{ "affected": [ { "ranges": [ { "database_specific": { "versions": [ { "introduced": "0" }, { "fixed": "3.5.19" } ] }, "events": [ { "introduced": "0" }, { "fixed": "e9123ad691727ffec3672ff3912ef56e67c930ef" } ], "repo": "https://github.com/mastodon/mastodon", "type": "GIT" }, { "database_specific": { "versions": [ { "introduced": "4.0.0" }, { "fixed": "4.0.15" } ] }, "events": [ { "introduced": "fb389bd73c8a4bc2924496f6041c8eee27572d21" }, { "fixed": "e5726d211fd3dc1d640f202e808e25891d765586" } ], "repo": "https://github.com/mastodon/mastodon", "type": "GIT" }, { "database_specific": { "versions": [ { "introduced": "4.1.0" }, { "fixed": "4.1.15" } ] }, "events": [ { "introduced": "61c5dfb9295ea66c376c452a7ef7379e8c562416" }, { "fixed": "b7b03e8d26a4344ef331ba667c16311110a0d6dd" } ], "repo": "https://github.com/mastodon/mastodon", "type": "GIT" }, { "database_specific": { "versions": [ { "introduced": "4.2.0" }, { "fixed": "4.2.7" } ] }, "events": [ { "introduced": "4fcc026f0f1b12a9de21a3af33375a9c8867dd55" }, { "fixed": "0e4e98fad1e21e4f356b3a71eef3fca79890105c" } ], "repo": "https://github.com/mastodon/mastodon", "type": "GIT" } ] }, { "ranges": [ { "database_specific": { "versions": [ { "introduced": "0" }, { "fixed": "3.5.19" }, { "introduced": "4.0.0" }, { "fixed": "4.0.15" }, { "introduced": "4.1.0" }, { "fixed": "4.1.15" }, { "introduced": "4.2.0" }, { "fixed": "4.2.7" } ] }, "events": [ { "introduced": "0" }, { "fixed": "e9123ad691727ffec3672ff3912ef56e67c930ef" }, { "introduced": "fb389bd73c8a4bc2924496f6041c8eee27572d21" }, { "fixed": "e5726d211fd3dc1d640f202e808e25891d765586" }, { "introduced": "61c5dfb9295ea66c376c452a7ef7379e8c562416" }, { "fixed": "b7b03e8d26a4344ef331ba667c16311110a0d6dd" }, { "introduced": "4fcc026f0f1b12a9de21a3af33375a9c8867dd55" }, { "fixed": "0e4e98fad1e21e4f356b3a71eef3fca79890105c" } ], "repo": "https://github.com/tootsuite/mastodon", "type": "GIT" } ] } ], "aliases": [ "GHSA-jhrq-qvrm-qr36" ], "database_specific": { "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-434" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/25xxx/CVE-2024-25623.json" }, "details": "Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.2.7, 4.1.15, 4.0.15, and 3.5.19, when fetching remote statuses, Mastodon doesn't check that the response from the remote server has a `Content-Type` header value of the Activity Streams media type, which allows a threat actor to upload a crafted Activity Streams document to a remote server and make a Mastodon server fetch it, if the remote server accepts arbitrary user uploads. The vulnerability allows a threat actor to impersonate an account on a remote server that satisfies all of the following properties: allows the attacker to register an account; accepts arbitrary user-uploaded documents and places them on the same domain as the ActivityPub actors; and serves user-uploaded document in response to requests with an `Accept` header value of the Activity Streams media type. Versions 4.2.7, 4.1.15, 4.0.15, and 3.5.19 contain a fix for this issue.", "id": "CVE-2024-25623", "modified": "2026-04-01T23:10:23.992139989Z", "published": "2024-02-19T15:28:15.296Z", "references": [ { "type": "ADVISORY", "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/25xxx/CVE-2024-25623.json" }, { "type": "ADVISORY", "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-jhrq-qvrm-qr36" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25623" }, { "type": "FIX", "url": "https://github.com/mastodon/mastodon/commit/9fee5e852669e26f970e278021302e1a203fc022" } ], "schema_version": "1.7.3", "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N", "type": "CVSS_V3" } ], "summary": "Lack of media type verification of Activity Streams objects allows impersonation of remote accounts" }