/DarkWebInformerCVEAlerts/5189 |
| 2025-02-24 17:48:28+00:00 | seen | https://mastodon.social/users/CyberSignaler/statuses/114060119765999360 |
| 2025-02-24 19:32:23+00:00 | seen | ... |
CVE-2023-49952
Concerning CVE-2023-49952, multiple trusted sources confirm a vulnerability in Mastodon 4.1.x pre-4.1.17 and 4.2.x pre-4.2.9 that allows bypassing rate limiting via a crafted HTTP request header. The root cause is not detailed beyond the bypass of rate limiting; affected versions include Mastodon...
CVE-2023-49952
Mastodon 4.1.x before 4.1.17 and 4.2.x before 4.2.9 allows a bypass of rate limiting via a crafted HTTP request header...