PT-2026-2181 · Mastodon · Mastodon

Megamansec +1

Published 2026-01-08 · Updated 2026-01-13

CVE-2026-22245

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Mastodon versions 4.2.29, 4.3.17, 4.4.11, and 4.5.4

Description
Mastodon is a social network server that makes outbound HTTP requests to user-provided domains. A protection mechanism disallows requests to local IP addresses, intended to prevent a "confused deputy" problem (server-side request forgery). However, the list of disallowed IP address ranges was incomplete, so an attacker could supply specific IP addresses that made Mastodon perform HTTP requests against loopback or local-network hosts. This could potentially expose private resources and services. The ALLOWED_PRIVATE_ADDRESSES variable is relevant to this issue.

Recommendations
Update Mastodon to version 4.2.29, 4.3.17, 4.4.11, or 4.5.4, depending on the release branch in use.
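The guard the description refers to, as an added example in Ruby (not Mastodon's own code): a check applied to each resolved address before an outbound request, with an IPv4-only list kept alongside to show one way an incomplete range list can miss a reserved address (the advisory does not say which ranges were missing). The module and method names, and the comma-separated CIDR format assumed for the ALLOWED_PRIVATE_ADDRESSES allowlist, are assumptions made for this example.

```ruby
require 'ipaddr'

# Added example, not Mastodon's own code. Apply the check to every IP the
# resolver returns for a user-supplied host (not to the hostname), so DNS
# cannot steer an outbound request at loopback or an internal network.
module OutboundAddressGuard
  # An IPv4-only list, kept to show how an incomplete range list fails
  # open: nothing in it matches the IPv6 loopback address ::1.
  IPV4_ONLY_RANGES = %w[
    10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.168.0.0/16
  ].map { |cidr| IPAddr.new(cidr) }.freeze

  # Fuller list covering both address families. Hand-maintained lists are
  # where gaps creep in, so IPAddr's own predicates are consulted too.
  DISALLOWED_RANGES = %w[
    0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
    172.16.0.0/12 192.0.0.0/24 192.168.0.0/16 198.18.0.0/15
    ::/128 ::1/128 fc00::/7 fe80::/10
  ].map { |cidr| IPAddr.new(cidr) }.freeze

  # Operator exceptions in the spirit of ALLOWED_PRIVATE_ADDRESSES; the
  # comma-separated CIDR format is an assumption made for this example.
  def self.allowed_ranges(env_value)
    env_value.to_s.split(',').map(&:strip).reject(&:empty?).map { |c| IPAddr.new(c) }
  end

  # ::ffff:a.b.c.d reaches the same host as a.b.c.d, so IPv4-mapped IPv6
  # is folded back to IPv4 before any range comparison.
  def self.normalize(ip)
    ip.ipv4_mapped? ? ip.native : ip
  end

  def self.naive_private?(address)
    ip = IPAddr.new(address)
    IPV4_ONLY_RANGES.any? { |r| r.include?(ip) }
  end

  # Hardened check: normalise, honour the allowlist, then combine the
  # explicit list with IPAddr's own classification.
  def self.private?(address, allowed_env = nil)
    ip = normalize(IPAddr.new(address))
    return false if allowed_ranges(allowed_env).any? { |r| r.include?(ip) }
    DISALLOWED_RANGES.any? { |r| r.include?(ip) } ||
      ip.loopback? || ip.link_local? || ip.private?
  end
end
```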

Exploit · Fix · SSRF

Weakness Enumeration

Related Identifiers

BIT-MASTODON-2026-22245
CVE-2026-22245
GHSA-XFRJ-C749-JXXQ

Affected Products

Mastodon