CVE-2022-0432

Prototype Pollution in GitHub repository mastodon/mastodon prior to 3.5.0.

CVE-2022-31263

app/models/user.rb in Mastodon before 3.5.0 allows a bypass of e-mail restrictions.

CVE-2022-2166

Improper Restriction of Excessive Authentication Attempts in GitHub repository mastodon/mastodon prior to 4.0.0.

CVE-2022-46405

Mastodon through 4.0.2 allows attackers to cause a denial of service (large Sidekiq pull queue) by creating bot accounts that follow attacker-controlled accounts on certain other servers associated with a wildcard DNS A record, such that there is uncontrolled recursion of attacker-generated message...

CVE-2022-24307

Mastodon before 3.3.2 and 3.4.x before 3.4.6 has incorrect access control because it does not compact incoming signed JSON-LD activities. (JSON-LD signing has been supported since version 1.6.0.)