Mastodon FASP Subscription Vulnerability Allowing Unconfirmed Providers to Subscribe and Backfill
Vulnerability
A vulnerability in Mastodon versions 4.4.0 through 4.4.13 and 4.5.0 through 4.5.6 allows unconfirmed FASP providers to subscribe to account and content lifecycle events and request content backfills without administrative approval. This issue arises on servers that have enabled the experimental FASP feature by setting the 'EXPERIMENTAL_FEATURES' environment variable to include 'fasp'. While a single exploitation leads to a minor information leak of publicly available URIs, repeated actions can cause significant denial-of-service by overloading the Sidekiq worker that manages FASP tasks.
Impact
Exploitation of this vulnerability allows unconfirmed FASP providers to make subscriptions and request content backfills, bypassing the required administrative approval. This not only leads to a minor information leak but, when done repeatedly, creates a serious denial-of-service risk by putting excessive strain on the Sidekiq worker that handles FASP-related tasks.
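The authorization gap described above, modelled as an added example (not Mastodon's own code): a minimal guard with the vulnerable behaviour (any registered provider may subscribe or request a backfill) beside a hardened form that requires administrator confirmation and, going one step beyond the page's fix, caps backfill requests per provider to protect the worker queue. The `Provider` struct, the `confirmed` flag, the action names and the limit are assumptions for illustration.

```ruby
# Added example, not Mastodon's code. Provider shape, action names and the
# per-provider backfill limit are assumptions made for this illustration.
require 'set'

Provider = Struct.new(:id, :confirmed, keyword_init: true)

class FaspSubscriptionGuard
  # Lifecycle actions the (assumed) FASP endpoints accept.
  ALLOWED_ACTIONS = Set['subscribe', 'backfill'].freeze

  def initialize(providers, backfill_limit: 3)
    @providers = providers.to_h { |p| [p.id, p] }
    @backfill_limit = backfill_limit
    @backfill_counts = Hash.new(0)
  end

  # Vulnerable behaviour: a registered provider is let through whether or
  # not an administrator has confirmed it.
  def authorize_vulnerable(provider_id, action)
    provider = @providers[provider_id]
    return :rejected unless provider && ALLOWED_ACTIONS.include?(action)
    :accepted
  end

  # Hardened behaviour: require confirmation, and cap backfill requests per
  # provider so repeated requests cannot flood the worker that runs them.
  def authorize_hardened(provider_id, action)
    provider = @providers[provider_id]
    return :rejected unless provider && ALLOWED_ACTIONS.include?(action)
    return :unconfirmed unless provider.confirmed
    if action == 'backfill'
      @backfill_counts[provider_id] += 1
      return :rate_limited if @backfill_counts[provider_id] > @backfill_limit
    end
    :accepted
  end
end
```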
Reproduction
To reproduce this vulnerability, first enable the experimental FASP feature on a Mastodon server by setting the 'EXPERIMENTAL_FEATURES' environment variable to include 'fasp'. Next, register a FASP provider without confirmation. Once the provider is registered, it can be used to subscribe to lifecycle events and request content backfills without administrative approval. This can be done by sending requests to the appropriate API endpoints for event subscriptions and backfill requests, using the unconfirmed provider's credentials.
Remediation
Update to Mastodon version 4.4.14 or 4.5.7, which include the fix. Servers currently testing the experimental FASP feature should update as soon as possible.