CVE-2023-42450

MEDIUM

Mastodon - SSRF

Title source: rule

Description

Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 4.2.0-beta1 and prior to version 4.2.0-rc2, by crafting specific input, attackers can inject arbitrary data into HTTP requests issued by Mastodon. This can be used to perform confused deputy attacks if the server configuration includes `ALLOWED_PRIVATE_ADDRESSES` to allow access to local exploitable services. Version 4.2.0-rc2 has a patch for the issue.

References (2)

[Vendor Advisory] https://github.com/mastodon/mastodon/security/advisories/GHSA-hcqf-fw2r-52g4

[Patch] https://github.com/mastodon/mastodon/commit/94893cf24fc95b32cc7a756262acbe008c20a9d2

View Patch ZIP pw:eip

Scores

CVSS v3 5.4

EPSS 0.0038

EPSS Percentile 59.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-113 CWE-918

Status published

Products (1)

joinmastodon/mastodon 4.2.0 beta1 (4 CPE variants)

Published Sep 19, 2023

Tracked Since Feb 18, 2026