CVE-2023-42450

MEDIUM

Mastodon 4.2.0-beta1 to 4.2.0-rc1 - HTTP Request Injection

Title source: manual

Description

Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 4.2.0-beta1 and prior to version 4.2.0-rc2, by crafting specific input, attackers can inject arbitrary data into HTTP requests issued by Mastodon. This can be used to perform confused deputy attacks if the server configuration includes `ALLOWED_PRIVATE_ADDRESSES` to allow access to local exploitable services. Version 4.2.0-rc2 has a patch for the issue.

References (2)

Core 2

Core References

Vendor Advisory x_refsource_confirm

https://github.com/mastodon/mastodon/security/advisories/GHSA-hcqf-fw2r-52g4

Patch x_refsource_misc

https://github.com/mastodon/mastodon/commit/94893cf24fc95b32cc7a756262acbe008c20a9d2

View Patch ZIP pw:eip

Scores

CVSS v3 5.4

EPSS 0.0039

EPSS Percentile 30.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-113 CWE-918

Status published

Products (1)

joinmastodon/mastodon 4.2.0 beta1 (4 CPE variants)

Published Sep 19, 2023

Tracked Since Feb 18, 2026