CVE-2026-22245
📋 TL;DR
Mastodon's IP address filtering mechanism had incomplete coverage, allowing attackers to bypass protections against local network requests. This enables Server-Side Request Forgery (SSRF) attacks where Mastodon servers can be tricked into making HTTP requests to loopback or internal network addresses. All Mastodon instances running vulnerable versions are affected.
💻 Affected Systems
- Mastodon
📦 What is this software?
Mastodon by Joinmastodon
⚠️ Risk & Real-World Impact
Worst Case
Attackers could access sensitive internal services, retrieve credentials from metadata services, interact with internal APIs, or pivot to other internal systems.
Likely Case
Information disclosure from internal services, potential credential harvesting from local services, or interaction with unprotected internal APIs.
If Mitigated
Limited impact if internal services are properly firewalled, use authentication, or run on non-standard ports.
🎯 Exploit Status
Exploitation requires user interaction to process malicious URLs, but no authentication is needed for the SSRF attack itself.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v4.5.4, v4.4.11, v4.3.17, or v4.2.29
Vendor Advisory: https://github.com/mastodon/mastodon/security/advisories/GHSA-xfrj-c749-jxxq
Restart Required: Yes
Instructions:
1. Backup your Mastodon instance.
2. Update to the patched version using your package manager or deployment method.
3. Restart Mastodon services.
4. Verify the update was successful.
🔧 Temporary Workarounds
Restrict ALLOWED_PRIVATE_ADDRESSES
Limit the ALLOWED_PRIVATE_ADDRESSES configuration to only the IP ranges that are actually required
Edit .env.production or environment variables to restrict ALLOWED_PRIVATE_ADDRESSES
Network Segmentation
Implement network controls to restrict the Mastodon server's access to internal networks
Configure firewall rules to limit Mastodon's outbound connections
🧯 If You Can't Patch
- Implement strict network egress filtering to limit Mastodon's outbound connections
- Monitor for unusual outbound HTTP requests from Mastodon to internal IP ranges
🔍 How to Verify
Check if Vulnerable:
Check Mastodon version against affected versions. Review logs for SSRF attempts to internal IPs.
Check Version:
RAILS_ENV=production bundle exec rails runner 'puts Mastodon::Version.to_s'
(Note: "bundle exec rails -v" prints the Rails framework version, not the Mastodon release; the Mastodon::Version constant is the application's own version string.)
Verify Fix Applied:
Verify Mastodon version is v4.5.4, v4.4.11, v4.3.17, or v4.2.29 or later. Test that local IP requests are properly blocked.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to internal IP addresses from Mastodon
- Failed outbound connection attempts to localhost or private IP ranges
Network Indicators:
- Outbound HTTP requests from Mastodon server to 127.0.0.1, ::1, or private IP ranges
SIEM Query:
source="mastodon.logs" AND (dest_ip=127.0.0.1 OR dest_ip=::1 OR dest_ip IN [10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16])
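The following Ruby snippet is an added example, not code from Mastodon or from this advisory. It illustrates two things described above: the "Restrict ALLOWED_PRIVATE_ADDRESSES" workaround (a non-public address classifier with an explicit allowlist of CIDRs, covering IPv4-mapped IPv6 forms that a naive check misses) and the detection rule expressed by the SIEM query (flagging outbound fetches whose destination falls in loopback or private ranges). The log line format, the sample lines and the comma-separated allowlist parsing are constructed for this example and do not reproduce Mastodon's internal address check.

```ruby
require 'ipaddr'

# Constructed list of non-public ranges a server-side fetcher should refuse:
# IPv4 loopback/private/link-local/CGNAT/unspecified, IPv6 loopback/ULA/link-local.
# IPv4-mapped IPv6 (::ffff:a.b.c.d) is normalised to its embedded IPv4 address first,
# because a range check on the raw IPv6 form would not match 127.0.0.0/8 etc.
BLOCKED_RANGES = %w[
  0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
  172.16.0.0/12 192.168.0.0/16
  ::/128 ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }.freeze

# Parse an ALLOWED_PRIVATE_ADDRESSES-style value (assumed comma-separated CIDRs).
def parse_allowlist(value)
  value.to_s.split(',').map(&:strip).reject(&:empty?).map { |cidr| IPAddr.new(cidr) }
end

# Collapse IPv4-mapped IPv6 addresses to their native IPv4 form.
def normalize(ip)
  addr = IPAddr.new(ip)
  addr.ipv4_mapped? ? addr.native : addr
end

# True when the address must not be fetched: it is non-public and not explicitly
# allowed. Unparsable input is refused rather than passed through to the HTTP client.
def blocked_address?(ip, allowed_private: [])
  addr = normalize(ip)
  return false if allowed_private.any? { |cidr| IPAddr.new(cidr).include?(addr) }
  BLOCKED_RANGES.any? { |range| range.include?(addr) }
rescue IPAddr::InvalidAddressError
  true
end

# Constructed sample outbound-fetch log lines (not real Mastodon log output).
SAMPLE_LOG = <<~LOG
  2026-01-10T12:00:01Z fetch url=https://example.org/actor dest=93.184.216.34 status=200
  2026-01-10T12:00:02Z fetch url=http://localhost:9200/ dest=127.0.0.1 status=200
  2026-01-10T12:00:03Z fetch url=http://[::ffff:10.0.0.5]/ dest=::ffff:10.0.0.5 status=200
  2026-01-10T12:00:04Z fetch url=http://169.254.169.254/ dest=169.254.169.254 status=200
LOG

# Detection counterpart of the SIEM query: return the log lines whose destination
# address is loopback, private or link-local (after IPv4-mapped normalisation).
def flag_internal_fetches(log_text, allowed_private: [])
  log_text.each_line.filter_map do |line|
    dest = line[/\bdest=(\S+)/, 1] or next
    line.strip if blocked_address?(dest, allowed_private: allowed_private)
  end
end

if $PROGRAM_NAME == __FILE__
  allow = parse_allowlist(ENV['ALLOWED_PRIVATE_ADDRESSES'])
  flag_internal_fetches(SAMPLE_LOG, allowed_private: allow.map(&:to_s)).each { |l| puts l }
end
```

Run it against a copy of your own outbound-request log (with the dest= field adapted to your log format) to see which fetches would have been stopped by a complete filter; any match that is not covered by a deliberate ALLOWED_PRIVATE_ADDRESSES entry is worth investigating.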
🔗 References
- https://github.com/mastodon/mastodon/commit/0f4e8a6240b5af1f2c3f34d2793d8610c6ef2aca
- https://github.com/mastodon/mastodon/commit/17022907866710a72a1b1fc0a5ce9538bad1b4c3
- https://github.com/mastodon/mastodon/commit/71ae4cf2cf5138ccdda64b1b1d665849b688686d
- https://github.com/mastodon/mastodon/security/advisories/GHSA-xfrj-c749-jxxq