Mastodon has SSRF Protection bypass_CVE-2026-22245

7.1 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Description

Mastodon is a free, open-source social network server based on ActivityPub. By nature, Mastodon performs a lot of outbound requests to user-provided domains. Mastodon, however, has some protection mechanism to disallow requests to local IP addresses (unless specified in `ALLOWED_PRIVATE_ADDRESSES`) to avoid the "confused deputy" problem. The list of disallowed IP address ranges was lacking some IP address ranges that can be used to reach local IP addresses. An attacker can use an IP address in the affected ranges to make Mastodon perform HTTP requests against loopback or local network hosts, potentially allowing access to otherwise private resources and services. This is fixed in Mastodon v4.5.4, v4.4.11, v4.3.17 and v4.2.29.

Basic Information

ID CVE-2026-22245

Source GitHub_M

Published Jan 8, 2026 at 15:23

Modified Jan 8, 2026 at 15:54

Affected Product

Vendor mastodon

Product mastodon

Version < 4.2.29

Affected Versions mastodon mastodon < 4.2.29
mastodon mastodon >= 4.3.0-beta.1, < 4.3.17
mastodon mastodon >= 4.4.0-beta.1, < 4.4.11
mastodon mastodon >= 4.5.0-beta.1, < 4.5.4

CWE Classification

CWE-918

References

{
    "lastseen": "",
    "description": "Mastodon is a free, open-source social network server based on ActivityPub. By nature, Mastodon performs a lot of outbound requests to user-provided domains. Mastodon, however, has some protection mechanism to disallow requests to local IP addresses (unless specified in `ALLOWED_PRIVATE_ADDRESSES`) to avoid the \"confused deputy\" problem. The list of disallowed IP address ranges was lacking some IP address ranges that can be used to reach local IP addresses. An attacker can use an IP address in the affected ranges to make Mastodon perform HTTP requests against loopback or local network hosts, potentially allowing access to otherwise private resources and services. This is fixed in Mastodon v4.5.4, v4.4.11, v4.3.17 and v4.2.29.",
    "published": "2026-01-08T15:23:13.639Z",
    "modified": "2026-01-08T15:54:30.680Z",
    "type": "cve",
    "title": "Mastodon has SSRF Protection bypass",
    "source": "GitHub_M",
    "references": "https://github.com/mastodon/mastodon/security/advisories/GHSA-xfrj-c749-jxxq\nhttps://github.com/mastodon/mastodon/commit/0f4e8a6240b5af1f2c3f34d2793d8610c6ef2aca\nhttps://github.com/mastodon/mastodon/commit/17022907866710a72a1b1fc0a5ce9538bad1b4c3\nhttps://github.com/mastodon/mastodon/commit/71ae4cf2cf5138ccdda64b1b1d665849b688686d",
    "id": "CVE-2026-22245",
    "bulletinFamily": "",
    "cwe": [
        "CWE-918"
    ],
    "cvelist": null,
    "sourceData": "mastodon mastodon < 4.2.29\nmastodon mastodon >= 4.3.0-beta.1, < 4.3.17\nmastodon mastodon >= 4.4.0-beta.1, < 4.4.11\nmastodon mastodon >= 4.5.0-beta.1, < 4.5.4",
    "sourceHref": "",
    "cvss": {
        "score": 7.1,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "mastodon",
    "version": "< 4.2.29",
    "vendor": "mastodon",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}