Mastodon Security Vulnerabilities and Issues — Mastodon CVE List

Lucene search

JoinmastodonMastodon

24 matches found

CVE•added 2023/07/06 7:15 p.m.•163 views

CVE-2023-36460

Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 3.5.0 and prior to versions 3.5.9, 4.0.5, and 4.1.3, attackers using carefully crafted media files can cause Mastodon's media processing code to create arbitrary files at any location. This allows attack...

9.9CVSS9.7AI score0.34243EPSS

CVE•added 2019/09/22 3:15 p.m.•104 views

CVE-2018-21018

Mastodon before 2.6.3 mishandles timeouts of incompletely established sessions.

9.8CVSS9.4AI score0.01641EPSS

CVE•added 2022/02/02 10:15 p.m.•68 views

CVE-2022-0432

Prototype Pollution in GitHub repository mastodon/mastodon prior to 3.5.0.

7.4CVSS6.4AI score0.30275EPSS

CVE•added 2024/07/05 6:15 p.m.•67 views

CVE-2024-37903

Mastodon is a self-hosted, federated microblogging platform. Starting in version 2.6.0 and prior to versions 4.1.18 and 4.2.10, by crafting specific activities, an attacker can extend the audience of a post they do not own to other Mastodon users on a target server, thus gaining access to the conte...

8.2CVSS8.1AI score0.001EPSS

CVE•added 2024/10/03 6:15 p.m.•65 views

CVE-2024-34535

In Mastodon 4.1.6, API endpoint rate limiting can be bypassed by setting a crafted HTTP request header.

5.9CVSS6.5AI score0.00188EPSS

CVE•added 2022/05/24 4:15 a.m.•64 views

CVE-2022-31263

app/models/user.rb in Mastodon before 3.5.0 allows a bypass of e-mail restrictions.

5.3CVSS5.3AI score0.00224EPSS

CVE•added 2024/02/14 9:15 p.m.•62 views

CVE-2024-25619

Mastodon is a free, open-source social network server based on ActivityPub. When an OAuth Application is destroyed, the streaming server wasn't being informed that the Access Tokens had also been destroyed, this could have posed security risks to users by allowing an application to continue listeni...

4.3CVSS4.1AI score0.0028EPSS

CVE•added 2022/11/16 1:15 a.m.•56 views

CVE-2022-2166

Improper Restriction of Excessive Authentication Attempts in GitHub repository mastodon/mastodon prior to 4.0.0.

9.8CVSS9.7AI score0.00743EPSS

CVE•added 2025/02/27 6:15 p.m.•55 views

CVE-2025-27399

Mastodon is a self-hosted, federated microblogging platform. In versions prior to 4.1.23, 4.2.16, and 4.3.4, when the visibility for domain blocks/reasons is set to "users" (localized English string: "To logged-in users"), users that are not yet approved can view the block reasons. Instance admins ...

5.3CVSS5.3AI score0.00053EPSS

CVE•added 2022/12/04 4:15 a.m.•46 views

CVE-2022-46405

Mastodon through 4.0.2 allows attackers to cause a denial of service (large Sidekiq pull queue) by creating bot accounts that follow attacker-controlled accounts on certain other servers associated with a wildcard DNS A record, such that there is uncontrolled recursion of attacker-generated message...

7.5CVSS7.3AI score0.00171EPSS

CVE•added 2023/03/06 2:15 p.m.•46 views

CVE-2022-48364

The undo_mark_statuses_as_sensitive method in app/services/approve_appeal_service.rb in Mastodon 3.5.x before 3.5.3 does not use the server's representative account, resulting in moderator identity disclosure when a moderator approves the appeal of a user whose status update was marked as sensitive...

4.3CVSS4.5AI score0.00075EPSS

CVE•added 2023/07/06 7:15 p.m.•43 views

CVE-2023-36459

Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 1.3 and prior to versions 3.5.9, 4.0.5, and 4.1.3, an attacker using carefully crafted oEmbed data can bypass the HTML sanitization performed by Mastodon and include arbitrary HTML in oEmbed preview card...

9.3CVSS7.2AI score0.00165EPSS

CVE•added 2023/09/19 4:15 p.m.•42 views

CVE-2023-42452

Mastodon is a free, open-source social network server based on ActivityPub. In versions on the 4.x branch prior to versions 4.0.10, 4.2.8, and 4.2.0-rc2, under certain conditions, attackers can abuse the translation feature to bypass the server-side HTML sanitization, allowing unescaped HTML to exe...

