PT-2026-52079 · Mastodon · Mastodon

Publicado

2026-06-24

Atualizado

2026-06-24

CVE-2026-47389

CVSS v3.1

8.6

Alta

Vetor

AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Mastodon is a free, open-source social network server based on ActivityPub. Prior to 4.5.10, 4.4.17, and 4.3.23, when using Ruby versions older than 3.4, PrivateAddressCheck.private address? returns false for IPv4-mapped IPv6 addresses (::ffff:a.b.c.d) corresponding to some private IPv4 addresses, depending on Ruby version, this can include loopback, RFC1918 private networks, and link-local space. An attacker who controls DNS for any domain can publish an AAAA record with such a mapped address; any outbound HTTP fetch Mastodon performs against that hostname then opens a real TCP connection to the underlying IPv4 address, including 127.0.0.1 and cloud-metadata endpoints such as 169.254.169.254. This vulnerability is fixed in 4.5.10, 4.4.17, and 4.3.23.

Correção

Incomplete List of Disallowed Inputs

SSRF

Information Disclosure

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-184CWE-918CWE-200

Identificadores relacionados

CVE-2026-47389

Produtos afetados

Mastodon

PT-2026-52079 · Mastodon · Mastodon

CVE-2026-47389

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 2