cvebase

Joinmastodon Mastodon vulnerabilities

42 known vulnerabilities affecting joinmastodon/mastodon.

Total CVEs: 42
CISA KEV: 0
Public exploits: 2
Exploited in wild: 0
Severity breakdown: CRITICAL 5, HIGH 13, MEDIUM 22, LOW 2

Vulnerabilities

Page 1 of 3
CVE-2023-36460 | P2 | CRITICAL | CVSS 9.9 | Affected: ≥ 3.5.0, < 3.5.9; ≥ 4.0.0, < 4.0.5; +1 more | Date: 2023-07-06
CWE-22. Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 3.5.0 and prior to versions 3.5.9, 4.0.5, and 4.1.3, attackers using carefully crafted media files can cause Mastodon's media processing code to create arbitrary files at any location. This allows attackers to create and overwrite any file Mastodon has a
Source: NVD

CVE-2024-23832 | P2 | CRITICAL | CVSS 9.8 | Affected: fixed in 3.5.17; ≥ 4.0.0, < 4.0.13; +2 more | Date: 2024-02-01
CWE-290. Mastodon is a free, open-source social network server based on ActivityPub. Mastodon allows configuration of LDAP for authentication. Due to insufficient origin validation in all Mastodon, attackers can impersonate and take over any remote account. Every Mastodon version prior to 3.5.17 is vulnerable, as well as 4.0.x versions prior to 4.0.13, 4.1.
Source: NVD

CVE-2026-33868 | P3 | MEDIUM | CVSS 6.1 | PoC available | Affected: fixed in 4.3.21; ≥ 4.4.0, < 4.4.15; +1 more | Date: 2026-03-27
CWE-601. Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.8, 4.4.15, and 4.3.21, an unauthenticated Open Redirect vulnerability (CWE-601) exists in the `/web/*` route due to improper handling of URL-encoded path segments. An attacker can craft a specially encoded URL that causes the application to redirect use
Source: NVD

CVE-2022-0432 | P3 | MEDIUM | CVSS 6.1 | PoC available | Affected: fixed in 3.5.0 | Date: 2022-02-02
CWE-1321. Prototype Pollution in GitHub repository mastodon/mastodon prior to 3.5.0.
Source: NVD

CVE-2022-24307 | P3 | CRITICAL | CVSS 9.8 | Affected: fixed in 3.3.2; ≥ 3.4.0, < 3.4.6 | Date: 2022-02-03
CWE-863. Mastodon before 3.3.2 and 3.4.x before 3.4.6 has incorrect access control because it does not compact incoming signed JSON-LD activities. (JSON-LD signing has been supported since version 1.6.0.)
Source: NVD

CVE-2024-37903 | P3 | HIGH | CVSS 8.2 | Affected: ≥ 2.6.0, < 4.1.18; ≥ 4.2.0, < 4.2.10 | Date: 2024-07-05
CWE-862. Mastodon is a self-hosted, federated microblogging platform. Starting in version 2.6.0 and prior to versions 4.1.18 and 4.2.10, by crafting specific activities, an attacker can extend the audience of a post they do not own to other Mastodon users on a target server, thus gaining access to the contents of a post not intended for them. Versions 4.1.18 an
Source: NVD

CVE-2024-25623 | P3 | HIGH | CVSS 7.7 | Affected: fixed in 3.5.19; ≥ 4.0.0, < 4.0.15; +2 more | Date: 2024-02-19
CWE-434. Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.2.7, 4.1.15, 4.0.15, and 3.5.19, when fetching remote statuses, Mastodon doesn't check that the response from the remote server has a `Content-Type` header value of the Activity Streams media type, which allows a threat actor to upload a crafted Activity St
Source: NVD

CVE-2025-54879 | P3 | HIGH | CVSS 7.5 | Affected: ≥ 3.1.5, < 4.2.24; ≥ 4.3.0, < 4.3.11; +1 more | Date: 2025-08-06
CWE-770. Mastodon is a free, open-source social network server based on ActivityPub, which facilitates LDAP configuration for authentication. In versions 3.1.5 through 4.2.24, 4.3.0 through 4.3.11 and 4.4.0 through 4.4.3, Mastodon's rate-limiting system has a critical configuration error where the email-based throttle for confirmation emails incorrectl
Source: NVD

CVE-2024-25618 | P3 | HIGH | CVSS 7.4 | Affected: fixed in 3.5.18; ≥ 4.0.0, < 4.0.14; +2 more | Date: 2024-02-14
CWE-287. Mastodon is a free, open-source social network server based on ActivityPub. Mastodon allows new identities from configured authentication providers (CAS, SAML, OIDC) to attach to existing local users with the same e-mail address. This results in a possible account takeover if the authentication provider allows changing the e-mail address or multiple a
Source: NVD

