CVE-2023-36461

7.5 HIGH

📋 TL;DR

This vulnerability in Mastodon lets a malicious server that Mastodon contacts perform a slowloris-type attack by stretching its HTTP response out indefinitely. Each such response holds a Mastodon worker open, so enough of them exhaust all workers and leave the instance unresponsive. Any Mastodon instance that performs outgoing HTTP queries is affected.

💻 Affected Systems

Products:
  • Mastodon
Versions: All versions prior to 3.5.9, 4.0.5, and 4.1.3
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects instances performing outgoing HTTP queries to external servers.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service denial: all Mastodon workers are kept busy indefinitely, rendering the instance completely unresponsive to legitimate users.

🟠 Likely Case

Degraded performance and intermittent unavailability as workers are tied up by malicious slow responses.

🟢 If Mitigated

Minimal impact with proper timeouts and worker monitoring in place.
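"Proper timeouts" needs one qualification: a per-read timeout only fires when the remote side goes silent. A server that keeps sending a byte at a time never trips it, and the worker waits for the whole body. The Ruby script below is an added example, not Mastodon's code; it uses only the standard library (Net::HTTP) and a constructed local drip server to show how a wall-clock deadline on the whole response catches a slow-drip reply while the per-read timeout does not. The names `start_drip_server`, `fetch_with_deadline` and `classify_fetch` are the example's own.

```ruby
require 'socket'
require 'net/http'

# Raised when a response keeps arriving but takes longer overall than allowed.
class SlowResponseError < StandardError; end

# Constructed test fixture: a local server that sends a valid header and then drips the
# body one byte at a time. Each byte arrives well inside any per-read timeout, so only
# an overall deadline stops the client from waiting for the entire body.
def start_drip_server(total_bytes:, delay:)
  server = TCPServer.new('127.0.0.1', 0)
  Thread.new do
    loop do
      conn = server.accept
      Thread.new(conn) do |c|
        begin
          while (line = c.gets) && line != "\r\n"; end   # discard the request headers
          c.write "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: #{total_bytes}\r\n\r\n"
          total_bytes.times { c.write 'x'; c.flush; sleep delay }
        rescue IOError, Errno::EPIPE, Errno::ECONNRESET
          # the client gave up: expected once it enforces its deadline
        ensure
          c.close rescue nil
        end
      end
    end
  end
  server.addr[1]   # the ephemeral port the server listens on
end

# Fetch with two complementary limits: read_timeout covers a connection that goes silent,
# total_timeout covers a connection that keeps sending but never finishes.
def fetch_with_deadline(port, read_timeout:, total_timeout:)
  deadline = Process.clock_gettime(Process::CLOCK_MONOTONIC) + total_timeout
  http = Net::HTTP.new('127.0.0.1', port)
  http.open_timeout = read_timeout
  http.read_timeout = read_timeout
  http.max_retries = 0            # never silently re-issue a request that already timed out
  body = +''
  http.start do |conn|
    conn.request_get('/') do |resp|
      resp.read_body do |chunk|   # called as each piece of the body arrives
        body << chunk
        if Process.clock_gettime(Process::CLOCK_MONOTONIC) > deadline
          raise SlowResponseError, "response still streaming after #{total_timeout}s"
        end
      end
    end
  end
  body
end

# Classify the outcome so a caller can tell which limit fired.
def classify_fetch(port, read_timeout:, total_timeout:)
  [:ok, fetch_with_deadline(port, read_timeout: read_timeout, total_timeout: total_timeout)]
rescue SlowResponseError
  [:slow_response, nil]
rescue Net::OpenTimeout, Net::ReadTimeout
  [:read_timeout, nil]
end

if $PROGRAM_NAME == __FILE__
  fast = start_drip_server(total_bytes: 5, delay: 0.01)
  slow = start_drip_server(total_bytes: 400, delay: 0.05)   # ~20 s of dripping if nothing stops it
  p classify_fetch(fast, read_timeout: 1, total_timeout: 2)    # [:ok, "xxxxx"]
  p classify_fetch(slow, read_timeout: 1, total_timeout: 0.5)  # [:slow_response, nil]
end
```

The slow server sends a byte every 50 ms, far inside the one-second read timeout, so without the deadline the worker would sit on this response for the full 20 seconds; the deadline returns it after half a second. The two limits are not interchangeable: keep both.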

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires controlling a server that Mastodon queries, making it accessible to anyone who can set up a malicious server.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.5.9, 4.0.5, or 4.1.3

Vendor Advisory: https://github.com/mastodon/mastodon/security/advisories

Restart Required: Yes

Instructions:

1. Back up your Mastodon instance.
2. Update to version 3.5.9, 4.0.5, or 4.1.3 using your package manager or from source.
3. Restart Mastodon services.
4. Verify the update was successful.

🔧 Temporary Workarounds

Rate limit outgoing HTTP requests (platform: all)

Implement rate limiting on outgoing HTTP queries to reduce the impact of slowloris attacks. Configure it in Mastodon's environment variables or reverse proxy settings. Rate limiting bounds how many workers can be tied up at once; it does not shorten an individual slow response, which only an overall request timeout does.

Monitor worker processes (platform: linux)

Set up monitoring for worker process health and implement automatic restarts. Use systemd or a process manager to monitor and restart stuck workers.

🧯 If You Can't Patch

  • Implement network-level protections like WAF with slowloris detection
  • Isolate Mastodon instance and restrict outgoing HTTP connections to trusted servers only

🔍 How to Verify

Check if Vulnerable:

Check Mastodon version against affected versions: prior to 3.5.9, 4.0.5, and 4.1.3

Check Version:

RAILS_ENV=production bundle exec rails runner 'puts Mastodon::Version.to_s'

(`rails --version` reports the Rails framework version, not Mastodon's. The instance's public API also exposes the running version: `curl -s https://<your-instance>/api/v1/instance | jq -r .version`, with `<your-instance>` replaced by your own hostname.)

Verify Fix Applied:

Confirm version is 3.5.9, 4.0.5, or 4.1.3 or later

📡 Detection & Monitoring

Log Indicators:

  • Long-duration HTTP requests in logs
  • Worker process timeouts
  • Increased error rates for outgoing requests

Network Indicators:

  • Unusually slow HTTP responses from external servers
  • High number of concurrent connections to single external host

SIEM Query:

source="mastodon.logs" AND (http_duration > 30s OR error="timeout")
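The indicators above can be checked mechanically. The following Ruby script is an added example, not Mastodon's code or log format: it assumes a constructed JSON-lines log (the field names `event`, `host`, `duration_ms` and `error` are made up for the example) and flags external hosts with responses over the 30 s threshold used in the query above, with timeouts, or with several overlapping in-flight requests, which is the "high number of concurrent connections to single external host" indicator computed from start times and durations.

```ruby
require 'json'
require 'time'

SLOW_THRESHOLD_MS = 30_000    # the page's "http_duration > 30s"
CONCURRENCY_THRESHOLD = 3     # assumed: alert when this many requests to one host overlap

# Constructed sample log (not Mastodon's real format): one JSON object per request with
# its start time, the remote host and how long it took. One line is deliberately corrupt.
SAMPLE_LOG = <<~LOG
  {"ts":"2023-07-06T10:00:00Z","event":"outbound_http","host":"good.example","duration_ms":180,"status":200}
  {"ts":"2023-07-06T10:00:01Z","event":"outbound_http","host":"slow.example","duration_ms":61000,"status":200}
  {"ts":"2023-07-06T10:00:02Z","event":"outbound_http","host":"slow.example","duration_ms":60000,"error":"timeout"}
  {"ts":"2023-07-06T10:00:03Z","event":"outbound_http","host":"slow.example","duration_ms":59000,"error":"timeout"}
  {"ts":"2023-07-06T10:00:04Z","event":"outbound_http","host":"good.example","duration_ms":95,"status":200}
  {"ts":"2023-07-06T10:00:05Z","event":"inbound_http","path":"/api/v1/timelines/home","duration_ms":40,"status":200}
  not json: a corrupted line the parser must survive
  {"ts":"2023-07-06T10:01:30Z","event":"outbound_http","host":"slow.example","duration_ms":58000,"error":"timeout"}
LOG

# Parse JSON lines, keeping only well-formed outbound_http records.
def parse_outbound(log_text)
  log_text.each_line.filter_map do |line|
    rec = begin
      JSON.parse(line)
    rescue JSON::ParserError
      nil                         # skip malformed lines rather than abort monitoring
    end
    next unless rec && rec['event'] == 'outbound_http' && rec['host'] && rec['ts']
    start = Time.iso8601(rec['ts'])
    dur = rec['duration_ms'].to_i
    { host: rec['host'], start: start, finish: start + dur / 1000.0,
      duration_ms: dur, timeout: rec['error'] == 'timeout' }
  end
end

# Peak number of overlapping requests to one host (sweep line over start/finish events).
def peak_concurrency(requests)
  events = requests.flat_map { |r| [[r[:start], 1], [r[:finish], -1]] }
  # On equal timestamps process finishes (-1) before starts (+1), so back-to-back
  # requests are not counted as overlapping.
  events.sort_by! { |t, delta| [t, delta] }
  peak = current = 0
  events.each { |_, delta| current += delta; peak = current if current > peak }
  peak
end

# Per-host summary of the three indicators; returns only hosts worth alerting on.
def suspicious_hosts(log_text)
  parse_outbound(log_text).group_by { |r| r[:host] }.filter_map do |host, reqs|
    slow = reqs.count { |r| r[:duration_ms] > SLOW_THRESHOLD_MS }
    timeouts = reqs.count { |r| r[:timeout] }
    peak = peak_concurrency(reqs)
    next if slow.zero? && timeouts.zero? && peak < CONCURRENCY_THRESHOLD
    { host: host, slow: slow, timeouts: timeouts, peak_concurrency: peak }
  end
end

if $PROGRAM_NAME == __FILE__
  suspicious_hosts(SAMPLE_LOG).each do |h|
    puts "ALERT #{h[:host]}: #{h[:slow]} slow, #{h[:timeouts]} timeouts, peak #{h[:peak_concurrency]} in flight"
  end
end
```

On the sample, `good.example` is never reported, while `slow.example` shows four responses over the threshold, three timeouts and three requests in flight at once. Feed it real outbound-request logs by replacing `SAMPLE_LOG` with the file contents; the thresholds are the two constants at the top.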

🔗 References
