Impact
Mastodon lacked sufficient protection for Linked-Data signatures in activities, allowing a threat actor to delete JSON entries from a validly signed activity of a third‑party actor. The vulnerability is a signature integrity flaw (CWE‑354) that compromises data authenticity. An attacker could therefore inject or modify activity payloads that appear legitimate, potentially broadcasting false information or influencing follower actions.
Affected Systems
The issue affects Mastodon servers running any of the following pre‑patch versions: 4.5.x prior to 10, 4.4.x prior to 17, and 4.3.x prior to 23. All instances of the Mastodon application noted in the CNA product list (mastodon:mastodon) are susceptible if they have not applied the corresponding security update.
Risk and Exploitability
The CVSS score of 6.5 indicates a moderate severity. EPSS data is not available, and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector involves an adversary submitting a forged signed activity to an exposed Mastodon endpoint; the instance will process the activity as if it were from a legitimate actor, thereby enabling spoofed broadcasts. Exploitation requires the ability to send HTTP POST requests to the instance’s activity handling endpoint and knowledge of the target actor’s identity.
OpenCVE Enrichment