PT-2026-3900 · Mastodon · Mastodon
Ember-Ruby · Published 2026-01-22 · Updated 2026-02-03
CVE-2026-23962
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Mastodon versions prior to 4.3.18
Mastodon versions prior to 4.4.12
Mastodon versions prior to 4.5.5
Description
Mastodon is a free, open-source social network server based on ActivityPub. Versions prior to 4.3.18, 4.4.12, and 4.5.5 do not limit the number of poll options accepted in remote (federated) posts. An attacker can therefore publish a poll with a very large number of options, which significantly increases resource consumption when the poll is processed by Mastodon servers and rendered by clients, potentially leading to a Denial of Service on either the server or the client side.
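As an added illustration (not Mastodon's own code; the option cap, the error class and the helper names are assumptions made for this example), the unbounded handling of an incoming ActivityPub Question object that the description refers to, beside a variant that rejects oversized polls before any per-option work is done:

```ruby
require 'json'

# Assumed cap for this example; the page does not state the limit the fix uses.
MAX_REMOTE_POLL_OPTIONS = 20

class PollTooLarge < StandardError; end

# Return the option list of a Question object (oneOf for single choice,
# anyOf for multiple choice), tolerating a missing or malformed field.
def poll_items(question)
  items = question['oneOf'] || question['anyOf']
  items.is_a?(Array) ? items : []
end

# Pre-fix behaviour: every entry the remote actor sent is processed,
# so the cost scales with whatever size the sender chose.
def poll_options_unbounded(question)
  poll_items(question).map { |item| item['name'].to_s }
end

# Hardened variant: check the count (O(1)) before touching any option,
# so storage, rendering and notification work never start for an oversized poll.
def poll_options_bounded(question, max: MAX_REMOTE_POLL_OPTIONS)
  items = poll_items(question)
  raise PollTooLarge, "poll has #{items.size} options, limit is #{max}" if items.size > max
  items.map { |item| item['name'].to_s }
end

# Constructed sample: a Question shaped like one arriving via federation.
def sample_question(option_count)
  {
    'type' => 'Question',
    'content' => 'Pick one',
    'oneOf' => Array.new(option_count) { |i| { 'type' => 'Note', 'name' => "Option #{i + 1}" } }
  }
end

if __FILE__ == $PROGRAM_NAME
  big = JSON.parse(JSON.generate(sample_question(10_000)))
  puts "unbounded: processed #{poll_options_unbounded(big).size} options"
  begin
    poll_options_bounded(big)
  rescue PollTooLarge => e
    puts "bounded: rejected (#{e.message})"
  end
end
```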
Recommendations
Update to Mastodon version 4.3.18 or later.
Update to Mastodon version 4.4.12 or later.
Update to Mastodon version 4.5.5 or later.
Tags: Exploit · Fix · DoS · Allocation of Resources Without Limits
Affected Products: Mastodon