Critical Vulnerability in Mastodon Allows Account Takeover
A critical vulnerability in the open-source decentralized social network Mastodon has been fixed. This flaw allowed attackers to impersonate any account and take it over.
The vulnerability, identified as CVE-2024-23832, is related to improper origin validation (CWE-346) in Mastodon. This issue enabled malicious actors to pose as other users and gain control of their accounts.
The vulnerability received a score of 9.4 on the CVSS 3.1 scale and affects all Mastodon versions prior to 3.5.17, 4.0.13, 4.1.13, and 4.2.5. The issue was resolved in version 4.2.5, and all Mastodon administrators are strongly advised to update to this version as soon as possible to protect their users.
Administrators Urged to Update
The Mastodon development team is currently withholding technical details about the vulnerability to prevent active exploitation. "Any details would make it easy to create an exploit," they stated. However, they have promised to share more information about CVE-2024-23832 at the end of next week, after most instances have applied the patches.
Regular Mastodon users cannot directly fix the issue themselves, but they should ensure that the administrators of the instances they use have updated to a secure version. Otherwise, their accounts remain at risk of being compromised.
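The practical check for administrators and users alike is whether an instance's running version is at or above the fixed release for its branch (3.5.17, 4.0.13, 4.1.13 or 4.2.5, as listed above). The following script is an added example, not code from the Mastodon project: it encodes those fixed versions, parses the version string a Mastodon server reports in its `/api/v1/instance` response, and reports whether that version predates the fix. The sample JSON is constructed; in real use you would fetch the endpoint over HTTPS. Branches newer than 4.2 are not named in the advisory, so the script reports them as unknown rather than assuming they are fixed.

```python
"""Classify a Mastodon instance's reported version against the
CVE-2024-23832 fixed releases. Added example, not Mastodon project code."""
import json
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Fixed releases from the advisory, keyed by release branch (major, minor).
FIXED_VERSIONS = {
    (3, 5): (3, 5, 17),
    (4, 0): (4, 0, 13),
    (4, 1): (4, 1, 13),
    (4, 2): (4, 2, 5),
}


def parse_version(version: str) -> Optional[Version]:
    """Extract the leading major.minor.patch triple from strings such as
    '4.2.5', 'v4.2.5' or '4.2.5-nightly.2024-02-01'; None if unparseable."""
    m = re.match(r"\s*v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_patched(version: str) -> Optional[bool]:
    """True if the version is at or above the fixed release for its branch,
    False if it is below it (or on a branch older than any fixed branch,
    which the advisory covers with 'prior to 3.5.17'), None if the branch
    is newer than the ones listed or the string cannot be parsed."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    branch = parsed[:2]
    if branch in FIXED_VERSIONS:
        return parsed >= FIXED_VERSIONS[branch]
    if branch < min(FIXED_VERSIONS):
        return False  # e.g. 3.4.x: older than every fixed branch
    return None  # newer branch (e.g. 4.3.x): not covered by the listed fixes


def check_instance_json(body: str) -> Tuple[str, Optional[bool]]:
    """Read the 'version' field of an /api/v1/instance JSON response and
    return (reported version, patched-or-None)."""
    data = json.loads(body)
    version = data.get("version", "")
    return version, is_patched(version)


# Constructed sample response containing only the field this check needs.
SAMPLE_RESPONSE = '{"uri": "example.social", "version": "4.2.4"}'

if __name__ == "__main__":
    reported, ok = check_instance_json(SAMPLE_RESPONSE)
    status = {True: "patched", False: "UNPATCHED", None: "unknown"}[ok]
    print(f"{reported}: {status}")
```

Running the script as written reports the constructed 4.2.4 sample as unpatched; swap in the JSON from your own instance's `/api/v1/instance` endpoint to check a real server.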