Description
Mastodon is a free, open-source social network server based on ActivityPub. Prior to 4.5.10, 4.4.17, and 4.3.23, Mastodon's normalization of incoming activities signed with Linked-Data Signatures does not sufficiently protect the activities from a certain class of spoofing, allowing threat actors to remove JSON entries from valid signed activities from a third-party actor. This vulnerability is fixed in 4.5.10, 4.4.17, and 4.3.23.
Severity (CVSS)
| Base score | 6.5 |
|---|---|
| Severity | Medium |
| Version | CVSS 3.1 |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L |
| Provided by | CNA |
Weaknesses
- CWE-354 — CWE-354: Improper Validation of Integrity Check Value
Affected products
| Vendor | Product | Versions |
|---|---|---|
| mastodon | mastodon | >= 4.5.0-beta.1, < 4.5.10; >= 4.4.0-beta.1, < 4.4.17; < 4.3.23 |
References
- https://github.com/mastodon/mastodon/security/advisories/GHSA-53m7-2wrh-q839 (x_refsource_CONFIRM)
Generated from the official CVE List on 25 Jun 2026 10:14 UTC.