Mastodon Rolls Out Urgent Security Update to Mitigate Critical Vulnerabilities Threatening Millions of Users

  • Mastodon, a popular decentralized social network, addresses critical vulnerabilities with a new security update, protecting its 14 million users across more than 20,000 instances from potential cyberattacks.
  • The security update addresses five vulnerabilities, the most dangerous of which could have allowed attackers to exploit a glitch in the media attachments feature, potentially leading to Denial-of-Service (DoS) and arbitrary remote code execution attacks.
Mastodon, a decentralized social network with a user base exceeding 14 million, has issued a security update to address critical vulnerabilities that could expose its users to cyberattacks. The most severe vulnerability, CVE-2023-36460, allows attackers to exploit a flaw in the media attachments feature to create and overwrite files in any location the software can reach on an instance. This vulnerability could be weaponized for Denial-of-Service (DoS) and arbitrary remote code execution attacks, presenting a considerable threat to both Mastodon users and the wider Internet community.

The critical flaw was discovered during a penetration testing initiative backed by the Mozilla Foundation and carried out by the cybersecurity firm Cure53. The latest patch rolled out by Mastodon addresses five vulnerabilities, including another serious issue, CVE-2023-36459, which could enable attackers to inject arbitrary HTML into oEmbed preview cards, bypassing Mastodon's HTML sanitization and opening the door to Cross-Site Scripting (XSS) payloads.

Here are some additional details about the vulnerabilities:

  • CVE-2023-36460: This vulnerability allows attackers to create or overwrite files in any location the Mastodon software can reach on an affected instance. This could be used to launch denial-of-service attacks or to execute arbitrary code on affected instances.
  • CVE-2023-36459: This vulnerability allows attackers to inject arbitrary HTML into oEmbed preview cards, bypassing Mastodon's HTML sanitization. This could be used to deliver malicious code to users who view the preview cards.

To guard against these threats, Mastodon users should confirm that the instance they use has promptly installed the necessary updates. Doing so helps protect their personal information and reduces exposure to the attacks described above.