Description
Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 2.6.0 and prior to versions 3.5.9, 4.0.5, and 4.1.3, an attacker can craft a verified profile link using specific formatting that conceals arbitrary parts of the link, so that it appears to point to a different URL altogether. The link is only visually misleading: clicking on it reveals the actual destination. It can nonetheless be used for phishing, in the same way as IDN homograph attacks. Versions 3.5.9, 4.0.5, and 4.1.3 contain a patch for this issue.
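The advisory describes a link whose visible text claims one destination while the href points to another. The following Ruby snippet is an added example, not Mastodon's code or the fix referenced above: it is a generic defensive check that compares the host named in a link's display text with the host of its href and flags a mismatch, which is the display-versus-destination discrepancy this class of deception relies on. The helper names and the sample links are constructed for illustration.

```ruby
require 'uri'

# Return the host named in a piece of text if the text looks like a URL or a
# bare domain (e.g. "https://example.org/x" or "example.org"), else nil.
# Bare domains get a scheme prepended so URI.parse can extract the host.
def host_named_in(text)
  candidate = text.strip
  candidate = "https://#{candidate}" unless candidate.match?(%r{\A[a-z][a-z0-9+.-]*://}i)
  host = URI.parse(candidate).host
  return nil if host.nil? || !host.include?('.')
  host.downcase.sub(/\Awww\./, '')
rescue URI::InvalidURIError
  nil
end

# Compare the host the href really points to with the host the display text
# claims. Plain-word display text ("My homepage") makes no host claim and is
# not flagged; only text that reads as a URL/domain is compared.
def check_link(href, display_text)
  actual  = host_named_in(href)
  claimed = host_named_in(display_text)
  return { verdict: :no_host_in_text, actual: actual, claimed: nil } if claimed.nil?
  verdict = actual == claimed ? :consistent : :mismatch
  { verdict: verdict, actual: actual, claimed: claimed }
end

# Constructed sample [href, display_text] pairs (hypothetical, not from the advisory).
SAMPLE_LINKS = [
  ['https://example.org/@alice',   'example.org/@alice'],          # honest
  ['https://evil.example/login',   'https://bank.example/account'], # deceptive
  ['https://example.org/about',    'My homepage'],                  # no host claim
].freeze

# Run the check over a list of links; returns [href, text, verdict] triples.
def audit(links = SAMPLE_LINKS)
  links.map { |href, text| [href, text, check_link(href, text)[:verdict]] }
end

if __FILE__ == $PROGRAM_NAME
  audit.each do |href, text, verdict|
    puts "#{verdict.to_s.ljust(16)} text=#{text.inspect} href=#{href}"
  end
end
```

A check like this belongs on the rendering side (where display text and href are both known), or in a moderation tool that audits profile metadata; it does not replace the vendor patch, which addresses how the link text itself is formatted.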
References (5)
Core References
Vendor Advisory (x_refsource_confirm): https://github.com/mastodon/mastodon/security/advisories/GHSA-55j9-c3mp-6fcq
Patch (x_refsource_misc): https://github.com/mastodon/mastodon/commit/610731b03dfcadd887078cb0399f4e514aa1931c
Release Notes (x_refsource_misc): https://github.com/mastodon/mastodon/releases/tag/v3.5.9
Release Notes (x_refsource_misc): https://github.com/mastodon/mastodon/releases/tag/v4.0.5
Release Notes (x_refsource_misc): https://github.com/mastodon/mastodon/releases/tag/v4.1.3
Scores
CVSS v3: 5.4
EPSS: 0.0156
EPSS Percentile: 81.6%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-20
Status: published
Products (1)
joinmastodon/mastodon: 2.6.0 - 3.5.9
Published: Jul 06, 2023
Tracked Since: Feb 18, 2026