Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

mastodon — Vulnerabilities & Security Advisories 42

Browse all 42 CVE security advisories affecting mastodon. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Mastodon is an open-source, self-hosted microblogging platform designed to decentralize social networking through the ActivityPub protocol. Its architecture allows users to operate independent instances that interoperate within a federated network, prioritizing user control over centralized corporate data silos. Historically, security audits have identified approximately 35 Common Vulnerabilities and Exposures (CVEs) within the codebase. These flaws predominantly involve server-side request forgery, cross-site scripting, and improper access control mechanisms, often stemming from complex interactions between the Ruby on Rails backend and the PostgreSQL database. While no catastrophic data breaches have defined its history, the platform’s decentralized nature means security incidents are typically isolated to specific instances rather than affecting the entire network. Recent patches have focused on hardening authentication flows and mitigating injection vulnerabilities, reflecting the ongoing challenges of maintaining security in a distributed, community-driven software ecosystem.

Top products by mastodon: mastodon mastodon/mastodon
CVE IDTitleCVSSSeverityPublished
CVE-2024-25618 External OpenID Connect Account Takeover by E-Mail Change in mastodon — mastodonCWE-287 4.2 Medium2024-02-14
CVE-2024-23832 Mastodon Remote user impersonation and takeover — mastodonCWE-290 9.4 Critical2024-02-01
CVE-2023-42452 Mastodon vulnerable to Stored XSS through the translation feature — mastodonCWE-79 6.1 Medium2023-09-19
CVE-2023-42451 Mastodon Invalid Domain Name Normalization vulnerability — mastodonCWE-706 7.4 High2023-09-19
CVE-2023-42450 Mastodon Server-Side Request Forgery vulnerability — mastodonCWE-918 5.4 Medium2023-09-19
CVE-2023-36462 Mastodon's verified profile links can be formatted in a misleading way — mastodonCWE-20 5.4 Medium2023-07-06
CVE-2023-36461 Mastodon vulnerable to Denial of Service through slow HTTP responses — mastodonCWE-770 7.5 High2023-07-06
CVE-2023-36460 Mastodon vulnerable to arbitrary file creation through media attachments — mastodonCWE-22 10.0 Critical2023-07-06
CVE-2023-36459 Mastodon vulnerable to Cross-site Scripting through oEmbed preview cards — mastodonCWE-79 9.3 Critical2023-07-06
CVE-2023-28853 Mastodon's blind LDAP injection in login allows the attacker to leak arbitrary attributes from LDAP database — mastodonCWE-90 7.7 High2023-04-04
CVE-2022-2166 Improper Restriction of Excessive Authentication Attempts in mastodon/mastodon — mastodon/mastodonCWE-307 9.4 -2022-11-16
CVE-2022-0432 Prototype Pollution in mastodon/mastodon — mastodon/mastodonCWE-1321 9.6 -2022-02-02

This page lists every published CVE security advisory associated with mastodon. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.