PT-2022-27857 · Mastodon · Mastodon

Published: 2022-12-04 · Updated: 2025-04-24 · CVE-2022-46405

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Mastodon versions through 4.0.2

Description: The issue allows attackers to cause a denial of service by creating bot accounts that follow attacker-controlled accounts on certain other servers associated with a wildcard DNS A record, resulting in uncontrolled recursion of attacker-generated messages.

Recommendations: For Mastodon versions through 4.0.2, consider disabling the feature that allows bot accounts to follow other accounts until a patch is available. Restrict access to the Sidekiq pull queue to minimize the risk of exploitation. Avoid using wildcard DNS A records for servers associated with Mastodon instances until the issue is resolved.

Exploit

Fix

DoS

Uncontrolled Recursion

Weakness Enumeration

Related Identifiers

BIT-MASTODON-2022-46405
CVE-2022-46405

Affected Products

Mastodon