A significant security vulnerability has been identified in the decentralized social network Mastodon, tracked as CVE-2024-23832, with a CVSS score of 9.4. This flaw allows malicious actors to exploit insufficient origin validation, enabling them to remotely impersonate and seize control of any Mastodon account.
“Due to insufficient origin validation in all Mastodon, attackers can impersonate and take over any remote account,” reads the official advisory.
The affected versions are:
- Mastodon versions before 3.5.17
- 4.0.x versions before 4.0.13
- 4.1.x versions before 4.1.13
- 4.2.x versions before 4.2.5
The vulnerability was initially discovered by the diligent security researcher Arcanicanis.
Mastodon is set to disclose technical details about the flaw on or after February 15, 2024. This timeframe is intended to allow administrators to update their server instances.
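For administrators who run several instances, a quick way to tell whether a deployment still falls inside the affected ranges listed above is to compare its reported version against the first fixed release of each branch. The script below is an added example written for this article, not code from Mastodon or from the advisory; it encodes only the ranges quoted above (before 3.5.17, 4.0.x before 4.0.13, 4.1.x before 4.1.13, 4.2.x before 4.2.5), treats a pre-release such as `4.2.5-rc1` as older than the final `4.2.5`, and assumes the version string is taken from the instance's NodeInfo document (`software.version`), which is fetched elsewhere and passed in as an already-parsed dictionary. The sample NodeInfo document is constructed for the example.

```python
import re
from typing import Dict, Optional, Tuple

# A version is compared as (major, minor, patch, is_final); is_final is 0 for a
# pre-release ("-rc1", "-beta2", "-nightly...") so that it sorts before the final
# release with the same number. Build metadata ("+something") does not affect order.
Version = Tuple[int, int, int, int]

VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)([-+][0-9A-Za-z.]+)?$")

# First fixed release per branch, as listed in the advisory quoted above.
# Assumption of this example: anything that is not in these 4.x branches is judged
# against 3.5.17 alone, which matches the advisory's "before 3.5.17" wording.
FIRST_FIXED: Dict[Tuple[int, int], Version] = {
    (4, 0): (4, 0, 13, 1),
    (4, 1): (4, 1, 13, 1),
    (4, 2): (4, 2, 5, 1),
}
OLDEST_FIXED: Version = (3, 5, 17, 1)


def parse_version(text: str) -> Version:
    """Parse a Mastodon version string such as '4.2.5', 'v4.1.12' or '4.2.5-rc1'."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Mastodon version string: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    suffix = m.group(4) or ""
    is_final = 0 if suffix.startswith("-") else 1  # "-rc1" is a pre-release, "+meta" is not
    return major, minor, patch, is_final


def is_affected(text: str) -> bool:
    """True if the given version is inside the ranges listed for CVE-2024-23832."""
    v = parse_version(text)
    branch = (v[0], v[1])
    if branch in FIRST_FIXED:
        return v < FIRST_FIXED[branch]
    # Not one of the listed 4.x branches: everything older than 3.5.17 is affected;
    # later releases of other branches are not listed by the advisory.
    return v < OLDEST_FIXED


def check_nodeinfo(doc: dict) -> Optional[Tuple[str, bool]]:
    """Return (version, affected) for a parsed NodeInfo document, or None if the
    software is not Mastodon (the advisory does not apply to other servers)."""
    software = doc.get("software", {})
    if str(software.get("name", "")).lower() != "mastodon":
        return None
    version = str(software["version"])
    return version, is_affected(version)


# Constructed sample NodeInfo document (shape of /nodeinfo/2.0 as served by Mastodon).
SAMPLE_NODEINFO = {
    "version": "2.0",
    "software": {"name": "mastodon", "version": "4.2.4"},
    "protocols": ["activitypub"],
}

if __name__ == "__main__":
    for candidate in ("3.5.16", "3.5.17", "4.1.12", "4.2.5-rc1", "4.2.5"):
        print(f"{candidate:>10}: {'AFFECTED' if is_affected(candidate) else 'fixed'}")
    print("sample instance:", check_nodeinfo(SAMPLE_NODEINFO))
```

Feed `check_nodeinfo` the JSON from each instance's NodeInfo endpoint and act on any `True`; the helper deliberately refuses unknown version formats rather than guessing, so a parse error is itself a signal to look at that instance by hand.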
Project maintainers express concern that threat actors may exploit this vulnerability on a large scale in the wild. The advisory emphasizes, “This advisory will be edited with more details on 2024/02/15 when admins have been given some time to update, as we think any amount of detail would make it very easy to come up with an exploit.”
Previous Vulnerability Addressed in July 2023 (CVE-2023-36460)
In July 2023, Mastodon successfully addressed another critical flaw, tracked as CVE-2023-36460. This vulnerability was related to the media attachments feature, allowing attackers to create and overwrite files in any accessible location within an instance. The potential consequences included Denial of Service (DoS) and arbitrary remote code execution.