Mastodon has issued a call to action for admins after a critical vulnerability was disclosed, affecting the decentralized social network popular among former Twitter users. The vulnerability, tracked as CVE-2024-23832, carries a severity score of 9.4 and potentially allows attackers to remotely take over Mastodon accounts.
Eugen Rochko, CEO and lead developer of Mastodon, stated that due to insufficient origin validation, attackers can impersonate and take over any remote account. Vulnerable versions include all Mastodon versions prior to 3.5.17, 4.0.x versions prior to 4.0.13, 4.1.x versions prior to 4.1.13, and 4.2.x versions prior to 4.2.5.
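The affected ranges above are easy to misread when an instance reports a pre-release or a forked build string, so here is a small checker written for this article (not code from Mastodon or the advisory) that maps a version string to the advisory's ranges. The version ranges are the ones quoted above; the parsing rules, the `is_affected` / `affected_servers` helpers and the sample inventory of server names and versions are this example's own constructions. A pre-release such as `4.2.5-rc1` is deliberately treated as older than `4.2.5`, and a branch the advisory does not mention (for example `4.3.x`) returns `None` rather than a guess.

```python
"""Classify Mastodon version strings against the CVE-2024-23832 affected ranges.

Added example for this article; the fixed versions come from the advisory as
quoted in the text, everything else here is constructed for illustration.
"""
import re

# Minimum patched version per release branch, as listed in the advisory:
# 3.5.x -> 3.5.17, 4.0.x -> 4.0.13, 4.1.x -> 4.1.13, 4.2.x -> 4.2.5.
# Anything older than 3.5.17 (3.4 and earlier included) is also affected.
FIXED_VERSIONS = {
    (3, 5): (3, 5, 17),
    (4, 0): (4, 0, 13),
    (4, 1): (4, 1, 13),
    (4, 2): (4, 2, 5),
}
OLDEST_FIXED = (3, 5, 17)

# Accepts "4.2.3", "v4.2.3", "4.2.5-rc1" (pre-release) and "4.2.3+glitch" (build metadata).
_VERSION_RE = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?(?:\+[0-9A-Za-z.]+)?$"
)


def parse_version(text):
    """Return (major, minor, patch, release_flag) for a Mastodon version string.

    release_flag is 0 for a pre-release ("-rc1") and 1 for a final release, so a
    pre-release of the fixed version sorts *below* the fix and is still flagged.
    Build metadata after "+" (e.g. forks such as "+glitch") does not change ordering.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, prerelease = m.groups()
    return (int(major), int(minor), int(patch), 0 if prerelease else 1)


def is_affected(version_text):
    """True if the version falls in an affected range, False if it is at or above
    the fix for its branch, None if the advisory says nothing about that branch."""
    v = parse_version(version_text)
    branch = v[:2]
    if branch in FIXED_VERSIONS:
        return v < FIXED_VERSIONS[branch] + (1,)
    if v < OLDEST_FIXED + (1,):
        return True          # older branches (3.4 and earlier) are all affected
    return None              # newer/unknown branch: consult the advisory directly


def affected_servers(inventory):
    """Given {server_name: version_string}, return (affected, unknown) name lists,
    each sorted, so an admin can see at a glance which instances still need work."""
    affected, unknown = [], []
    for name, version in inventory.items():
        status = is_affected(version)
        if status is True:
            affected.append(name)
        elif status is None:
            unknown.append(name)
    return sorted(affected), sorted(unknown)


if __name__ == "__main__":
    # Constructed sample inventory; the hostnames are placeholders, not real instances.
    sample = {
        "social.example.test": "4.2.4",
        "fedi.example.test": "4.2.5",
        "old.example.test": "3.4.8",
        "rc.example.test": "4.2.5-rc1",
        "fork.example.test": "4.1.13+glitch",
        "next.example.test": "4.3.0",
    }
    needs_upgrade, check_manually = affected_servers(sample)
    print("affected:", needs_upgrade)
    print("not covered by advisory:", check_manually)
```

Feed it the version field an instance reports and treat `None` as "read the advisory", not as "safe"; the point of the pre-release rule is that a release candidate of the fixed version is still on the wrong side of the fix.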
Rochko plans to publish full details of the vulnerability on February 15 and has urged admins to upgrade to the latest version within two weeks. The decentralized nature of Mastodon means that each server must be individually updated by its respective administrators.
Thanks to the rapid dissemination of the security advisory, more than half of all active servers have already upgraded to the latest version. This isn’t the first security issue for Mastodon: in July 2023 the platform had to patch two critical bugs, CVE-2023-36460 and CVE-2023-36459, which were reported by a German testing outfit and involved potential denial of service or remote code execution.