Input validation error in Mastodon - CVE-2024-25623


Published: February 17, 2024 / Updated: April 23, 2026


Vulnerability identifier: #VU126972
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2024-25623
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Mastodon
Software vendor: Mastodon

Description

The vulnerability allows a remote user to impersonate remote accounts.

The vulnerability exists due to improper input validation in FetchRemoteStatusService when fetching remote statuses. A remote user can upload a crafted Activity Streams document to a remote server and make a Mastodon server fetch it to impersonate remote accounts.

Exploitation requires a remote server that allows account registration, accepts arbitrary user-uploaded documents on the same domain as ActivityPub actors, and serves those documents in response to requests for Activity Streams media types.
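The attack path described above depends on the fetching server trusting whatever a remote host returns for a status URL, regardless of how that host labels the response. A defensive check a fetcher can apply is to accept a fetched document only when the response carries one of the two Activity Streams media types defined by the ActivityPub specification (`application/activity+json`, or `application/ld+json` with the `https://www.w3.org/ns/activitystreams` profile), rejecting anything served as generic JSON or as an uploaded file. The following is an added example written for this page; it is not Mastodon's own code or its actual fix. The function names and the sample responses are constructed for illustration.

```ruby
require 'json'

# Media types an ActivityPub server must use for Activity Streams documents
# (values from the ActivityPub specification, section 3.2).
ACTIVITY_JSON_TYPE = 'application/activity+json'
LD_JSON_TYPE = 'application/ld+json'
ACTIVITYSTREAMS_PROFILE = 'https://www.w3.org/ns/activitystreams'

# Split a Content-Type header into [type/subtype, {param => value}].
# Type and parameter names are case-insensitive; quoted parameter values
# such as profile="https://..." have their quotes removed. A quoted value
# containing ';' is not handled, which is acceptable for the profile URIs
# this check cares about.
def parse_content_type(header)
  media_type, *params = header.to_s.split(';').map(&:strip)
  attrs = params.each_with_object({}) do |param, acc|
    name, _, value = param.partition('=')
    next if value.empty?
    acc[name.strip.downcase] = value.strip.delete_prefix('"').delete_suffix('"')
  end
  [media_type.to_s.downcase, attrs]
end

# True only when the response advertises an Activity Streams document:
# application/activity+json, or application/ld+json whose (possibly
# space-separated) profile list includes the Activity Streams URI.
def activity_streams_media_type?(header)
  media_type, attrs = parse_content_type(header)
  case media_type
  when ACTIVITY_JSON_TYPE
    true
  when LD_JSON_TYPE
    attrs.fetch('profile', '').split(' ').include?(ACTIVITYSTREAMS_PROFILE)
  else
    false
  end
end

# Accept a fetched document only when the status is 200, the Content-Type
# is an Activity Streams type, and the body parses as a JSON object.
# Returns the parsed document, or nil when the response must be discarded.
def accept_fetched_document(status, content_type, body)
  return nil unless status == 200
  return nil unless activity_streams_media_type?(content_type)
  doc = JSON.parse(body)
  doc.is_a?(Hash) ? doc : nil
rescue JSON::ParserError
  nil
end

# Constructed sample responses (not captured traffic): [status, Content-Type, body].
SAMPLE_RESPONSES = {
  genuine:       [200, 'application/activity+json; charset=utf-8',
                  '{"type":"Note","id":"https://example.org/users/alice/statuses/1"}'],
  ld_json:       [200, 'application/ld+json; profile="https://www.w3.org/ns/activitystreams"',
                  '{"type":"Note","id":"https://example.org/users/alice/statuses/2"}'],
  uploaded_file: [200, 'application/json',
                  '{"type":"Note","attributedTo":"https://example.org/users/alice"}'],
  plain_ld_json: [200, 'application/ld+json', '{"type":"Note"}'],
  not_found:     [404, 'application/activity+json', '{"type":"Note"}'],
  broken_json:   [200, 'application/activity+json', '{"type":'],
}.freeze

# Map each sample to whether the fetcher would accept it.
def classify_samples
  SAMPLE_RESPONSES.transform_values do |(status, content_type, body)|
    !accept_fetched_document(status, content_type, body).nil?
  end
end

if __FILE__ == $PROGRAM_NAME
  classify_samples.each { |name, accepted| puts "#{name}: #{accepted ? 'accepted' : 'rejected'}" }
end
```

Only the two responses labelled with an Activity Streams media type are accepted; a document served as plain `application/json`, as `application/ld+json` without the Activity Streams profile, with a non-200 status, or with an unparsable body is discarded before any of its fields are trusted.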


Remediation

Install the security update from the vendor's website.

External links