CVE-2023-36459
📋 TL;DR
This vulnerability allows attackers to inject arbitrary HTML into Mastodon oEmbed preview cards by bypassing HTML sanitization. When users click on malicious links with crafted oEmbed data, cross-site scripting (XSS) payloads can execute in their browsers. All Mastodon instances running affected versions are vulnerable.
💻 Affected Systems
- Mastodon
📦 What is this software?
Mastodon by Joinmastodon
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal user sessions, perform account takeovers, spread malware, or conduct phishing attacks by executing arbitrary JavaScript in victims' browsers.
Likely Case
Attackers will craft malicious links that, when shared, execute XSS payloads to steal session cookies or perform actions on behalf of logged-in users.
If Mitigated
With proper Content Security Policy (CSP) headers and other browser security controls, impact may be limited to specific browser contexts.
🎯 Exploit Status
The vulnerability has been publicly disclosed with technical details available. Crafting malicious oEmbed data requires understanding of the bypass technique but is straightforward for attackers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.5.9, 4.0.5, or 4.1.3
Vendor Advisory: https://github.com/mastodon/mastodon/security/advisories/GHSA-ccm4-vgcc-73hp
Restart Required: Yes
Instructions:
1. Backup your Mastodon instance.
2. Update to version 3.5.9, 4.0.5, or 4.1.3 using your package manager or from source.
3. Restart Mastodon services.
4. Verify the update was successful.
🔧 Temporary Workarounds
Disable oEmbed Previews
Temporarily disable oEmbed link previews to prevent exploitation while patching.
Set `OEMBED_ENABLED=false` in Mastodon environment configuration
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to limit XSS impact
- Monitor for suspicious oEmbed data patterns and block malicious domains
🔍 How to Verify
Check if Vulnerable:
Check Mastodon version against affected ranges: 1.3-3.5.8, 4.0.0-4.0.4, 4.1.0-4.1.2
Check Version:
- For Docker: `docker exec mastodon_web bundle exec rails runner 'puts Mastodon::Version.to_s'`
- For source: check `Gemfile.lock` for the mastodon version
Verify Fix Applied:
Verify the running version is 3.5.9, 4.0.5, 4.1.3, or later.
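The version check above is easy to get wrong by hand because the affected ranges span three release lines. The following Ruby script is an added example, not Mastodon's own code: it takes the string that `rails runner 'puts Mastodon::Version.to_s'` prints and classifies it against the affected ranges and fixed versions listed on this page. The script name `check_cve_2023_36459.rb` and the `:out_of_scope` result for versions older than the listed ranges are assumptions of this example.

```ruby
# Added example, not Mastodon's own code: classify a Mastodon version string
# against the affected and fixed versions this page lists for CVE-2023-36459.
require 'rubygems' # Gem::Version ships with Ruby; handles 1.3 == 1.3.0 etc.

# Affected ranges as given on this page (inclusive bounds).
AFFECTED_RANGES = [
  ['1.3', '3.5.8'],
  ['4.0.0', '4.0.4'],
  ['4.1.0', '4.1.2']
].freeze

# The oldest release carrying the fix; every later fixed release (4.0.5, 4.1.3, ...)
# sorts above it, and the 4.x gaps are covered by the ranges above.
FIRST_FIXED = Gem::Version.new('3.5.9')

# Normalise the string `rails runner 'puts Mastodon::Version.to_s'` prints:
# strip whitespace, an optional leading "v", and any build metadata after "+".
def parse_version(str)
  Gem::Version.new(str.strip.sub(/\Av/, '').split('+').first)
end

# Returns :vulnerable, :patched, or :out_of_scope (older than the ranges this
# page covers; the symbol name is this example's own convention).
def assess(version_string)
  v = parse_version(version_string)
  in_range = AFFECTED_RANGES.any? do |lo, hi|
    v >= Gem::Version.new(lo) && v <= Gem::Version.new(hi)
  end
  return :vulnerable if in_range

  v >= FIRST_FIXED ? :patched : :out_of_scope
end

# Command-line use (hypothetical file name):
#   ruby check_cve_2023_36459.rb "$(docker exec mastodon_web bundle exec rails runner 'puts Mastodon::Version.to_s')"
if $PROGRAM_NAME == __FILE__ && !ARGV.empty?
  ARGV.each { |arg| puts "#{arg.strip}: #{assess(arg)}" }
end
```

`Gem::Version` is used rather than string comparison so that `4.0.10` sorts above `4.0.4` and `1.3` equals `1.3.0`; a version string `Gem::Version` cannot parse raises `ArgumentError`, which is the right outcome for an unrecognised build.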
📡 Detection & Monitoring
Log Indicators:
- Unusual oEmbed requests with HTML/JavaScript payloads
- Multiple failed oEmbed parsing attempts
Network Indicators:
- Requests to known malicious domains in oEmbed data
- Unusual outbound connections after clicking links
SIEM Query:
source="mastodon" AND (oembed OR preview) AND (html OR script OR javascript)
🔗 References
- http://www.openwall.com/lists/oss-security/2023/07/06/5
- https://github.com/mastodon/mastodon/commit/6d8e0fae3e96f3cf4febe03fa7fcf5b95ff761b2
- https://github.com/mastodon/mastodon/releases/tag/v3.5.9
- https://github.com/mastodon/mastodon/releases/tag/v4.0.5
- https://github.com/mastodon/mastodon/releases/tag/v4.1.3
- https://github.com/mastodon/mastodon/security/advisories/GHSA-ccm4-vgcc-73hp