Impact
A missing exception handler in Mastodon's math sanitizer causes every attempt to process a malformed <math> node to raise an unhandled NoMethodError, which prevents the affected request from completing. The failure is persistent and can be triggered by anonymous users, resulting in denial of service to the server as a whole or to the specific user-facing service that processed the malformed node. This flaw is an instance of the CWE-248 "Improper Handling of Exception" weakness; its impact is a usability and availability compromise, with no effect on confidentiality or integrity.
Affected Systems
The vulnerability affects Mastodon installations running any release earlier than 4.5.11, 4.4.18, or 4.3.24 in their respective series. It is relevant to all users and administrators who host Mastodon instances on these versions, irrespective of the number of concurrent users or the domain name used.
Risk and Exploitability
The CVSS base score of 7.5 indicates a moderate to high severity. The EPSS score is not available, and the issue is not listed in the CISA KEV catalog, indicating that no widespread exploitation has been confirmed yet. The attack likely requires only that someone be able to submit posts, comments, or other content containing malformed <math> nodes, which an anonymous user can do. The exploit path thus involves sending crafted content that passes through the math sanitizer, triggering the NoMethodError and causing the denial of service. The effect can be server-wide if the failure occurs during core rendering processes, or limited to specific user services otherwise.
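A simplified Ruby sketch of the failure mode described in the Impact and Risk sections, added here as an illustration; it is not Mastodon's sanitizer, and the node shape, function names and drop-the-node fallback are assumptions:

```ruby
# Added illustration (not Mastodon's code): a toy math-node sanitizer showing
# the CWE-248 failure mode and a hardened variant that keeps the request alive.
# Node shape, method names and the fallback behaviour are assumptions.

# A node is a Hash: { name: "math", children: [...] } or { text: "..." }.
# A malformed <math> node here is one whose :children is missing or nil.
ALLOWED = %w[math mi mo mn mrow].freeze

# Vulnerable: assumes every element node carries a children array. A malformed
# <math> node (children: nil) makes `.map` raise NoMethodError, which escapes
# the sanitizer and aborts the whole request.
def sanitize_unsafe(node)
  return node[:text].to_s if node.key?(:text)
  return "" unless ALLOWED.include?(node[:name])
  inner = node[:children].map { |c| sanitize_unsafe(c) }.join
  "<#{node[:name]}>#{inner}</#{node[:name]}>"
end

# Hardened: treat a malformed node as untrusted input, drop it and record the
# event, so one bad node cannot take down rendering for everyone.
def sanitize_safe(node, log = [])
  return node[:text].to_s if node.key?(:text)
  return "" unless ALLOWED.include?(node[:name])
  children = node[:children]
  unless children.is_a?(Array)
    log << "dropped malformed <#{node[:name]}> node"
    return ""
  end
  inner = children.map { |c| sanitize_safe(c, log) }.join
  "<#{node[:name]}>#{inner}</#{node[:name]}>"
rescue NoMethodError, TypeError => e
  # Last line of defence: anything else unexpected is logged, not propagated.
  log << "sanitizer error: #{e.class}"
  ""
end

# Simulates one rendering request: [:ok, html] or [:error, exception_name].
def render_post(sanitizer, nodes)
  html = nodes.map { |n| send(sanitizer, n) }.join
  [:ok, html]
rescue NoMethodError => e
  [:error, e.class.name]
end

# Constructed sample input: one well-formed and one malformed <math> node.
GOOD = { name: "math", children: [{ name: "mi", children: [{ text: "x" }] }] }.freeze
BAD  = { name: "math", children: nil }.freeze
```

With the unsafe sanitizer, a single malformed node fails the whole request; the hardened version renders the good node and drops the bad one.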
OpenCVE Enrichment