Mastodon: Persistent anonymous DoS via unhandled NoMethodError in MATH_TRANSFORMER

7.5 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Description

Mastodon is a free, open-source social network server based on ActivityPub. Prior to 4.5.11, 4.4.18, and 4.3.24, a DoS can be triggered by (Uncaught Exception vulerability), due to missing exception handling in the math sanitizer. Malformed <math> nodes can result in a DoS of a whole server or targeted users services, depending on the type of action that includes the malformed nodes and the services interacting with it. This vulnerability is fixed in 4.5.11, 4.4.18, and 4.3.24.

Basic Information

ID CVE-2026-50129

Source GitHub_M

Published Jun 24, 2026 at 19:50

Affected Product

Vendor mastodon

Product mastodon

Version >= 4.5.0-beta.1, < 4.5.11

Affected Versions mastodon mastodon >= 4.5.0-beta.1, < 4.5.11
mastodon mastodon >= 4.4.0-beta.1, < 4.4.18
mastodon mastodon < 4.3.24

CWE Classification

CWE-248

References

github.com /mastodon/mastodon/security/advisories/GHSA-qrgq-9fx2-vf2r

{
    "lastseen": "",
    "description": "Mastodon is a free, open-source social network server based on ActivityPub. Prior to 4.5.11, 4.4.18, and 4.3.24, a DoS can be triggered by (Uncaught Exception vulerability), due to missing exception handling in the math sanitizer. Malformed <math> nodes can result in a DoS of a whole server or targeted users services, depending on the type of action that includes the malformed nodes and the services interacting with it. This vulnerability is fixed in 4.5.11, 4.4.18, and 4.3.24.",
    "published": "2026-06-24T19:50:51.968Z",
    "modified": "2026-06-24T19:50:51.968Z",
    "type": "cve",
    "title": "Mastodon: Persistent anonymous DoS via unhandled NoMethodError in MATH_TRANSFORMER",
    "source": "GitHub_M",
    "references": "https://github.com/mastodon/mastodon/security/advisories/GHSA-qrgq-9fx2-vf2r",
    "id": "CVE-2026-50129",
    "bulletinFamily": "",
    "cwe": [
        "CWE-248"
    ],
    "cvelist": null,
    "sourceData": "mastodon mastodon >= 4.5.0-beta.1, < 4.5.11\nmastodon mastodon >= 4.4.0-beta.1, < 4.4.18\nmastodon mastodon < 4.3.24",
    "sourceHref": "",
    "cvss": {
        "score": 7.5,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "mastodon",
    "version": ">= 4.5.0-beta.1, < 4.5.11",
    "vendor": "mastodon",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Mastodon: Persistent anonymous DoS via unhandled NoMethodError in MATH_TRANSFORMER_CVE-2026-50129