Mastodon has SSRF via unvalidated FASP Provider base_url
Description
Mastodon is a free, open-source social network server based on ActivityPub. FASP registration requires manual approval by an administrator. In versions 4.4.0 through 4.4.13 and 4.5.0 through 4.5.6, an unauthenticated attacker can register a FASP with an attacker-chosen base_url that includes, or resolves to, a local or internal address, causing the Mastodon server to make requests to that address. This only affects Mastodon servers that have opted in to testing the experimental FASP feature by setting the environment variable EXPERIMENTAL_FEATURES to a value including fasp. An attacker can force the Mastodon server to make http(s) requests to internal systems. While they cannot control the full URL being requested (only the prefix) and cannot see the result of those requests, vulnerabilities or other undesired behavior could be triggered in those systems. The fix is included in the 4.4.14 and 4.5.7 releases. Admins who are actively testing the experimental "fasp" feature should update their systems. Servers not using the experimental feature flag fasp are not affected.
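A defensive check of the kind this class of bug calls for, as an added example that is not Mastodon's own code or its actual patch: validate a registrant-supplied base_url before the server ever fetches from it, rejecting non-HTTPS schemes, embedded credentials, and any host that is, or resolves to, a loopback, link-local or private address. The range list, the resolver hook and the helper names are assumptions for illustration.

```ruby
require 'uri'
require 'ipaddr'
require 'resolv'

# Address ranges a server-side fetcher should never be pointed at
# (loopback, link-local incl. cloud metadata endpoints, RFC 1918, CGNAT, ULA).
BLOCKED_RANGES = %w[
  0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
  172.16.0.0/12 192.168.0.0/16 ::/128 ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }

# Default resolver does a real DNS lookup; tests can inject a stub instead.
DEFAULT_RESOLVER = ->(host) { Resolv.getaddresses(host) }

def blocked_address?(ip)
  addr = IPAddr.new(ip.to_s)
  addr = addr.native if addr.ipv4_mapped? # ::ffff:10.0.0.1 -> 10.0.0.1
  BLOCKED_RANGES.any? { |range| range.include?(addr) }
end

# Returns [accepted, reason] for a FASP-style base_url supplied by a
# registrant. Hypothetical helper, not Mastodon's implementation.
def validate_base_url(base_url, resolver: DEFAULT_RESOLVER)
  begin
    uri = URI.parse(base_url)
  rescue URI::InvalidURIError
    return [false, 'unparseable URL']
  end
  return [false, 'scheme must be https'] unless uri.is_a?(URI::HTTPS)
  return [false, 'userinfo not allowed'] if uri.userinfo
  host = uri.hostname # strips the [] around IPv6 literals
  return [false, 'missing host'] if host.nil? || host.empty?

  # Literal IP: check it directly. Hostname: check every address it resolves to.
  addresses =
    begin
      [IPAddr.new(host).to_s]
    rescue IPAddr::InvalidAddressError
      resolver.call(host)
    end
  return [false, 'host does not resolve'] if addresses.empty?
  bad = addresses.find { |a| blocked_address?(a) }
  return [false, "resolves to blocked address #{bad}"] if bad

  [true, 'ok']
end
```

A check at registration time alone does not cover a hostname whose DNS answer changes later, so the same address check belongs at fetch time as well, on the address actually being connected to.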
References
- https://github.com/mastodon/mastodon/commit/7b85d2182361e68d51d9a02f94fb1070b5f503b1
- https://github.com/mastodon/mastodon/security/advisories/GHSA-46w6-g98f-wxqm