What is the severity of CVE-2024-25623?

CVE-2024-25623 is classified as a medium severity vulnerability.

How do I fix CVE-2024-25623?

To fix CVE-2024-25623, upgrade your Mastodon installation to version 4.2.7 or later, or 4.1.15 or later, 4.0.15 or later, or 3.5.19 or later.

Which versions of Mastodon are affected by CVE-2024-25623?

CVE-2024-25623 affects Mastodon versions prior to 3.5.19, 4.0.15, 4.1.15, and 4.2.7.

What type of issue does CVE-2024-25623 represent?

CVE-2024-25623 represents a vulnerability related to improper validation of the Content-Type header when fetching remote statuses.

Is my server vulnerable if I am running an updated version of Mastodon?

If you are running Mastodon version 4.2.7 or higher, 4.1.15 or higher, 4.0.15 or higher, or 3.5.19 or higher, your server is not vulnerable to CVE-2024-25623.

Vulnerability/
CVE-2024-25623

high

8.5

CWE

434

EPSS

0.043%

19/2/2024

18/12/2024

CVE-2024-25623: Lack of media type verification of Activity Streams objects allows impersonation of remote accounts

First published: Mon Feb 19 2024(Updated: )

Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.2.7, 4.1.15, 4.0.15, and 3.5.19, when fetching remote statuses, Mastodon doesn't check that the response from the remote server has a `Content-Type` header value of the Activity Streams media type, which allows a threat actor to upload a crafted Activity Streams document to a remote server and make a Mastodon server fetch it, if the remote server accepts arbitrary user uploads. The vulnerability allows a threat actor to impersonate an account on a remote server that satisfies all of the following properties: allows the attacker to register an account; accepts arbitrary user-uploaded documents and places them on the same domain as the ActivityPub actors; and serves user-uploaded document in response to requests with an `Accept` header value of the Activity Streams media type. Versions 4.2.7, 4.1.15, 4.0.15, and 3.5.19 contain a fix for this issue.

Credit: security-advisories@github.com

Affected Software	Affected Version	How to fix
Mastodon	<3.5.19
Mastodon	>=4.0.0<4.0.15
Mastodon	>=4.1.0<4.1.15
Mastodon	>=4.2.0<4.2.7

Remedy

https://github.com/mastodon/mastodon/commit/9fee5e852669e26f970e278021302e1a203fc022

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2024-25623?
CVE-2024-25623 is classified as a medium severity vulnerability.
How do I fix CVE-2024-25623?
To fix CVE-2024-25623, upgrade your Mastodon installation to version 4.2.7 or later, or 4.1.15 or later, 4.0.15 or later, or 3.5.19 or later.
Which versions of Mastodon are affected by CVE-2024-25623?
CVE-2024-25623 affects Mastodon versions prior to 3.5.19, 4.0.15, 4.1.15, and 4.2.7.
What type of issue does CVE-2024-25623 represent?
CVE-2024-25623 represents a vulnerability related to improper validation of the Content-Type header when fetching remote statuses.
Is my server vulnerable if I am running an updated version of Mastodon?
If you are running Mastodon version 4.2.7 or higher, 4.1.15 or higher, 4.0.15 or higher, or 3.5.19 or higher, your server is not vulnerable to CVE-2024-25623.

agent/weakness
agent/title
agent/references
agent/type
agent/description
agent/first-publish-date
agent/author
agent/event
collector/epss-latest
source/FIRST
agent/epss
collector/mitre-cve
source/MITRE
agent/remedy
agent/severity
agent/last-modified-date
agent/softwarecombine
agent/source
agent/tags
collector/nvd-api
source/NVD
agent/software-canonical-lookup
agent/software-canonical-lookup-request
vendor/joinmastodon
canonical/mastodon
version/mastodon/4.0.0
version/mastodon/4.1.0
version/mastodon/4.2.0