Mastodon Outbound Request SSRF Protection Bypass Vulnerability
Vulnerability
A vulnerability in Mastodon allows server-side request forgery (SSRF) by bypassing the protection against outbound requests to local IP addresses. Mastodon routinely makes outbound HTTP requests to user-specified domains, so it carries a safeguard that refuses requests to local addresses unless an administrator has explicitly allowed them. The list of disallowed IP ranges used by that safeguard was incomplete, so some loopback and local-network addresses passed the check. An attacker can therefore steer Mastodon into making HTTP requests to hosts on the loopback interface or the local network, reaching private resources and services that are not exposed to the attacker directly.
Impact
Exploitation of this vulnerability gives an attacker a way to make the Mastodon server issue HTTP requests to services that are reachable from the server but not from the attacker: services bound to the loopback interface or living on the internal network, which commonly assume that any client reaching them is trusted. The result is unauthorized access to those private resources and services.
Reproduction
The vulnerability is reproduced by supplying Mastodon with a user-controlled domain or URL that points at, or resolves to, an IP address in one of the ranges missing from the blocklist. Because the private-address check does not cover that range, Mastodon makes the outbound request to that address, so the request can be directed at local-network or loopback services despite the application's intended restriction on private addresses.
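The following Ruby example is added here to show the mechanism described above and in the Vulnerability section; it is not Mastodon's code. INCOMPLETE_BLOCKLIST is a hypothetical stand-in for a partial denylist of the kind the advisory describes (the page does not say which ranges Mastodon actually missed), COMPLETE_BLOCKLIST is what an outbound fetcher should refuse, and the function names blocked? and safe_addresses_for are this example's own. It also handles one edge case a range check must not forget: an IPv4 address smuggled inside an IPv4-mapped IPv6 literal.

```ruby
require 'ipaddr'

# Added illustration, not Mastodon's code. INCOMPLETE_BLOCKLIST is a
# hypothetical partial denylist; it covers the classic RFC 1918 ranges and
# 127.0.0.0/8 but nothing else, which is the shape of gap the advisory
# describes. COMPLETE_BLOCKLIST adds the ranges still "local" from the
# server's point of view.
INCOMPLETE_BLOCKLIST = %w[
  127.0.0.0/8
  10.0.0.0/8
  172.16.0.0/12
  192.168.0.0/16
].map { |cidr| IPAddr.new(cidr) }.freeze

# 0.0.0.0/8 (this host), 100.64.0.0/10 (carrier-grade NAT),
# 169.254.0.0/16 (IPv4 link-local, where cloud metadata endpoints usually
# live), ::1 (IPv6 loopback), fc00::/7 (IPv6 unique local),
# fe80::/10 (IPv6 link-local).
COMPLETE_BLOCKLIST = (INCOMPLETE_BLOCKLIST + %w[
  0.0.0.0/8
  100.64.0.0/10
  169.254.0.0/16
  ::1/128
  fc00::/7
  fe80::/10
].map { |cidr| IPAddr.new(cidr) }).freeze

# True if +ip_str+ falls inside +blocklist+. IPv4-mapped IPv6 literals such
# as ::ffff:127.0.0.1 are unwrapped to their IPv4 form first; without that
# step an IPv4 range never matches them, because the literal belongs to the
# IPv6 address family. Unparseable input is treated as blocked (fail closed).
def blocked?(ip_str, blocklist)
  ip = IPAddr.new(ip_str)
  ip = ip.native if ip.ipv4_mapped?
  blocklist.any? { |range| range.include?(ip) }
rescue IPAddr::InvalidAddressError
  true
end

# Resolve a user-supplied host and return the addresses it is safe to
# connect to. +resolver+ is injected so the example runs offline; in
# production something like ->(h) { Resolv.getaddresses(h) } would be used.
# A host that resolves to any blocked address is refused entirely, so an
# attacker cannot publish one public and one private record and rely on the
# client's connection fallback. The caller must then connect to the returned
# literals rather than re-resolving the hostname, or a second lookup can
# return a different answer (DNS rebinding).
def safe_addresses_for(host, resolver:, blocklist: COMPLETE_BLOCKLIST)
  addrs = resolver.call(host)
  return [] if addrs.empty? || addrs.any? { |a| blocked?(a, blocklist) }
  addrs
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs: the second and third slip past the
  # incomplete list, all but the last are caught by the complete one.
  %w[127.0.0.1 169.254.169.254 ::1 ::ffff:127.0.0.1 100.64.1.1 203.0.113.10].each do |ip|
    puts format('%-20s incomplete=%-5s complete=%s', ip,
                blocked?(ip, INCOMPLETE_BLOCKLIST), blocked?(ip, COMPLETE_BLOCKLIST))
  end
end
```

Two practical notes. IPAddr rejects non-canonical IPv4 spellings such as 2130706433 or 127.1, which is the behaviour you want at this layer; the risk is in letting a more lenient parser (the system resolver or the HTTP client) see the raw string before the check runs. And the check has to be applied to the address actually connected to on every hop, including each target of an HTTP redirect, not once to the URL the user typed.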
Remediation
Update to Mastodon 4.5.4, 4.4.11, 4.3.17 or 4.2.29, whichever corresponds to the release branch in use; these versions contain the corrected list of disallowed IP ranges. After upgrading, confirm the running version and keep any explicit allowlist of local addresses as narrow as the deployment actually requires.
