Joinmastodon: >> Mastodon >> 1.0 Security Vulnerabilities
Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for authentication. Due to insufficient origin validation in all Mastodon, attackers can impersonate and take over any remote account. Every Mastodon version prior to 3.5.17 is vulnerable, as well as 4.0.x versions prior to 4.0.13, 4.1.x version prior to 4.1.13, and 4.2.x versions prior to 4.2.5.
CVSS Score
9.4
EPSS Score
0.016
Published
2024-02-01
Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 3.5.14, 4.0.10, 4.1.8, and 4.2.0-rc2, under certain circumstances, attackers can exploit a flaw in domain name normalization to spoof domains they do not own. Versions 3.5.14, 4.0.10, 4.1.8, and 4.2.0-rc2 contain a patch for this issue.
CVSS Score
7.4
EPSS Score
0.003
Published
2023-09-19
Mastodon is a free, open-source social network server based on ActivityPub. When performing outgoing HTTP queries, Mastodon sets a timeout on individual read operations. Prior to versions 3.5.9, 4.0.5, and 4.1.3, a malicious server can indefinitely extend the duration of the response through slowloris-type attacks. This vulnerability can be used to keep all Mastodon workers busy for an extended duration of time, leading to the server becoming unresponsive. Versions 3.5.9, 4.0.5, and 4.1.3 contain a patch for this issue.
CVSS Score
7.5
EPSS Score
0.002
Published
2023-07-06
Mastodon through 4.0.2 allows attackers to cause a denial of service (large Sidekiq pull queue) by creating bot accounts that follow attacker-controlled accounts on certain other servers associated with a wildcard DNS A record, such that there is uncontrolled recursion of attacker-generated messages.
CVSS Score
7.5
EPSS Score
0.007
Published
2022-12-04
Improper Restriction of Excessive Authentication Attempts in GitHub repository mastodon/mastodon prior to 4.0.0.
CVSS Score
9.8
EPSS Score
0.016
Published
2022-11-16
app/models/user.rb in Mastodon before 3.5.0 allows a bypass of e-mail restrictions.
CVSS Score
5.3
EPSS Score
0.002
Published
2022-05-24
Mastodon before 3.3.2 and 3.4.x before 3.4.6 has incorrect access control because it does not compact incoming signed JSON-LD activities. (JSON-LD signing has been supported since version 1.6.0.)
CVSS Score
9.8
EPSS Score
0.004
Published
2022-02-03
Prototype Pollution in GitHub repository mastodon/mastodon prior to 3.5.0.
CVSS Score
7.4
EPSS Score
0.281
Published
2022-02-02
Mastodon before 2.6.3 mishandles timeouts of incompletely established sessions.
CVSS Score
9.8
EPSS Score
0.016
Published
2019-09-22
Page 2