6.1CVSS5.9AI score0.00476EPSS

CVE•added 2024/02/19 4:15 p.m.•42 views

CVE-2024-25623

Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.2.7, 4.1.15, 4.0.15, and 3.5.19, when fetching remote statuses, Mastodon doesn't check that the response from the remote server has a Content-Type header value of the Activity Streams media type, which a...

8.5CVSS7.9AI score0.0013EPSS

CVE•added 2024/02/01 5:15 p.m.•40 views

CVE-2024-23832

Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for authentication. Due to insufficient origin validation in all Mastodon, attackers can impersonate and take over any remote account. Every Mastodon version prior to 3.5.17 is vulnerabl...

9.8CVSS9.4AI score0.01264EPSS

CVE•added 2024/11/18 6:15 p.m.•39 views

CVE-2023-49952

Mastodon 4.1.x before 4.1.17 and 4.2.x before 4.2.9 allows a bypass of rate limiting via a crafted HTTP request header.

7.5CVSS6.6AI score0.00061EPSS

CVE•added 2023/07/06 7:15 p.m.•37 views

CVE-2023-36461

Mastodon is a free, open-source social network server based on ActivityPub. When performing outgoing HTTP queries, Mastodon sets a timeout on individual read operations. Prior to versions 3.5.9, 4.0.5, and 4.1.3, a malicious server can indefinitely extend the duration of the response through slowlo...

7.5CVSS7.5AI score0.00163EPSS

CVE•added 2023/09/19 4:15 p.m.•36 views

CVE-2023-42450

Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 4.2.0-beta1 and prior to version 4.2.0-rc2, by crafting specific input, attackers can inject arbitrary data into HTTP requests issued by Mastodon. This can be used to perform confused deputy attacks if t...

7.5CVSS6.4AI score0.0028EPSS

CVE•added 2022/02/03 8:15 p.m.•34 views

CVE-2022-24307

Mastodon before 3.3.2 and 3.4.x before 3.4.6 has incorrect access control because it does not compact incoming signed JSON-LD activities. (JSON-LD signing has been supported since version 1.6.0.)

9.8CVSS9.5AI score0.00348EPSS

CVE•added 2025/02/27 5:15 p.m.•34 views

CVE-2025-27157

Mastodon is a self-hosted, federated microblogging platform. Starting in version 4.2.0 and prior to versions 4.2.16 and 4.3.4, the rate limits are missing on /auth/setup. Without those rate limits, an attacker can craft requests that will send an email to an arbitrary addresses. Versions 4.2.16 and...

5.3CVSS5.3AI score0.00077EPSS

CVE•added 2023/09/19 4:15 p.m.•32 views

CVE-2023-42451

Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 3.5.14, 4.0.10, 4.1.8, and 4.2.0-rc2, under certain circumstances, attackers can exploit a flaw in domain name normalization to spoof domains they do not own. Versions 3.5.14, 4.0.10, 4.1.8, and 4.2.0-rc2 ...

7.5CVSS7.3AI score0.00174EPSS

CVE•added 2023/04/04 10:15 p.m.•30 views

CVE-2023-28853

Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for authentication. Starting in version 2.5.0 and prior to versions 3.5.8, 4.0.4, and 4.1.2, the LDAP query made during login is insecure and the attacker can perform LDAP injection atta...

7.7CVSS6.8AI score0.00433EPSS

CVE•added 2023/07/06 8:15 p.m.•27 views

CVE-2023-36462

Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 2.6.0 and prior to versions 3.5.9, 4.0.5, and 4.1.3, an attacker can craft a verified profile link using specific formatting to conceal arbitrary parts of the link, enabling it to appear to link to a dif...

5.4CVSS5.8AI score0.01525EPSS

CVE•added 2024/02/14 9:15 p.m.•27 views

CVE-2024-25618

Mastodon is a free, open-source social network server based on ActivityPub. Mastodon allows new identities from configured authentication providers (CAS, SAML, OIDC) to attach to existing local users with the same e-mail address. This results in a possible account takeover if the authentication pro...

7.4CVSS4.4AI score0.00301EPSS