7 matches found
BIT-MASTODON-2023-49952
Mastodon 4.1.x before 4.1.17 and 4.2.x before 4.2.9 allows a bypass of rate limiting via a crafted HTTP request header...
CVE-2025-27157
Mastodon is a self-hosted, federated microblogging platform. Starting in version 4.2.0 and prior to versions 4.2.16 and 4.3.4, the rate limits are missing on /auth/setup. Without those rate limits, an attacker can craft requests that will send an email to an arbitrary address. Versions 4.2.16 a...
CVE-2022-2166
Improper Restriction of Excessive Authentication Attempts in GitHub repository mastodon/mastodon prior to 4.0.0...
CVE-2022-0432
Prototype Pollution in GitHub repository mastodon/mastodon prior to 3.5.0...
PT-2024-25955 · Mastodon · Mastodon
Name of the Vulnerable Software and Affected Versions: Mastodon version 4.1.6 Description: The issue allows API endpoint rate limiting to be bypassed by setting a crafted HTTP request header. Recommendations: For Mastodon version 4.1.6, as a temporary workaround, consider restricting access to AP...
BIT-MASTODON-2022-0432 Prototype Pollution in mastodon/mastodon
Prototype Pollution in GitHub repository mastodon/mastodon prior to 3.5.0...
CVE-2022-2166 Improper Restriction of Excessive Authentication Attempts in mastodon/mastodon
Improper Restriction of Excessive Authentication Attempts in GitHub repository mastodon/mastodon prior to 4.0.0...