Is CVE-2024-25623 being actively exploited?

It is not currently in CISA's KEV catalog. Its EPSS exploitation probability is 1%.

What products does CVE-2024-25623 affect?

Tracked products affected include Mastodon. Check the version you run to see whether it is affected.

How do I fix CVE-2024-25623?

Apply the vendor fix promptly. An official patch or advisory is available. Upgrade affected products to a fixed version.

← All products

CVE-2024-25623

Q: What is CVE-2024-25623?

CVE-2024-25623 is a high-severity software vulnerability (Unrestricted file upload) with a CVSS score of 8.5. Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.2.7, 4.1.15, 4.0.15, and 3.5.19, when fetching remote statuses, Mastodon doesn't check that the response from the remote server has a `Content-T

HIGH severity · CVSS 8.5 · Unrestricted file upload

8.5CVSS HIGH

Summary

Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.2.7, 4.1.15, 4.0.15, and 3.5.19, when fetching remote statuses, Mastodon doesn't check that the response from the remote server has a `Content-Type` header value of the Activity Streams media type, which allows a threat actor to upload a crafted Activity Streams document to a remote server and make a Mastodon server fetch it, if the remote server accepts arbitrary user uploads. The vulnerability allows a threat actor to impersonate an account on a remote server that satisfies all of the following properties: allows the attacker to register an account; accepts arbitrary user-uploaded documents and places them on the same domain as the ActivityPub actors; and serves user-uploaded document in response to requests with an `Accept` header value of the Activity Streams media type. Versions 4.2.7, 4.1.15, 4.0.15, and 3.5.19 contain a fix for this issue.

Impact & exploitability

Attack vectorNetwork

Attack complexityLow

Privileges requiredLow

User interactionNone

Confidentiality impactLow

Integrity impactHigh

Availability impactNone

Exploit probability (EPSS)1%

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N

Affected products we track (1)

Mastodon

Recommendation

Apply the vendor fix promptly. Open any affected product above for its exact safe version.

Official patch: https://github.com/mastodon/mastodon/commit/9fee5e852669e26f970e278021302e1a203fc022 ↗

CVE-2024-25623

Summary

Impact & exploitability

Affected products we track (1)

Recommendation

Additional information