VYPR

Mastodon

by Mastodon

Source repositories

CVEs (49)

  • CVE-2025-67500 (Dec 9, 2025)
    risk 0.00 | cvss | epss 0.00

    Mastodon is a free, open-source social network server based on ActivityPub. Versions 4.2.27 and prior, 4.3.0-beta.1 through 4.3.14, 4.4.0-beta.1 through 4.4.9, 4.5.0-beta.1 through 4.5.2 have discrepancies in error handling which allow checking whether a given status exists by…

  • CVE-2025-62605 (Oct 21, 2025)
    risk 0.00 | cvss | epss 0.00

    Mastodon is a free, open-source social network server based on ActivityPub. In Mastodon version 4.4, support for verifiable quote posts with quote controls was added, but it is possible for an attacker to bypass these controls in Mastodon versions prior to 4.4.8 and…

  • CVE-2025-62176 (Oct 13, 2025)
    risk 0.00 | cvss | epss 0.00

    Mastodon is a free, open-source social network server based on ActivityPub. In Mastodon before 4.4.6, 4.3.14, and 4.2.27, the streaming server accepts serving events for public timelines to clients using any valid authentication token, even if those tokens lack the read:statuses…

  • CVE-2025-62175 (Oct 13, 2025)
    risk 0.00 | cvss | epss 0.00

    Mastodon is a free, open-source social network server based on ActivityPub. In versions before 4.4.6, 4.3.14, and 4.2.27, disabling or suspending a user account does not disconnect the account from the streaming API. This allows disabled or suspended accounts to continue…

  • CVE-2025-62174 (Oct 13, 2025)
    risk 0.00 | cvss | epss 0.00

    Mastodon is a free, open-source social network server based on ActivityPub. In Mastodon before 4.4.6, 4.3.14, and 4.2.27, when an administrator resets a user account's password via the command-line interface using `bin/tootctl accounts modify --reset-password`, active sessions…

  • CVE-2025-54879 (Aug 5, 2025)
    risk 0.00 | cvss | epss 0.01

    Mastodon is a free, open-source social network server based on ActivityPub, which facilitates LDAP configuration for authentication. In versions 3.1.5 through 4.2.24, 4.3.0 through 4.3.11 and 4.4.0 through 4.4.3, Mastodon's rate-limiting system has a critical…

  • CVE-2025-27399 (Feb 27, 2025)
    risk 0.00 | cvss | epss 0.00

    Mastodon is a self-hosted, federated microblogging platform. In versions prior to 4.1.23, 4.2.16, and 4.3.4, when the visibility for domain blocks/reasons is set to "users" (localized English string: "To logged-in users"), users that are not yet approved can view the block…

  • CVE-2025-27157 (Feb 27, 2025)
    risk 0.00 | cvss | epss 0.00

    Mastodon is a self-hosted, federated microblogging platform. Starting in version 4.2.0 and prior to versions 4.2.16 and 4.3.4, the rate limits are missing on `/auth/setup`. Without those rate limits, an attacker can craft requests that will send an email to an arbitrary…

  • CVE-2023-49952 (Nov 18, 2024)
    risk 0.00 | cvss | epss 0.00

    Mastodon 4.1.x before 4.1.17 and 4.2.x before 4.2.9 allows a bypass of rate limiting via a crafted HTTP request header.

  • CVE-2024-34535 (Oct 3, 2024)
    risk 0.00 | cvss | epss 0.00

    In Mastodon 4.1.6, API endpoint rate limiting can be bypassed by setting a crafted HTTP request header.

  • CVE-2024-37903 (Jul 5, 2024)
    risk 0.00 | cvss | epss 0.01

    Mastodon is a self-hosted, federated microblogging platform. Starting in version 2.6.0 and prior to versions 4.1.18 and 4.2.10, by crafting specific activities, an attacker can extend the audience of a post they do not own to other Mastodon users on a target server, thus gaining…

  • CVE-2024-25623 (Feb 19, 2024)
    risk 0.00 | cvss | epss 0.01

    Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.2.7, 4.1.15, 4.0.15, and 3.5.19, when fetching remote statuses, Mastodon doesn't check that the response from the remote server has a `Content-Type` header value of the Activity…

  • CVE-2024-25619 (Feb 14, 2024)
    risk 0.00 | cvss | epss 0.00

    Mastodon is a free, open-source social network server based on ActivityPub. When an OAuth Application is destroyed, the streaming server wasn't being informed that the Access Tokens had also been destroyed, this could have posed security risks to users by allowing an application…

  • CVE-2024-25618 (Feb 14, 2024)
    risk 0.00 | cvss | epss 0.00

    Mastodon is a free, open-source social network server based on ActivityPub. Mastodon allows new identities from configured authentication providers (CAS, SAML, OIDC) to attach to existing local users with the same e-mail address. This results in a possible account takeover if…

  • CVE-2024-23832 (Feb 1, 2024)
    risk 0.00 | cvss | epss 0.02

    Mastodon is a free, open-source social network server based on ActivityPub. Mastodon allows configuration of LDAP for authentication. Due to insufficient origin validation in all Mastodon, attackers can impersonate and take over any remote account. Every Mastodon version prior to…

  • CVE-2023-42452 (Sep 19, 2023)
    risk 0.00 | cvss | epss 0.00

    Mastodon is a free, open-source social network server based on ActivityPub. In versions on the 4.x branch prior to versions 4.0.10, 4.2.8, and 4.2.0-rc2, under certain conditions, attackers can abuse the translation feature to bypass the server-side HTML sanitization, allowing…

  • CVE-2023-42451 (Sep 19, 2023)
    risk 0.00 | cvss | epss 0.01

    Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 3.5.14, 4.0.10, 4.1.8, and 4.2.0-rc2, under certain circumstances, attackers can exploit a flaw in domain name normalization to spoof domains they do not own. Versions 3.5.14, 4.0.10,…

  • CVE-2023-42450 (Sep 19, 2023)
    risk 0.00 | cvss | epss 0.00

    Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 4.2.0-beta1 and prior to version 4.2.0-rc2, by crafting specific input, attackers can inject arbitrary data into HTTP requests issued by Mastodon. This can be used to perform confused…

  • CVE-2023-36462 (Jul 6, 2023)
    risk 0.00 | cvss | epss 0.01

    Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 2.6.0 and prior to versions 3.5.9, 4.0.5, and 4.1.3, an attacker can craft a verified profile link using specific formatting to conceal arbitrary parts of the link, enabling it to…

  • CVE-2023-36461 (Jul 6, 2023)
    risk 0.00 | cvss | epss 0.01

    Mastodon is a free, open-source social network server based on ActivityPub. When performing outgoing HTTP queries, Mastodon sets a timeout on individual read operations. Prior to versions 3.5.9, 4.0.5, and 4.1.3, a malicious server can indefinitely extend the duration of the…