CVE-2026-27468 | P3 | HIGH | CVSS 8.2 | Affected: ≥ 4.4.0, < 4.4.14; ≥ 4.5.0, < 4.5.7 | Date: 2026-02-24
CWE-862. Mastodon is a free, open-source social network server based on ActivityPub. FASP registration requires manual approval by an administrator. In versions 4.4.0 through 4.4.13 and 4.5.0 through 4.5.6, actions performed by a FASP to subscribe to account/content lifecycle events or to backfill content did not check properly whether the FASP was actually ap
Source: NVD

CVE-2023-42450 | P3 | HIGH | CVSS 7.5 | Affected: v4.2.0 | Date: 2023-09-19
CWE-113. Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 4.2.0-beta1 and prior to version 4.2.0-rc2, by crafting specific input, attackers can inject arbitrary data into HTTP requests issued by Mastodon. This can be used to perform confused deputy attacks if the server configuration includes `ALLOWED_PRIVATE_ADDR
Source: NVD

CVE-2026-22245 | P3 | HIGH | CVSS 7.5 | Affected: fixed in 4.2.29; ≥ 4.3.0, < 4.3.17; +2 more | Date: 2026-01-08
CWE-918. Mastodon is a free, open-source social network server based on ActivityPub. By nature, Mastodon performs a lot of outbound requests to user-provided domains. Mastodon, however, has some protection mechanism to disallow requests to local IP addresses (unless specified in `ALLOWED_PRIVATE_ADDRESSES`) to avoid the "confused deputy" problem. The list of d
Source: NVD

CVE-2018-21018 | P3 | CRITICAL | CVSS 9.8 | Affected: fixed in 2.6.3 | Date: 2019-09-22
CWE-613. Mastodon before 2.6.3 mishandles timeouts of incompletely established sessions.
Source: NVD

CVE-2022-2166 | P3 | CRITICAL | CVSS 9.8 | Affected: ≤ 3.5.5; v4.0.0 | Date: 2022-11-16
CWE-307. Improper Restriction of Excessive Authentication Attempts in GitHub repository mastodon/mastodon prior to 4.0.0.
Source: NVD

CVE-2026-23962 | P3 | HIGH | CVSS 7.5 | Affected: fixed in 4.3.18; ≥ 4.4.0, < 4.4.12; +1 more | Date: 2026-01-22
CWE-770. Mastodon is a free, open-source social network server based on ActivityPub. Mastodon versions before v4.3.18, v4.4.12, and v4.5.5 do not have a limit on the maximum number of poll options for remote posts, allowing attackers to create polls with a very large amount of options, greatly increasing resource consumption. Depending on the number of poll op
Source: NVD

CVE-2023-42451 | P3 | HIGH | CVSS 7.5 | Affected: fixed in 3.5.14; ≥ 4.0.0, < 4.0.10; +2 more | Date: 2023-09-19
CWE-706. Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 3.5.14, 4.0.10, 4.1.8, and 4.2.0-rc2, under certain circumstances, attackers can exploit a flaw in domain name normalization to spoof domains they do not own. Versions 3.5.14, 4.0.10, 4.1.8, and 4.2.0-rc2 contain a patch for this issue.
Source: NVD

CVE-2023-49952 | P3 | HIGH | CVSS 7.5 | Affected: ≥ 4.1.0, < 4.1.17; ≥ 4.2.0, < 4.2.9 | Date: 2024-11-18
CWE-79. Mastodon 4.1.x before 4.1.17 and 4.2.x before 4.2.9 allows a bypass of rate limiting via a crafted HTTP request header.
Source: NVD

CVE-2026-41259 | P3 | HIGH | CVSS 7.5 | Affected: fixed in 4.3.22; ≥ 4.4.0, < 4.4.16; +1 more | Date: 2026-04-23
CWE-841. Mastodon is a free, open-source social network server based on ActivityPub. Prior to v4.5.9, v4.4.16, and v4.3.22, Mastodon allows restricting new user sign-up based on e-mail domain names, and performs basic validation on e-mail addresses, but fails to restrict characters that are interpreted differently by some mailing servers. This vulnerability is
Source: NVD

CVE-2023-28853 | P3 | MEDIUM | CVSS 6.5 | Affected: ≥ 2.5.0, < 3.5.8; ≥ 4.0.0, < 4.0.4; +1 more | Date: 2023-04-04
CWE-90. Mastodon is a free, open-source social network server based on ActivityPub. Mastodon allows configuration of LDAP for authentication. Starting in version 2.5.0 and prior to versions 3.5.8, 4.0.4, and 4.1.2, the LDAP query made during login is insecure and the attacker can perform LDAP injection attack to leak arbitrary attributes from LDAP database. T
Source: NVD

CVE-2023-36461 | P3 | HIGH | CVSS 7.5 | Affected: fixed in 3.5.9; ≥ 4.0.0, < 4.0.5; +1 more | Date: 2023-07-06
CWE-770. Mastodon is a free, open-source social network server based on ActivityPub. When performing outgoing HTTP queries, Mastodon sets a timeout on individual read operations. Prior to versions 3.5.9, 4.0.5, and 4.1.3, a malicious server can indefinitely extend the duration of the response through slowloris-type attacks. This vulnerability can be used to ke
Source: NVD