Mastodon vulnerability allows impersonation of remote server accounts
CVE-2024-25623

CVSS score: 7.7 (HIGH)

Key Information:

Vendor: mastodon
Status: Vendor
CVE Published: 19 February 2024

What is CVE-2024-25623?

Mastodon is an open-source social networking server built on the ActivityPub protocol. Before versions 4.2.7, 4.1.15, 4.0.15 and 3.5.19, the server did not validate the Content-Type header of the responses it received when fetching remote statuses: any 200 response whose body parsed as JSON was treated as an Activity Streams document. The missing check matters because the content of a fetched object is trusted on the strength of the domain it was fetched from. An attacker who can get a crafted Activity Streams JSON document hosted on a remote server, for example because that server allows user registration and arbitrary file uploads, can point a Mastodon instance at that file; the instance accepts it as a genuine object belonging to the remote server's domain and the attacker can thereby impersonate any account on that server. The versions listed above contain the fix; administrators should upgrade.
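The check that was missing, shown as an added example rather than Mastodon's own patch: a response handler that parses any JSON body (the vulnerable behaviour described above) next to one that first requires an ActivityPub media type. The `Response` struct, the `FORGED_NOTE` document, the example.org URLs and the method names are constructed for this illustration and are not taken from the project.

```ruby
require 'json'

# Media types that may carry an Activity Streams 2.0 document:
# application/activity+json, or application/ld+json with the AS2 profile.
ACTIVITYSTREAMS_PROFILE = 'https://www.w3.org/ns/activitystreams'.freeze

# Split a Content-Type header into a lower-cased media type and its parameters.
def parse_content_type(header)
  return [nil, {}] if header.nil? || header.strip.empty?

  type, *params = header.split(';').map(&:strip)
  parsed = params.each_with_object({}) do |param, acc|
    key, value = param.split('=', 2)
    next if key.nil? || value.nil?

    acc[key.strip.downcase] = value.strip.delete('"')
  end
  [type.downcase, parsed]
end

# True only for the media types an ActivityPub fetcher should accept.
def activitypub_content_type?(header)
  type, params = parse_content_type(header)
  return false if type.nil?
  return true if type == 'application/activity+json'
  return false unless type == 'application/ld+json'

  # application/ld+json is ActivityPub only with the activitystreams profile.
  params['profile'].to_s.split(' ').include?(ACTIVITYSTREAMS_PROFILE)
end

# Constructed stand-in for an HTTP response; not tied to any HTTP library.
Response = Struct.new(:code, :headers, :body)

# Vulnerable behaviour: every 200 body that parses as JSON is accepted.
def vulnerable_json_from_response(resp)
  return nil unless resp.code == 200

  JSON.parse(resp.body)
rescue JSON::ParserError
  nil
end

# Hardened behaviour: additionally require an ActivityPub Content-Type.
def hardened_json_from_response(resp)
  return nil unless resp.code == 200
  return nil unless activitypub_content_type?(resp.headers['content-type'])

  JSON.parse(resp.body)
rescue JSON::ParserError
  nil
end

# Constructed scenario: an attacker uploaded this JSON file as a media
# attachment on example.org. The document claims to be a Note written by
# another user of that same domain.
FORGED_NOTE = JSON.generate(
  '@context' => ACTIVITYSTREAMS_PROFILE,
  'id' => 'https://example.org/media/attachments/forged.json',
  'type' => 'Note',
  'attributedTo' => 'https://example.org/users/victim',
  'content' => 'I never wrote this'
)

# The media endpoint serves the upload as an opaque file ...
MEDIA_RESPONSE = Response.new(200, { 'content-type' => 'application/octet-stream' }, FORGED_NOTE)
# ... whereas a real ActivityPub endpoint labels its documents correctly.
LEGIT_RESPONSE = Response.new(200, { 'content-type' => 'application/activity+json; charset=utf-8' }, FORGED_NOTE)

if $PROGRAM_NAME == __FILE__
  puts "vulnerable accepts upload: #{!vulnerable_json_from_response(MEDIA_RESPONSE).nil?}"
  puts "hardened accepts upload:   #{!hardened_json_from_response(MEDIA_RESPONSE).nil?}"
  puts "hardened accepts real AP:  #{!hardened_json_from_response(LEGIT_RESPONSE).nil?}"
end
```

The Content-Type check is the specific fix for this issue, not a substitute for the usual origin check that a fetched object's `id` lives on the host it was fetched from; the attack works precisely because the uploaded file does live on that host, so only the media-type check distinguishes it from a real ActivityPub document.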

Affected Version(s)

Package    Affected range        Fixed in
mastodon   < 3.5.19              3.5.19
mastodon   >= 4.0.0, < 4.0.15    4.0.15
mastodon   >= 4.1.0, < 4.1.15    4.1.15
mastodon   >= 4.2.0, < 4.2.7     4.2.7

CVSS V3.1

Score: 7.7
Severity: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: None
Integrity: High
Availability: None

Timeline

  • Vulnerability published: 19 February 2024

  • Vulnerability reserved