SSRF Protection Bypass Vulnerability in Mastodon

Severity: High
Package: Mastodon
Affected Versions: < v4.2.29, < v4.3.17, < v4.4.11, < v4.5.4
Patched Versions: v4.2.29, v4.3.17, v4.4.11, v4.5.4
CVE ID: CVE-2026-22245
Weaknesses: No CWEs identified

Summary

Mastodon performs outbound requests to user-provided domains and has mechanisms to disallow requests to local IP addresses unless specified in . However, the list of disallowed IP address ranges was lacking some IP address ranges that can be used to reach local IP addresses.

Impact

An attacker can use an IP address in the affected ranges to make Mastodon perform HTTP requests against loopback or local network hosts, potentially allowing access to otherwise private resources and services.

Note

This security issue was found by Joshua Rogers of Aisle Research.
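
The summary's point, that a deny list of literal ranges can miss addresses which still lead to a local host, is illustrated by the following added Ruby example; it is not Mastodon's code. The range lists and the names `NON_PUBLIC`, `EMBEDS_IPV4`, `embedded_ipv4` and `public_destination?` are assumptions built from the IANA special-purpose registries, not the ranges this advisory patched.

```ruby
require 'ipaddr'
require 'socket'

# Constructed deny list (IANA special-purpose ranges); illustrative only,
# not the list Mastodon ships and not the ranges fixed in this advisory.
NON_PUBLIC = %w[
  0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
  172.16.0.0/12 192.0.0.0/24 192.168.0.0/16 198.18.0.0/15 224.0.0.0/3
  ::/127 fc00::/7 fe80::/10 ff00::/8
].map { |cidr| IPAddr.new(cidr) }.freeze

# IPv6 prefixes that carry an IPv4 address, mapped to the bit offset of
# the embedded address. A check that ignores them never sees that IPv4 value.
EMBEDS_IPV4 = {
  IPAddr.new('::ffff:0:0/96') => 0,  # IPv4-mapped
  IPAddr.new('::/96')         => 0,  # IPv4-compatible (deprecated)
  IPAddr.new('64:ff9b::/96')  => 0,  # NAT64 well-known prefix
  IPAddr.new('2002::/16')     => 80  # 6to4
}.freeze

# Returns the IPv4 address embedded in an IPv6 address, or nil if none.
def embedded_ipv4(ip)
  return nil unless ip.ipv6?
  _, shift = EMBEDS_IPV4.find { |prefix, _| prefix.include?(ip) }
  shift && IPAddr.new((ip.to_i >> shift) & 0xffffffff, Socket::AF_INET)
end

# True only if neither the address nor any IPv4 address embedded in it
# falls in a denied range. Anything that is not an IP literal fails closed.
def public_destination?(literal)
  ip = IPAddr.new(literal)
  candidates = [ip, embedded_ipv4(ip)].compact
  candidates.none? { |addr| NON_PUBLIC.any? { |net| net.include?(addr) } }
rescue IPAddr::Error
  false
end

# Constructed sample destinations.
if __FILE__ == $PROGRAM_NAME
  %w[8.8.8.8 127.0.0.1 ::ffff:10.0.0.5 64:ff9b::7f00:1 2002:c0a8:101::1].each do |a|
    puts format('%-20s public=%s', a, public_destination?(a))
  end
end
```

Apply the check to the address the socket will actually connect to, after DNS resolution, rather than to the hostname the user supplied.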