CVE-2024-25623

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-25623

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-25623.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2024-25623

Aliases

BIT-mastodon-2024-25623
GHSA-jhrq-qvrm-qr36

Published

2024-02-19T15:28:15Z

Modified

2025-11-06T06:16:42.185032Z

Severity

8.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N CVSS Calculator

Summary

Lack of media type verification of Activity Streams objects allows impersonation of remote accounts

Details

Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.2.7, 4.1.15, 4.0.15, and 3.5.19, when fetching remote statuses, Mastodon doesn't check that the response from the remote server has a Content-Type header value of the Activity Streams media type, which allows a threat actor to upload a crafted Activity Streams document to a remote server and make a Mastodon server fetch it, if the remote server accepts arbitrary user uploads. The vulnerability allows a threat actor to impersonate an account on a remote server that satisfies all of the following properties: allows the attacker to register an account; accepts arbitrary user-uploaded documents and places them on the same domain as the ActivityPub actors; and serves user-uploaded document in response to requests with an Accept header value of the Activity Streams media type. Versions 4.2.7, 4.1.15, 4.0.15, and 3.5.19 contain a fix for this issue.

Database specific

{
    "cwe_ids": [
        "CWE-434"
    ]
}

References

Affected packages

Git / github.com/mastodon/mastodon

Affected ranges

Type: GIT
Repo: https://github.com/mastodon/mastodon
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

9fee5e852669e26f970e278021302e1a203fc022

Affected versions

v0.*

v0.1.0

v0.1.1

v0.1.2

v0.6

v0.7

v0.8

v0.9

v0.9.9

v1.*

v1.0

v1.1

v1.1.1

v1.1.2

v1.2

v1.2.1

v1.2.2

v1.3

v1.3.1

v1.3.2

v1.4.1

v1.4.2

v1.4.3

v1.4.4

v1.4.5

v1.4.6

v1.4.7

v1.4rc1

v1.4rc2

v1.4rc3

v1.4rc4

v1.4rc5

v1.4rc6

v1.5.0

v1.5.0rc1

v1.5.0rc2

v1.5.0rc3

v1.5.1

v1.6.0

v1.6.0rc1

v1.6.0rc2

v1.6.0rc3

v1.6.0rc4

v1.6.0rc5

v1.6.1

v2.*

v2.0.0

v2.0.0rc1

v2.0.0rc2

v2.0.0rc3

v2.0.0rc4

v2.1.0

v2.1.0rc1

v2.1.0rc2

v2.1.0rc3

v2.1.0rc4

v2.1.0rc5

v2.1.0rc6

v2.1.1

v2.1.2

v2.1.3

v2.2.0

v2.2.0rc1

v2.2.0rc2

v2.3.0

v2.3.0rc1

v2.3.0rc2

v2.3.0rc3

v2.3.1

v2.3.1rc1

v2.3.1rc2

v2.3.1rc3

v2.3.2

v2.3.2rc1

v2.3.2rc2

v2.3.2rc3

v2.3.2rc4

v2.3.2rc5

v2.4.0

v2.4.0rc1

v2.4.0rc2

v2.4.0rc3

v2.4.0rc4

v2.4.0rc5

v2.4.1

v2.4.1rc1

v2.4.1rc2

v2.4.1rc3

v2.4.1rc4

v2.4.2

v2.4.2rc1

v2.4.2rc2

v2.4.2rc3

v2.4.3

v2.4.3rc1

v2.4.3rc2

v2.4.3rc3

v2.5.0

v2.5.0rc1

v2.5.0rc2

v2.6.0

v2.6.0rc1

v2.6.0rc2

v2.6.0rc3

v2.6.0rc4

v2.6.1

v2.7.0

v2.7.0rc1

v2.7.0rc2

v2.7.0rc3

v2.7.1

v2.8.0

v2.8.0rc1

v2.8.0rc2

v2.8.0rc3

v2.8.1

v2.8.2

v2.9.0

v2.9.0rc1

v2.9.0rc2

v2.9.1

v2.9.2

v3.*

v3.0.0

v3.0.0rc1

v3.0.0rc2

v3.0.0rc3

v3.0.1

v3.1.0

v3.1.0rc1

v3.1.0rc2

v3.1.1

v3.1.2

v3.1.3

v3.1.4

v3.2.0

v3.2.0rc1

v3.2.0rc2

v3.3.0

v3.3.0rc1

v3.3.0rc2

v3.3.0rc3

v3.4.0

v3.4.0rc1

v3.4.0rc2

v3.4.1

v3.5.0

v3.5.0rc1

v3.5.0rc2

v3.5.0rc3

v3.5.1

v3.5.2

v3.5.3

v4.*

v4.0.0

v4.0.0rc1

v4.0.0rc2

v4.0.0rc3

v4.0.0rc4

v4.0.1

v4.0.2

v4.1.0

v4.1.0rc1

v4.1.0rc2

v4.1.0rc3

v4.2.0

v4.2.0-beta1

v4.2.0-beta2

v4.2.0-beta3

v4.2.0-rc1

v4.2.0-rc2

Git / github.com/tootsuite/mastodon