Mastodon Streaming API Disconnection Vulnerability for Disabled or Suspended Accounts
Vulnerability
A vulnerability exists in Mastodon versions prior to 4.4.6, 4.3.14, and 4.2.27, where disabling or suspending a user account does not terminate the account's connection to the streaming API. As a result, these accounts can continue to receive real-time updates through existing streaming connections and establish new ones, despite being unable to interact with other API endpoints. This issue undermines moderation efforts, as administrators expect fully disabled or suspended accounts to be disconnected from the service.
Impact
The vulnerability allows disabled or suspended accounts to remain connected to the streaming API, receiving updates and re-establishing connections, which can disrupt moderation actions.
Reproduction
To reproduce this vulnerability, suspend a user account and then connect to the streaming API with that account. The account will continue to receive updates, demonstrating that the suspension has not been properly enforced on the streaming connection.
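What correct enforcement looks like on the streaming side, as an added illustrative model (not Mastodon's own code): a moderation status change must both refuse new streaming subscriptions for the account and close any streaming connections it already holds. The `StreamingServer` class, the in-memory account table and the `active`/`suspended`/`disabled` status strings are assumptions made for this example.

```javascript
// Added illustrative model, not Mastodon's code. It shows the two checks a
// streaming server needs so that a disable/suspend action is enforced on
// real-time connections: new subscriptions are refused for inactive accounts,
// and connections already open for that account are closed when the status
// changes. Skipping the second check is the behaviour this advisory describes.

// Constructed in-memory account table; a real server would query its database.
const accounts = new Map([
  ['1', { status: 'active' }],
  ['2', { status: 'active' }],
]);

// Open streaming connections, keyed by account id -> Set of connection objects.
const connections = new Map();

class StreamingServer {
  // Entry point for a new streaming subscription. Returns the connection, or
  // throws when the account is not active (disabled, suspended or unknown).
  connect(accountId) {
    const account = accounts.get(accountId);
    if (!account || account.status !== 'active') {
      const state = account ? account.status : 'unknown';
      throw new Error(`streaming refused: account ${accountId} is ${state}`);
    }
    const conn = { accountId, open: true, received: [] };
    if (!connections.has(accountId)) connections.set(accountId, new Set());
    connections.get(accountId).add(conn);
    return conn;
  }

  // Fan out a real-time update to every open connection of the account.
  push(accountId, payload) {
    for (const conn of connections.get(accountId) || []) {
      if (conn.open) conn.received.push(payload);
    }
  }

  // Moderation action: record the new status AND tear down live streams, so an
  // already-connected client stops receiving updates immediately.
  setStatus(accountId, status) {
    accounts.get(accountId).status = status;
    if (status === 'active') return;
    for (const conn of connections.get(accountId) || []) conn.open = false;
    connections.delete(accountId);
  }
}
```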
Remediation
Instance administrators should update to Mastodon 4.4.6, 4.3.14, or 4.2.27, which fix this issue.
