Mastodon: Security flaw allows unauthorized access to posts

The latest updates address a security vulnerability, which previously allowed attackers to gain unauthorized access to user posts.

Mastodon, the decentralized social network, is urging instance operators to update their server software immediately due to a high-risk security vulnerability. This flaw, CVE-2024-37903, allows attackers to gain unauthorized access to posts, potentially exposing private content to unintended users.

According to a security advisory, the vulnerability enables attackers to craft certain activities that expand the audience of a post to other Mastodon users on a targeted server. This manipulation allows unauthorized users to view posts not meant for them. The vulnerability has been rated with a CVSS score of 8.2, indicating a high severity level.

By crafting specific activities, an attacker can extend the audience of a post they do not own to other Mastodon users on a target server, thus gaining access to the contents of a post not intended for them.

Mastodon

The issue affects all versions of Mastodon from 2.6.0 onwards. The Mastodon development team has released updates 4.2.10 and 4.1.18 to address this. These versions close the security gap and include fixes for other security issues. “We strongly recommend all instance operators update their servers to the latest versions to protect user content,” stated the Mastodon developers.

One of the additional bugs fixed in these updates pertains to the permissions check for several API endpoints. The security advisory explains that while a permissions check did occur, it was inadequate: for instance, application tokens not tied to a specific user could be used to pass it.

The developers have highlighted that this is not the first time Mastodon has had to address significant security gaps. In February, a different vulnerability allowed attackers to take over or impersonate accounts.

The latest security bulletin also includes a note about a future update: “We will publish a more detailed description of this issue on Monday, July 15th, to give some time for Mastodon server administrators to update their servers,” the developers noted.

The developers advise updating to nightly 2024-07-05-security or newer for those using nightly builds and to the latest commit for those on the main branch.
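As an added illustration (not code from the article or from the Mastodon project), the following check encodes the affected and fixed versions stated above so an operator can triage a list of instances; the nightly version-string layout and the treatment of releases newer than the 4.2 branch are assumptions, not facts from the advisory.

```python
import re
from datetime import date

# Thresholds taken from the advisory as reported above.
FIRST_AFFECTED = (2, 6, 0)                  # affected from 2.6.0 onwards
FIXED_RELEASES = {(4, 2): 10, (4, 1): 18}   # fixed in 4.2.10 and 4.1.18
FIXED_NIGHTLY = date(2024, 7, 5)            # nightly 2024-07-05-security or newer

# Assumed layout of a nightly version string, e.g. "4.3.0-nightly.2024-07-05-security".
# This format is an assumption, not taken from the advisory.
_NIGHTLY_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-nightly\.(\d{4})-(\d{2})-(\d{2})")
_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def is_vulnerable_to_cve_2024_37903(version: str) -> bool:
    """Return True when a Mastodon version string still needs the fix.

    Release builds are affected from 2.6.0 up to, but not including, 4.1.18 on
    the 4.1 branch and 4.2.10 on the 4.2 branch. Branches the advisory names no
    fix for (3.x, 4.0.x) are treated as affected. Anything newer than the 4.2
    branch is assumed to carry the fix (assumption, not stated on the page).
    """
    m = _NIGHTLY_RE.match(version)
    if m:
        year, month, day = (int(x) for x in m.group(4, 5, 6))
        return date(year, month, day) < FIXED_NIGHTLY
    m = _RELEASE_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised Mastodon version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    if (major, minor, patch) < FIRST_AFFECTED:
        return False
    if (major, minor) in FIXED_RELEASES:
        return patch < FIXED_RELEASES[(major, minor)]
    return (major, minor) < (4, 2)


def triage(inventory: dict) -> list:
    """Given {instance: version}, return the instances that still need updating."""
    return sorted(host for host, v in inventory.items() if is_vulnerable_to_cve_2024_37903(v))


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up for the demo.
    sample = {"a.example": "4.2.9", "b.example": "4.2.10", "c.example": "4.1.18",
              "d.example": "4.0.2", "e.example": "4.3.0-nightly.2024-07-01",
              "f.example": "4.3.0-nightly.2024-07-05-security"}
    print("still vulnerable:", triage(sample))  # prints ['a.example', 'd.example', 'e.example']
```

The `version` field returned by an instance's `/api/v1/instance` endpoint is the value to feed into the check when building the inventory.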

Mastodon’s decentralized nature means that each instance operates independently, making it crucial for individual instance operators to apply security patches promptly.

Posted by Alex Ivanovs

Alex is the lead editor at Stack Diary and covers stories on tech, artificial intelligence, security, privacy and web development. He previously worked as a lead contributor for Huffington Post for their Code column.