Mastodon FASP Feature Server-Side Request Forgery Vulnerability
Vulnerability
A server-side request forgery (SSRF) vulnerability has been identified in Mastodon versions 4.4.0 through 4.4.13 and 4.5.0 through 4.5.6. Only servers that have enabled the experimental FASP (Fediverse Auxiliary Service Provider) feature are affected. Because the server does not validate the 'base_url' supplied during FASP registration before using it, an unauthenticated attacker can register a FASP whose 'base_url' contains, or resolves to, a loopback or internal address. The Mastodon server then makes HTTP or HTTPS requests to that address, which can trigger vulnerabilities or undesired behavior in the internal systems it reaches.
Impact
Exploitation gives the attacker server-side request forgery: the Mastodon server is tricked into sending requests to systems that are reachable from its own network position but not from the attacker's, which may trigger vulnerabilities in, or cause other undesired behavior on, those internal systems.
Reproduction
To reproduce this vulnerability, an attacker registers a FASP whose 'base_url' points at a local or internal address, either directly (an IP literal such as a loopback or private address) or indirectly (an attacker-controlled hostname that resolves to such an address). The target Mastodon server must have the experimental 'fasp' feature enabled. Once the FASP is registered, the server makes requests to that address on the attacker's behalf, giving the attacker an opportunity to exploit vulnerabilities on the internal system.
Remediation
Users should update to Mastodon 4.4.14 or 4.5.7, both of which include the patch. Administrators running the experimental 'fasp' feature should update as soon as possible. Servers that have not enabled the 'fasp' feature are not affected.
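The Ruby validator below is added here as an illustration of the checks a user-supplied 'base_url' needs before a server uses it for outbound requests; it is not Mastodon's patch and does not claim to match it. It accepts only http(s) URLs without embedded credentials, resolves the host, and refuses any answer that falls in a loopback, private, link-local or other non-routable range, unwrapping IPv4-mapped IPv6 literals so they cannot bypass the IPv4 list. On success it returns the vetted addresses so the HTTP client can connect to exactly those (pinning), which closes the DNS-rebinding window between check and use. The function names, the STUB_DNS table and its hostnames are constructed for the example.

```ruby
# Added example: base_url validation against SSRF. Not Mastodon's own code;
# function names, STUB_DNS entries and hostnames are assumptions for illustration.
require 'ipaddr'
require 'resolv'
require 'uri'

# Address ranges a server-to-server request must never target: "this network",
# RFC 1918, CGNAT, loopback, link-local (which includes 169.254.169.254),
# IETF protocol assignments, benchmarking, and the IPv6 counterparts.
BLOCKED_RANGES = %w[
  0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
  172.16.0.0/12 192.0.0.0/24 192.168.0.0/16 198.18.0.0/15
  ::/128 ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }.freeze

# True when the address (String or IPAddr) lies in a blocked range.
# IPv4-mapped IPv6 addresses (::ffff:7f00:1 == 127.0.0.1) are unwrapped first.
def blocked_address?(addr)
  ip = addr.is_a?(IPAddr) ? addr : IPAddr.new(addr)
  ip = ip.native if ip.ipv4_mapped?
  BLOCKED_RANGES.any? { |range| range.include?(ip) }
rescue IPAddr::InvalidAddressError
  true # anything we cannot classify is treated as unsafe
end

# Production resolver; the test and demo inject a stub so nothing touches DNS.
DEFAULT_RESOLVER = ->(host) { Resolv.getaddresses(host) }

# Validates a base_url. Returns [accepted, detail]: on rejection detail is the
# reason; on acceptance it is the list of vetted IPs the HTTP client should
# connect to, so the name is never re-resolved between this check and the request.
def validate_base_url(base_url, resolver: DEFAULT_RESOLVER)
  uri = URI.parse(base_url.to_s)
  return [false, 'scheme must be http or https'] unless uri.is_a?(URI::HTTP)
  return [false, 'host is required'] if uri.hostname.nil? || uri.hostname.empty?
  return [false, 'credentials in URL are not allowed'] if uri.userinfo

  host = uri.hostname # hostname (not host) strips the [] around IPv6 literals
  literal = begin
    IPAddr.new(host)
  rescue IPAddr::InvalidAddressError
    nil
  end

  # An IP literal is used as-is; a hostname is resolved and every answer is
  # checked, so a name mixing public and private records is still rejected.
  addresses = literal ? [literal.to_s] : resolver.call(host)
  return [false, 'host does not resolve'] if addresses.empty?
  blocked = addresses.select { |a| blocked_address?(a) }
  return [false, "resolves to blocked address #{blocked.first}"] unless blocked.empty?

  [true, addresses]
rescue URI::InvalidURIError
  [false, 'malformed URL']
end

# Constructed DNS answers standing in for real resolution.
STUB_DNS = {
  'fasp.example.org'        => ['203.0.113.10'],
  'internal.example.org'    => ['10.0.0.5'],
  'split.example.org'       => ['203.0.113.11', '192.168.1.1'],
  'ula.example.org'         => ['fd00::1'],
}.freeze
STUB_RESOLVER = ->(host) { STUB_DNS.fetch(host, []) }

if __FILE__ == $PROGRAM_NAME
  ['https://fasp.example.org/fasp', 'https://internal.example.org/',
   'http://127.0.0.1:3000/', 'https://[::ffff:7f00:1]/',
   'https://169.254.169.254/'].each do |url|
    ok, detail = validate_base_url(url, resolver: STUB_RESOLVER)
    puts "#{ok ? 'ACCEPT' : 'REJECT'} #{url} -> #{detail}"
  end
end
```

Two caveats apply to any such check. The classifier must see exactly the addresses the HTTP client will connect to, so the client should use the returned list (or at least the same resolver) rather than resolving the name again, and every redirect target must go through the same validation before it is followed. A range blocklist is a floor, not a ceiling; where the set of legitimate providers is known, an allowlist of approved hosts is stronger.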
