Joinmastodon: >> Mastodon >> 4.2.8 Security Vulnerabilities
Mastodon is a self-hosted, federated microblogging platform. In versions prior to 4.1.23, 4.2.16, and 4.3.4, when the visibility for domain blocks/reasons is set to "users" (localized English string: "To logged-in users"), users that are not yet approved can view the block reasons. Instance admins that do not want their domain blocks to be public are impacted. Versions 4.1.23, 4.2.16, and 4.3.4 fix the issue.
CVSS Score
5.3
EPSS Score
0.001
Published
2025-02-27
Mastodon is a self-hosted, federated microblogging platform. Starting in version 4.2.0 and prior to versions 4.2.16 and 4.3.4, the rate limits are missing on `/auth/setup`. Without those rate limits, an attacker can craft requests that will send an email to an arbitrary addresses. Versions 4.2.16 and 4.3.4 fix the issue.
CVSS Score
5.3
EPSS Score
0.001
Published
2025-02-27
Mastodon 4.1.x before 4.1.17 and 4.2.x before 4.2.9 allows a bypass of rate limiting via a crafted HTTP request header.
CVSS Score
7.5
EPSS Score
0.001
Published
2024-11-18
In Mastodon 4.1.6, API endpoint rate limiting can be bypassed by setting a crafted HTTP request header.
CVSS Score
5.9
EPSS Score
0.002
Published
2024-10-03
Mastodon is a self-hosted, federated microblogging platform. Starting in version 2.6.0 and prior to versions 4.1.18 and 4.2.10, by crafting specific activities, an attacker can extend the audience of a post they do not own to other Mastodon users on a target server, thus gaining access to the contents of a post not intended for them. Versions 4.1.18 and 4.2.10 contain a patch for this issue.
CVSS Score
8.2
EPSS Score
0.001
Published
2024-07-05