Mastodon Missing Length Limit Vulnerability in List and Filter Names
Vulnerability
Mastodon, a social network server based on ActivityPub, does not enforce a maximum length for list names, filter names, or filter keywords in versions prior to 4.5.5, 4.4.12, and 4.3.18. Because the server accepts strings of any length in these fields, any local user can store excessively long values and thereby consume disproportionate storage and processing resources. Such a user can also break their own web interface, either deliberately or by authorizing a malicious API client without realising what it will do with that access.
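The following Ruby is an added illustration of the class of bug described above; it is not Mastodon's code and not the project's fix. It places a validator that only checks presence (the unbounded "before") beside one that also caps length (the "after"). The caps MAX_NAME_CHARS and MAX_NAME_BYTES, the function names, and the sample inputs are all assumptions made for the example; the limits Mastodon actually adopted are not stated on this page.

```ruby
# Added example, not Mastodon's own code or its fix. The caps and samples
# below are assumptions chosen for the illustration.

MAX_NAME_CHARS = 255 # assumed character cap for a list or filter name
MAX_NAME_BYTES = 512 # assumed raw byte ceiling, checked before any other work

# "Before": nothing stops a caller from storing a multi-megabyte name.
def validate_name_unbounded(name)
  return ["can't be blank"] if name.nil? || name.strip.empty?
  []
end

# "After": reject oversized names. The raw byte check runs right after the
# nil check because bytesize is O(1) and bounds the cost of everything that
# follows; stripping, normalising or counting characters in an arbitrarily
# large string is itself work an attacker can force the server to do.
def validate_name_bounded(name, max_chars: MAX_NAME_CHARS, max_bytes: MAX_NAME_BYTES)
  return ["can't be blank"] if name.nil?
  return ["is too long (maximum is #{max_bytes} bytes)"] if name.bytesize > max_bytes
  return ["can't be blank"] if name.strip.empty?

  # Normalise so composed and decomposed spellings measure the same, then
  # count codepoints, which is what a typical "maximum characters" rule means.
  normalized = name.unicode_normalize(:nfc)
  return ["is too long (maximum is #{max_chars} characters)"] if normalized.length > max_chars

  []
end

# Constructed sample inputs for the demonstration (not real Mastodon data).
SAMPLES = {
  ordinary:  "Friends",
  oversized: "A" * 1_048_576,   # 1 MiB of ASCII: the kind of value the advisory describes
  wide:      "\u{1F600}" * 200, # 200 codepoints but 800 bytes: under the char cap, over the byte cap
  accented:  "e\u0301" * 150,   # 300 raw codepoints, 150 after NFC: accepted once normalised
  blank:     "   ",
}.freeze

# Run one validator over every sample; returns { sample_key => [error messages] }.
def check_all(validator)
  SAMPLES.transform_values { |name| validator.call(name) }
end

if __FILE__ == $PROGRAM_NAME
  before = check_all(method(:validate_name_unbounded))
  after  = check_all(method(:validate_name_bounded))
  SAMPLES.each_key do |key|
    puts format("%-9s before=%-20s after=%s", key, before[key].inspect, after[key].inspect)
  end
end
```

The unbounded validator accepts the 1 MiB sample without complaint, which is exactly the condition the advisory describes. Two points carry over to a real deployment: the cap has to be enforced server-side on every write path, including the REST API, because the advisory names a malicious API client as one way the oversized value gets created; and in a Rails application the model-level validation is normally paired with a database column limit so the ceiling holds even for code that bypasses the model.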
Impact
Exploitation consumes server storage and processing resources out of proportion to the action performed, and can leave the affected user's web interface sluggish or unresponsive. The disruption may be self-inflicted or caused by a malicious API client that the user has authorized.
Remediation
Users can upgrade to Mastodon versions 4.5.5, 4.4.12, or 4.3.18 to address this vulnerability.
