CVE-2024-25623

Name of the Vulnerable Software and Affected Versions Mastodon versions prior to 4.2.7 Mastodon versions prior to 4.1.15 Mastodon versions prior to 4.0.15 Mastodon versions prior to 3.5.19

Description Mastodon is a free, open-source social network server based on ActivityPub. When fetching remote statuses, Mastodon doesn't check that the response from the remote server has a Content-Type header value of the Activity Streams media type. This allows a threat actor to upload a crafted Activity Streams document to a remote server and make a Mastodon server fetch it, if the remote server accepts arbitrary user uploads. The issue allows a threat actor to impersonate an account on a remote server that satisfies certain properties: allows the attacker to register an account, accepts arbitrary user-uploaded documents and places them on the same domain as the ActivityPub actors, and serves user-uploaded documents in response to requests with an Accept header value of the Activity Streams media type.

Recommendations For versions prior to 4.2.7, update to version 4.2.7 or later. For versions prior to 4.1.15, update to version 4.1.15 or later. For versions prior to 4.0.15, update to version 4.0.15 or later. For versions prior to 3.5.19, update to version 3.5.19 or later.