Mastodon has issued a call to action for admins after a critical vulnerability was revealed, affecting the decentralized social network popular among former Twitter users. The severity score of the exploit, CVE-2024-23832, is 9.4, and it potentially allows attackers to remotely take over Mastodon accounts.

The CEO and lead developer at Mastodon, Eugen Rochko, stated that due to insufficient origin validation, attackers can impersonate and take over any remote account. Vulnerable versions include all Mastodon versions prior to 3.5.17, 4.0.x versions prior to 4.0.13, 4.1.x versions prior to 4.1.13, and 4.2.x versions prior to 4.2.5.

Rochko plans to publish full details of the vulnerability on February 15 and has urged admins to upgrade to the latest version within two weeks. The decentralized nature of Mastodon means that each server must be individually updated by its respective administrators.

Despite the vulnerability, more than half of all active servers have already upgraded to the latest version, thanks to the rapid dissemination of the security advisory. This isn’t the first security issue for Mastodon, as the platform had to patch two critical bugs, CVE-2023-36460 and CVE-2023-36459, in July 2023. These bugs were reported by a German testing outfit and involved potential denial of service or remote code execution.


Full Stack Developer

About the Author

I’m passionate about web development and design in all its forms, helping small businesses build and improve their online presence. I spend a lot of time learning new techniques and actively helping other people learn web development through a variety of help groups and writing tutorials for my blog about advancements in web design and development.

View Articles