PT-2026-3901 · Mastodon · Mastodon
Daprice · Published 2026-01-22 · Updated 2026-02-03
CVE-2026-23963
| CVSS v3.1 | 6.5 (Medium) |
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
Mastodon versions prior to 4.5.5
Mastodon versions prior to 4.4.12
Mastodon versions prior to 4.3.18
Description
Mastodon, a free and open-source social network server based on ActivityPub, does not limit the length of list names, filter names, or filter keywords. A user can therefore set an excessively long string as a name or keyword, potentially causing disproportionate storage and computing resource usage. A user can render their own web interface unusable, though this requires intentional action or the user's approval of a malicious API client.
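As an added example, not Mastodon's own code or its actual fix: a length validator in plain Ruby (Rails-style semantics, but stand-alone) for the three fields the advisory names, rejecting oversized input before it reaches storage or the keyword matcher. The 100-character limits, field names and error messages are assumptions chosen for illustration.

```ruby
# Added example (not Mastodon's own code): length validation for the three
# user-supplied fields named in the advisory. The limits below are assumed
# values for illustration, not the ones Mastodon ships.
MAX_CHARS = {
  list_title:     100,
  filter_title:   100,
  filter_keyword: 100,
}.freeze

ValidationError = Struct.new(:field, :message)

# Validates one field value and returns an Array of ValidationError (empty
# when the value is acceptable). Length is counted in Unicode characters,
# which is what the user sees; because the check runs before the value is
# persisted or compiled into a filter, oversized input costs nothing beyond
# the request that carried it.
def validate_field(field, value)
  max = MAX_CHARS.fetch(field)
  return [ValidationError.new(field, 'must be a string')] unless value.is_a?(String)

  errors = []
  errors << ValidationError.new(field, "can't be blank") if value.strip.empty?
  if value.length > max
    errors << ValidationError.new(field, "is too long (maximum is #{max} characters)")
  end
  errors
end

# Validates a whole filter: its title plus every keyword, so that a single
# oversized keyword among many normal ones is still rejected.
def validate_filter(title:, keywords:)
  errors = validate_field(:filter_title, title)
  keywords.each { |kw| errors.concat(validate_field(:filter_keyword, kw)) }
  errors
end

def filter_valid?(title:, keywords:)
  validate_filter(title: title, keywords: keywords).empty?
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input: one normal keyword and one oversized one.
  errors = validate_filter(title: 'Spoilers', keywords: ['finale', 'x' * 100_000])
  errors.each { |e| puts "#{e.field} #{e.message}" }
end
```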
Recommendations
Update to Mastodon version 4.5.5 or later.
Update to Mastodon version 4.4.12 or later.
Update to Mastodon version 4.3.18 or later.
Exploit
Fix
Weakness Enumeration
Allocation of Resources Without Limits
Related Identifiers
Affected Products
Mastodon