CVE-2023-42450

Name of the Vulnerable Software and Affected Versions Mastodon versions 4.2.0-beta1 through 4.2.0-rc1

Description The issue is related to insufficient request validation on the server side, allowing attackers to inject arbitrary data into HTTP requests issued by Mastodon. This can be used to perform confused deputy attacks if the server configuration includes ALLOWED PRIVATE ADDRESSES to allow access to local exploitable services.

Recommendations For Mastodon versions 4.2.0-beta1 through 4.2.0-rc1, update to version 4.2.0-rc2 or later to resolve the issue. As a temporary workaround, consider restricting access to local services by removing or limiting the ALLOWED PRIVATE ADDRESSES configuration to minimize the risk of exploitation.