
Critical Vulnerability Can Allow Takeover of Mastodon Servers

A critical vulnerability in the Mastodon social networking platform may allow attackers to take over target servers.

A critical vulnerability in the decentralized social networking platform Mastodon could be exploited to take over servers.

The issue was disclosed last week, when Mastodon announced patches for five vulnerabilities in the open source software, including two rated ‘critical’.

The most important of these is CVE-2023-36460 (CVSS score of 9.9), an arbitrary file creation issue that could lead to complete server compromise.

“Using carefully crafted media files, attackers can cause Mastodon’s media processing code to create arbitrary files at any location. This allows attackers to create and overwrite any file Mastodon has access to, allowing denial-of-service and arbitrary remote code execution,” Mastodon notes in an advisory.

According to security researcher Kevin Beaumont, the vulnerability allows attackers to obtain a webshell on a Mastodon instance simply by sending it a toot (Mastodon's short-form status message) that the instance then processes.

Beaumont has dubbed the vulnerability TootRoot, as its exploitation could provide attackers with root access to Mastodon servers.

The second critical-severity flaw, tracked as CVE-2023-36459, is described as a cross-site scripting (XSS) issue that allows attackers to bypass HTML sanitization via carefully crafted oEmbed data.


“This introduces a vector for cross-site-scripting (XSS) payloads that can be rendered in the user’s browser when a preview card for a malicious link is clicked through,” Mastodon explains.

Of the remaining three bugs addressed in Mastodon last week, two are high-severity vulnerabilities leading to denial-of-service (DoS) and information leaks, while the third is a medium-severity flaw allowing attackers to create visually misleading links for phishing.

All five vulnerabilities were resolved with the release of Mastodon versions 4.1.3, 4.0.5, and 3.5.9. All administrators are advised to update their Mastodon instances as soon as possible.
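Because the advisory gives fixed releases per maintained branch (4.1.3, 4.0.5 and 3.5.9), an administrator auditing many instances needs to compare each reported version against the right branch rather than against a single number. The following Python script is an added example, not code from the article or from the Mastodon project: it reads the `version` field that Mastodon publishes in the JSON returned by `GET /api/v1/instance` and classifies the instance as patched, vulnerable, unsupported (a branch older than 3.5, which received no fix) or unknown. The sample response bodies are constructed for the example and do not describe real servers; the rule that any branch newer than 4.1 postdates the fix is an assumption stated in the code.

```python
"""Added example (not from the SecurityWeek article or the Mastodon project):
classify a Mastodon instance's reported version against the fixed releases
named in the advisory (4.1.3, 4.0.5, 3.5.9).

Assumptions: the instance reports its version in the "version" field of the
JSON returned by GET /api/v1/instance; the sample documents below are
constructed for the example and do not describe real servers.
"""
import json
import re
from typing import Optional, Tuple

# Fixed releases per maintained branch, as listed in the advisory.
FIXED_VERSIONS = {
    (4, 1): (4, 1, 3),
    (4, 0): (4, 0, 5),
    (3, 5): (3, 5, 9),
}

# Leading numeric triple; build suffixes ("+glitch") and pre-release tags
# ("-beta1") that forks and nightlies append are deliberately ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(raw: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from strings such as '4.1.2',
    '4.1.2+glitch' or '4.2.0-beta1'; None if no numeric triple leads."""
    m = _VERSION_RE.match(raw.strip())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def patch_status(raw: str) -> str:
    """Classify a version string.

    'patched'     - on a maintained branch at or above its fixed release,
                    or on a branch newer than 4.1
    'vulnerable'  - on a maintained branch below its fixed release
    'unsupported' - on a branch older than 3.5, which received no fix
    'unknown'     - version string could not be parsed or placed
    """
    v = parse_version(raw)
    if v is None:
        return "unknown"
    branch = (v[0], v[1])
    if branch in FIXED_VERSIONS:
        return "patched" if v >= FIXED_VERSIONS[branch] else "vulnerable"
    if branch > max(FIXED_VERSIONS):
        # Assumption: any branch newer than 4.1 was cut after the fix landed.
        return "patched"
    if branch < min(FIXED_VERSIONS):
        return "unsupported"
    return "unknown"


def check_instance_json(body: str) -> str:
    """Take the JSON body of /api/v1/instance and return the patch status."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return "unknown"
    version = data.get("version") if isinstance(data, dict) else None
    if not isinstance(version, str):
        return "unknown"
    return patch_status(version)


# Constructed sample responses (not captured from real servers).
SAMPLES = {
    "mastodon.example": '{"uri": "mastodon.example", "version": "4.1.3"}',
    "fork.example": '{"uri": "fork.example", "version": "4.1.2+glitch"}',
    "legacy.example": '{"uri": "legacy.example", "version": "3.4.8"}',
    "broken.example": '{"uri": "broken.example"}',
}

if __name__ == "__main__":
    for host, body in SAMPLES.items():
        print(f"{host}: {check_instance_json(body)}")
```

In practice the body passed to `check_instance_json` would come from an HTTPS request to each instance you administer; the comparison is done on the numeric triple only, so a fork reporting `4.1.2+glitch` is correctly flagged as below 4.1.3 regardless of its suffix.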

“I’ve done some surveying and a significant percentage of instances haven’t patched, and this one is very likely to see in-the-wild exploitation. Widespread exploitation across many instances is as simple as sending a single toot,” Beaumont warns.

Introduced in 2016 and offering Twitter-like microblogging features, the open source software supports self-hosted social networking services running on independently run nodes, known as Mastodon instances.

Users can choose which Mastodon instance they want to be members of but, since the nodes operate as a federated social network, users can interact with members of other instances as well. Tracking data shows there are over 12,000 Mastodon instances, hosting roughly eight million users.

The platform has gained significant traction since 2022, as Twitter’s acquisition by Elon Musk sparked concerns.

Related: Critical Vulnerabilities Force Twitter Alternative Hive Social Offline

Related: Security Researchers Looking at Mastodon as Its Popularity Soars

Related: Recently Disclosed Vulnerability Exploited to Hack Hundreds of SugarCRM Servers

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
