Impact
Mastodon's PrivateAddressCheck fails to treat certain IPv4-mapped IPv6 addresses as private when a Ruby interpreter older than 3.4 is used. An attacker who controls the DNS for a chosen domain can publish an AAAA record containing an IPv4-mapped IPv6 address that encodes a private IPv4 address. When Mastodon performs an outbound HTTP fetch to that domain, the address passes the check and Mastodon opens a real TCP connection to the underlying IPv4 address. This connectivity can reach loopback interfaces, RFC 1918 networks, or the host's cloud-metadata service. The flaw therefore permits server-side request forgery that can expose sensitive configuration data or provide a foothold for lateral movement within the trusted network.
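As an added illustration of the bypass described above (example code, not Mastodon's own PrivateAddressCheck), the following Ruby check unwraps IPv4-mapped IPv6 addresses with IPAddr#native before classifying them, with a naive predicate-only check alongside for comparison; the hostnames and resolver answers are constructed.

```ruby
require "ipaddr"

# Ranges an outbound fetcher must never connect to, listed explicitly so the
# check does not depend on which predicates the running IPAddr supports.
BLOCKED_RANGES = [
  "10.0.0.0/8", "172.16.0.0/12", "192.168.0.16/28".sub("16/28", "0/16"), # RFC 1918
  "127.0.0.0/8",                                   # loopback
  "169.254.0.0/16",                                # link-local, incl. cloud metadata
  "::1/128", "fc00::/7", "fe80::/10",              # IPv6 loopback, unique local, link-local
].map { |cidr| IPAddr.new(cidr) }.freeze

# Naive check built only on IPAddr's predicates. On Ruby < 3.4 both return
# false for ::ffff:127.0.0.1, which is how a mapped address slips through.
def naive_internal?(address)
  ip = IPAddr.new(address)
  ip.private? || ip.loopback?
end

# Hardened check: unwrap an IPv4-mapped IPv6 address to its IPv4 form first,
# so ::ffff:10.0.0.1 is judged by the same rule as 10.0.0.1.
def internal_address?(address)
  ip = IPAddr.new(address)
  ip = ip.native if ip.ipv6? && ip.ipv4_mapped?
  BLOCKED_RANGES.any? { |range| range.include?(ip) }
end

# Allow a fetch only if every address the hostname resolved to (A and AAAA)
# is external; checking the whole set defeats a public A record paired with
# a mapped AAAA record.
def safe_to_fetch?(resolved_addresses)
  return false if resolved_addresses.empty?
  resolved_addresses.none? { |a| internal_address?(a) }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed resolver answers, not real DNS data.
  {
    "public-only.example"     => ["203.0.113.5", "2001:db8::5"],
    "mapped-loopback.example" => ["203.0.113.5", "::ffff:127.0.0.1"],
    "mapped-metadata.example" => ["::ffff:169.254.169.254"],
  }.each do |host, addrs|
    puts "#{host}: #{safe_to_fetch?(addrs) ? 'allow' : 'block'}"
  end
end
```

The naive check's result for the mapped addresses depends on the Ruby version in use, which is exactly the behaviour the fix removes; the hardened check gives the same answer on every version.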
Affected Systems
The vulnerability affects Mastodon releases earlier than 4.5.10, 4.4.17, and 4.3.23 when the server runs on Ruby 3.3 or earlier. All newer Mastodon major releases and Ruby versions 3.4 and above contain the fix.
Risk and Exploitability
The CVSS base score is 8.6, indicating high severity. No EPSS score is available and the issue is not listed in CISA's KEV catalog, but the probability of exploitation remains significant for Internet-facing Mastodon installations that use the affected Ruby versions. Attackers need control over a domain's AAAA record and the ability to trigger an outbound HTTP request from the Mastodon server; once those conditions are met, internal resources can be accessed.
OpenCVE Enrichment