Impact
Mastodon versions before 4.5.8 on the 4.5.x branch and before 4.4.15 on the 4.4.x branch contain a flaw that lets an attacker who knows of a pending quote cause the server to reject or otherwise mishandle that quote. The quote then cannot be posted, interrupting service for the affected user or for the public timeline. The weakness is classified as CWE-863 (Incorrect Authorization); its observed effect is a denial of service against quote processing.
Affected Systems
Mastodon servers running the 4.5.x branch at a version older than 4.5.8, or the 4.4.x branch at a version older than 4.4.15, are vulnerable. Earlier branches (4.3 and before) do not include quote functionality and are therefore not affected. Operators of an instance on an affected version should treat quote processing as exposed to service interruption until they upgrade to 4.5.8 or 4.4.15 (or later on the same branch).
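An operator's first question is simply whether a given instance sits inside the affected ranges above. The following is an added example, not code from the Mastodon project or from this advisory: it reads the `version` field that Mastodon's public `/api/v1/instance` endpoint returns and maps it onto the two affected branches. The sample JSON body is constructed for the example; the treatment of pre-release tags (a `-rc` build of the fix version is reported as affected, conservatively) and the `+glitch`-style build suffix handling are this example's own assumptions, since the advisory says nothing about forks or pre-releases.

```python
"""Check a Mastodon version string against the quote-handling fix
(4.5.8 on the 4.5.x branch, 4.4.15 on the 4.4.x branch).

Added example; not Mastodon project code.
"""
import json
import re
import urllib.request
from typing import Tuple

# Affected ranges as stated in the advisory: 4.5.x < 4.5.8 and 4.4.x < 4.4.15.
FIXED_PATCH_BY_BRANCH = {(4, 5): 8, (4, 4): 15}

# Mastodon reports versions such as "4.5.7", "4.4.14+glitch" or "4.5.8-rc1".
# Only the leading numeric triple and an optional "-" pre-release tag matter here;
# "+..." build metadata is ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?")

# Constructed sample of an /api/v1/instance response (trimmed to the relevant field).
SAMPLE_INSTANCE_JSON = '{"uri": "example.invalid", "title": "Example", "version": "4.5.7"}'


def parse_version(version: str) -> Tuple[int, int, int, bool]:
    """Return (major, minor, patch, is_prerelease) for a Mastodon version string."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Mastodon version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups()[:3])
    return major, minor, patch, m.group(4) is not None


def is_affected(version: str) -> bool:
    """True if the version falls in an affected range named by the advisory."""
    major, minor, patch, prerelease = parse_version(version)
    fixed = FIXED_PATCH_BY_BRANCH.get((major, minor))
    if fixed is None:
        # Branches before 4.4 have no quote feature; later branches ship the fix.
        return False
    if patch < fixed:
        return True
    # Assumption (conservative): a pre-release of the fix version itself
    # (e.g. 4.5.8-rc1) is not guaranteed to contain the fix, so flag it.
    return patch == fixed and prerelease


def version_from_instance_json(body: str) -> str:
    """Extract the `version` field from an /api/v1/instance JSON body."""
    return json.loads(body)["version"]


def fetch_instance_version(base_url: str, timeout: float = 10.0) -> str:
    """Fetch the live version string from a running instance (network call)."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/v1/instance",
        headers={"User-Agent": "mastodon-quote-fix-check/1.0"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return version_from_instance_json(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Offline demonstration on the constructed sample body.
    v = version_from_instance_json(SAMPLE_INSTANCE_JSON)
    print(f"reported version {v}: {'AFFECTED' if is_affected(v) else 'not affected'}")
    # For a live instance: print(is_affected(fetch_instance_version("https://mastodon.example")))
```

The check deliberately does not compare version strings lexically: "4.4.9" sorts after "4.4.15" as text but is still on the affected side, which is why the branch tuple and integer patch number are compared separately.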
Risk and Exploitability
The vulnerability carries a CVSS score of 4.8, which falls in the medium severity band. Its EPSS score is below 1%, indicating a low estimated probability of exploitation in the wild, and it is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. Inferring from the description alone, the likely attack path is that an attacker who knows of a quote before the server has finished processing it crafts a request that causes the server to reject it; the advisory gives no further detail on the mechanism. Because the flaw is confined to quote processing rather than broader server functions, the impact is limited to that feature.
OpenCVE Enrichment