Mastodon: SSRF protection bypass on older Ruby versions_CVE-2026-47389

8.6 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Description

Mastodon is a free, open-source social network server based on ActivityPub. Prior to 4.5.10, 4.4.17, and 4.3.23, when using Ruby versions older than 3.4, PrivateAddressCheck.private_address? returns false for IPv4-mapped IPv6 addresses (::ffff:a.b.c.d) corresponding to some private IPv4 addresses, depending on Ruby version, this can include loopback, RFC1918 private networks, and link-local space. An attacker who controls DNS for any domain can publish an AAAA record with such a mapped address; any outbound HTTP fetch Mastodon performs against that hostname then opens a real TCP connection to the underlying IPv4 address, including 127.0.0.1 and cloud-metadata endpoints such as 169.254.169.254. This vulnerability is fixed in 4.5.10, 4.4.17, and 4.3.23.

AI Analysis

SSRF protection bypass vulnerability in Mastodon on older Ruby versions, allowing an attacker to publish an AAAA record and open a real TCP connection to the underlying IPv4 address.

Basic Information

ID CVE-2026-47389

Source GitHub_M

Published Jun 24, 2026 at 19:41

Affected Product

Vendor mastodon

Product mastodon

Version >= 4.5.0-beta.1, < 4.5.10

Affected Versions mastodon mastodon >= 4.5.0-beta.1, < 4.5.10

CWE Classification

CWE-184 CWE-200 CWE-918

AI Assessment

AI Score 8.6 / 10

AI Severity High

Vendor Mastodon

Product Mastodon

Version 4.5.0-beta.1 to 4.5.10, 4.4.17, 4.3.23

References

github.com /mastodon/mastodon/security/advisories/GHSA-xx55-4rrg-8xg6

{
    "lastseen": "",
    "description": "Mastodon is a free, open-source social network server based on ActivityPub. Prior to 4.5.10, 4.4.17, and 4.3.23, when using Ruby versions older than 3.4, PrivateAddressCheck.private_address? returns false for IPv4-mapped IPv6 addresses (::ffff:a.b.c.d) corresponding to some private IPv4 addresses, depending on Ruby version, this can include loopback, RFC1918 private networks, and link-local space. An attacker who controls DNS for any domain can publish an AAAA record with such a mapped address; any outbound HTTP fetch Mastodon performs against that hostname then opens a real TCP connection to the underlying IPv4 address, including 127.0.0.1 and cloud-metadata endpoints such as 169.254.169.254. This vulnerability is fixed in 4.5.10, 4.4.17, and 4.3.23.",
    "published": "2026-06-24T19:41:21.150Z",
    "modified": "2026-06-24T19:41:21.150Z",
    "type": "cve",
    "title": "Mastodon: SSRF protection bypass on older Ruby versions",
    "source": "GitHub_M",
    "references": "https://github.com/mastodon/mastodon/security/advisories/GHSA-xx55-4rrg-8xg6",
    "id": "CVE-2026-47389",
    "bulletinFamily": "",
    "cwe": [
        "CWE-184",
        "CWE-200",
        "CWE-918"
    ],
    "cvelist": null,
    "sourceData": "mastodon mastodon >= 4.5.0-beta.1, < 4.5.10",
    "sourceHref": "",
    "cvss": {
        "score": 8.6,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "mastodon",
    "version": ">= 4.5.0-beta.1, < 4.5.10",
    "vendor": "mastodon",
    "ai_description": "SSRF protection bypass vulnerability in Mastodon on older Ruby versions, allowing an attacker to publish an AAAA record and open a real TCP connection to the underlying IPv4 address.",
    "ai_severity": "High",
    "ai_vendor": "Mastodon",
    "ai_product": "Mastodon",
    "ai_version": "4.5.0-beta.1 to 4.5.10, 4.4.17, 4.3.23",
    "ai_score": 8.6
}