A critical vulnerability in the decentralized social networking platform Mastodon could be exploited to take over servers.
The issue was disclosed last week, when Mastodon announced patches for five vulnerabilities in the open source software, including two rated ‘critical’.
The most important of these is CVE-2023-36460 (CVSS score of 9.9), an arbitrary file creation issue that could lead to complete server compromise.
“Using carefully crafted media files, attackers can cause Mastodon’s media processing code to create arbitrary files at any location. This allows attackers to create and overwrite any file Mastodon has access to, allowing denial-of-service and arbitrary remote code execution,” Mastodon notes in an advisory.
According to security researcher Kevin Beaumont, the vulnerability allows attackers to send a toot (a short-form status message) to achieve a webshell on the Mastodon instance that processes it.
Beaumont has dubbed the vulnerability TootRoot, as its exploitation could provide attackers with root access to Mastodon servers.
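The advisory describes the outcome (files created or overwritten anywhere the Mastodon process can write) rather than the root cause. The following is an added example, not Mastodon's code or its fix, showing the invariants a media pipeline can enforce so that a crafted upload cannot steer the destination path: sniff the type from magic bytes, build the output name from server-controlled data only, verify the resolved path stays under the media root, and open with O_EXCL so nothing existing is clobbered. The MIME signature table, the media root, and the attacker-supplied filename are all constructed for the illustration.

```ruby
require 'securerandom'
require 'fileutils'
require 'tmpdir'

# Added example (not Mastodon's code or its fix): make "write an arbitrary
# file anywhere" impossible by construction, whatever the upload claims to be.
#
# Rules enforced below:
#   1. The content type is sniffed from magic bytes; the claimed name is never trusted.
#   2. The output path is a random name plus a server-chosen extension, so no
#      attacker-controlled string ever reaches the filesystem layer.
#   3. The resolved path is checked to still lie under the media root.
#   4. The file is created with O_EXCL, so an existing file is never overwritten.

# Constructed signature table; a real deployment would use a proper sniffer.
MAGIC = {
  "\x89PNG\r\n\x1A\n".b => 'image/png',
  "\xFF\xD8\xFF".b      => 'image/jpeg',
  'GIF87a'.b            => 'image/gif',
  'GIF89a'.b            => 'image/gif',
}.freeze

EXTENSION_FOR = {
  'image/png'  => 'png',
  'image/jpeg' => 'jpg',
  'image/gif'  => 'gif',
}.freeze

# Returns the sniffed MIME type, or nil when no allowed signature matches.
def sniff_type(bytes)
  head = bytes.b[0, 8]
  MAGIC.each { |sig, type| return type if head.start_with?(sig) }
  nil
end

# True only if `path`, after resolving symlinks and "..", is inside `root`.
# The parent directory must already exist; anything else is rejected.
def confined?(root, path)
  real_root = File.realpath(root)
  parent    = File.realpath(File.dirname(File.expand_path(path)))
  candidate = File.join(parent, File.basename(path))
  candidate.start_with?(real_root + File::SEPARATOR)
rescue Errno::ENOENT, Errno::EACCES, Errno::ENOTDIR
  false
end

# Builds the destination path from server-controlled data only.
def output_path(root, content_type)
  ext = EXTENSION_FOR.fetch(content_type) { raise ArgumentError, "unsupported type #{content_type}" }
  File.join(root, "#{SecureRandom.hex(16)}.#{ext}")
end

# Stores an upload and returns the path written. `claimed_name` is accepted
# only so the caller can log it; it never influences where data is written.
def store_upload(root, bytes, claimed_name)
  type = sniff_type(bytes)
  raise ArgumentError, "rejected upload #{claimed_name.inspect}: unknown signature" if type.nil?

  path = output_path(root, type)
  raise SecurityError, "refusing to write outside media root: #{path}" unless confined?(root, path)

  # O_EXCL: fail instead of clobbering an existing file (config, cron job, key ...).
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o600) { |f| f.write(bytes) }
  path
end

# The unsafe pattern the checks above exist to prevent: deriving the
# destination from an attacker-supplied name. Returns the path it *would* use.
def naive_output_path(root, claimed_name)
  File.join(root, claimed_name)
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |root|
    png       = "\x89PNG\r\n\x1A\n".b + 'constructed, not a real image'.b
    evil_name = '../../etc/cron.d/backdoor' # constructed attacker input
    puts "naive path confined?  #{confined?(root, naive_output_path(root, evil_name))}"
    written = store_upload(root, png, evil_name)
    puts "stored under root?    #{confined?(root, written)} (#{written})"
  end
end
```

The confinement check deliberately resolves the parent directory with `realpath` rather than string-matching the input, so a symlink planted under the media root cannot redirect the write either; the O_EXCL open is what turns "overwrite any file Mastodon has access to" into a failed call.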
The second critical-severity flaw, tracked as CVE-2023-36459, is described as a cross-site scripting (XSS) issue that allows attackers to bypass HTML sanitization via carefully crafted oEmbed data.
“This introduces a vector for cross-site-scripting (XSS) payloads that can be rendered in the user’s browser when a preview card for a malicious link is clicked through,” Mastodon explains.
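Sanitizing provider-supplied HTML with an allowlist is the usual defense, and a bypass of that allowlist is exactly what the advisory describes. The following is an added example, not Mastodon's code or its fix, of a second layer a practitioner would want under the sanitizer: build the preview card so that the oEmbed `html` never lands in the page's own origin at all, but is rendered inside a sandboxed iframe via `srcdoc`, while `photo` cards only accept absolute http(s) URLs and numeric dimensions. The oEmbed responses below are constructed for the illustration.

```ruby
require 'json'
require 'cgi'
require 'uri'

# Added example (not Mastodon's code or its fix): building a preview card
# from an oEmbed response without ever placing provider-supplied HTML in the
# page's own origin.
#
# Design:
#   * Only the oEmbed types the card needs are accepted; anything else is dropped.
#   * URLs must be absolute http(s); javascript:, data: and the like are rejected.
#   * For video/rich embeds the provider's `html` is not inlined after
#     sanitization; it is rendered inside a sandboxed iframe via srcdoc, so
#     even a sanitizer bypass in that HTML executes in an opaque origin with
#     no access to the user's cookies, storage or parent DOM.

MAX_DIMENSION = 4096

# Returns the URL as a string if it is absolute http(s) with a host, else nil.
def safe_http_url(value)
  uri = URI.parse(value.to_s)
  return nil unless %w[http https].include?(uri.scheme) && uri.host && !uri.host.empty?
  uri.to_s
rescue URI::InvalidURIError
  nil
end

# Accepts only a plain decimal integer; clamps it to a sane range.
def clamp_dimension(value, default)
  n = value.to_s.match?(/\A\d{1,5}\z/) ? value.to_s.to_i : default
  n.clamp(1, MAX_DIMENSION)
end

# Returns the card markup, or nil when the response cannot be rendered safely.
def preview_card_html(oembed)
  case oembed['type']
  when 'photo'
    src = safe_http_url(oembed['url'])
    return nil if src.nil?
    w = clamp_dimension(oembed['width'], 400)
    h = clamp_dimension(oembed['height'], 300)
    %(<img src="#{CGI.escapeHTML(src)}" width="#{w}" height="#{h}" alt="">)
  when 'video', 'rich'
    html = oembed['html'].to_s
    return nil if html.empty?
    w = clamp_dimension(oembed['width'], 560)
    h = clamp_dimension(oembed['height'], 315)
    # sandbox without allow-same-origin: scripts run in an opaque origin;
    # no cookies, no parent DOM, no top-level navigation, no form posts.
    %(<iframe sandbox="allow-scripts" referrerpolicy="no-referrer" ) +
      %(width="#{w}" height="#{h}" srcdoc="#{CGI.escapeHTML(html)}"></iframe>)
  else
    nil
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed response from a hypothetical malicious oEmbed provider.
  malicious = JSON.parse(<<~JSON)
    {"type": "video", "version": "1.0", "width": "560", "height": "315",
     "html": "<iframe src=\\"https://video.example/embed/1\\"></iframe><img src=x onerror=\\"alert(document.cookie)\\">"}
  JSON
  puts preview_card_html(malicious)
  puts preview_card_html('type' => 'photo', 'url' => 'javascript:alert(1)').inspect
end
```

The sandbox is defense in depth, not a replacement for the allowlist sanitizer: a script inside the opaque-origin frame can still draw a convincing fake login form or trigger downloads, so keep sanitizing, keep the `sandbox` attribute free of `allow-same-origin`, and do not relax it for specific providers without a reason.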
Of the remaining three bugs addressed in Mastodon last week, two are high-severity vulnerabilities, one leading to denial-of-service (DoS) and the other to information leaks, while the third is a medium-severity flaw allowing attackers to create visually misleading links for phishing.
All five vulnerabilities were resolved with the release of Mastodon versions 4.1.3, 4.0.5, and 3.5.9. All administrators are advised to update their Mastodon instances as soon as possible.
“I’ve done some surveying and a significant percentage of instances haven’t patched, and this one is very likely to see in-the-wild exploitation. Widespread exploitation across many instances is as simple as sending a single toot,” Beaumont warns.
Introduced in 2016 and offering Twitter-like microblogging features, the open source software supports self-hosted social networking services running on independently run nodes, known as Mastodon instances.
Users can choose which Mastodon instance they want to be members of but, since the nodes operate as a federated social network, users can interact with members of other instances as well. Tracking data shows there are over 12,000 Mastodon instances, hosting roughly eight million users.
The platform has gained significant traction since 2022, after Elon Musk's acquisition of Twitter prompted many users to look for alternatives.