CVE-2022-0432
published 2022-02-02

CVE-2022-0432: Prototype Pollution in GitHub repository mastodon/mastodon prior to 3.5.0.

Priority: P3 (37)
CVSS 3.1: 6.1 medium (AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N)
Tags: EXPLOIT
EPSS: 4.46% (90.3rd percentile)

Affected (2 ranges)

Vendor       | Product           | Version range            | Fixed in
joinmastodon | mastodon          | < 3.5.0                  | 3.5.0
mastodon     | mastodon_mastodon | >= unspecified, < 3.5.0  | 3.5.0

Detection & IOCs (extracted from sources)

url: /embed.js
  • Send an unauthenticated GET request to /embed.js on the target Mastodon instance; a 200 response whose body contains the string "if (data.type !== 'setHeight' || !iframes[data.id]) {" indicates a vulnerable (pre-3.5.0) version. This is a version fingerprint of the shipped script, not proof that an instance has been exploited.
  • The nuclei template requires BOTH an HTTP 200 status code AND the presence of the vulnerable string in the response body (matchers-condition: and). A 200 without the string (e.g. a patched 3.5.0+ instance) will not trigger, and neither will the string appearing in a non-200 response.
  • The vulnerability is present in mastodon/mastodon versions strictly prior to 3.5.0; it was patched in commit 4d6d4b43c6186a13e67b92eaf70fe1b70ea24a09.
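
The following is an added example, not code from cvebase or from the Mastodon project. It implements the fingerprint check described above (HTTP 200 AND the marker string, mirroring the nuclei template's matchers-condition: and) and, alongside it, a small model of why a guard of the form `!iframes[data.id]` does not stop prototype pollution: a plain property lookup resolves inherited keys such as "__proto__" to a live object, so the guard passes and the subsequent write lands on Object.prototype. The message shape, the sample response bodies, the `hardenedGuard` using an own-property check, and the live `probeInstance` helper (Node 18+ global fetch, reachable host) are all assumptions for illustration; the project's actual fix is not reproduced here.

```javascript
// Added example for CVE-2022-0432 (not cvebase's or Mastodon's own code).
// Part 1: the nuclei-style fingerprint check for /embed.js.
// Part 2: a model of the `!iframes[data.id]` guard versus an own-key guard.

// The exact line the nuclei template looks for in the unpatched embed.js.
const VULN_MARKER = "if (data.type !== 'setHeight' || !iframes[data.id]) {";

// matchers-condition: and -- both the status and the body marker must match.
function matchesFingerprint(status, body) {
  return status === 200 && body.includes(VULN_MARKER);
}

// Live probe (assumption: Node 18+ global fetch and a reachable instance).
// Usage: probeInstance('https://mastodon.example').then(console.log)
async function probeInstance(baseUrl) {
  const res = await fetch(new URL('/embed.js', baseUrl));
  return matchesFingerprint(res.status, await res.text());
}

// Constructed sample responses standing in for real instances (not captures).
const SAMPLE_RESPONSES = {
  // Unpatched build: the marker line is present in a 200 response.
  vulnerable: {
    status: 200,
    body: "window.addEventListener('message', function (e) {\n" +
          "  var data = e.data || {};\n" +
          "  " + VULN_MARKER + "\n    return;\n  }\n});",
  },
  // Any 200 body lacking the marker (e.g. a patched build) must not match.
  patched: { status: 200, body: "// handler rewritten; marker line absent" },
  // The marker in a non-200 response must not match either.
  missing: { status: 404, body: VULN_MARKER },
};

// Guard as written in the marker line: truthiness of a plain property lookup.
// Inherited keys such as "__proto__" or "constructor" resolve to live objects,
// so the guard lets them through.
function vulnerableGuard(iframes, id) {
  return Boolean(iframes[id]);
}

// Hardened guard (assumption, not the project's fix): only own keys pass.
function hardenedGuard(iframes, id) {
  return Object.prototype.hasOwnProperty.call(iframes, id);
}

// Minimal model of a setHeight handler; returns true when the write happened.
function applySetHeight(iframes, data, guard) {
  if (data.type !== 'setHeight' || !guard(iframes, data.id)) {
    return false;
  }
  iframes[data.id].height = data.height;
  return true;
}

// Processes one message against a fresh registry and reports what an
// unrelated empty object then inherits for `height`: anything other than
// undefined means Object.prototype was polluted. Cleans up afterwards.
function leakedHeightAfter(data, guard) {
  const iframes = { 'mastodon-1': { height: 0 } };
  applySetHeight(iframes, data, guard);
  const leaked = ({}).height;
  delete Object.prototype.height; // undo pollution so later code is unaffected
  return leaked;
}
```

With `{ type: 'setHeight', id: '__proto__', height: 77 }`, `leakedHeightAfter(msg, vulnerableGuard)` returns 77 because `iframes['__proto__']` is Object.prototype and the height write is applied to it; `leakedHeightAfter(msg, hardenedGuard)` returns undefined because "__proto__" is not an own key of the registry.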

CVSS provenance

Source | Version | Score | Severity | Vector
nvd    | v3.1    | 6.1   | MEDIUM   | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd    | v3.0    | 7.4   | HIGH     | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N
nvd    | v2.0    | 4.3   | MEDIUM   | AV:N/AC:M/Au:N/C:N/I:P/A:N

Note the disagreement between NVD's own vectors: the v3.0 vector rates integrity High (7.4, HIGH), while the v3.1 vector rates confidentiality and integrity Low (6.1, MEDIUM).