CVE-2026-23963
📋 TL;DR
Mastodon versions before v4.3.18, v4.4.12 and v4.5.5 do not limit the length of list titles, filter titles or filter keywords. Any authenticated user can submit arbitrarily long values through the web interface or the REST API, consuming disproportionate storage and processing resources and degrading the instance for other users. A user can also degrade their own session by setting extremely long values.
💻 Affected Systems
- Mastodon
📦 What is this software?
Mastodon by Joinmastodon
⚠️ Risk & Real-World Impact
Worst Case
Malicious users could create numerous lists/filters with extremely long names/keywords, exhausting server storage and memory resources, causing service degradation or denial-of-service for all users.
Likely Case
Individual users accidentally or intentionally setting very long names that consume disproportionate resources, potentially slowing down their own interface and affecting server performance.
If Mitigated
With proper input validation and length limits, only legitimate list/filter names are allowed, preventing resource exhaustion attacks.
🎯 Exploit Status
Exploitation requires authenticated user access but is trivial to execute via API or web interface.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v4.5.5, v4.4.12, or v4.3.18 (the first fixed release on the 4.5, 4.4 and 4.3 branches respectively; upgrade within your branch)
Vendor Advisory: https://github.com/mastodon/mastodon/security/advisories/GHSA-6x3w-9g92-gvf3
Restart Required: Yes
Instructions:
1. Back up your Mastodon instance (database and storage) before upgrading.
2. Update to the fixed release for your branch (v4.3.18, v4.4.12 or v4.5.5) using your usual update method.
3. Restart the Mastodon services (web, streaming and Sidekiq).
4. Verify that the running version is the fixed one.
🔧 Temporary Workarounds
Rate limit list/filter creation
Implement rate limiting on the list and filter creation and update endpoints to slow abuse.
Configure rate limiting in your reverse proxy (nginx/apache) or application firewall, scoped to the list/filter API paths. This only caps how many requests an account can send; a single request can still carry an arbitrarily long name, so pair it with a body-size or field-length limit.
Monitor for abnormal list/filter creation
Set up monitoring for unusually frequent list/filter creation or large payload sizes.
Set up log monitoring for POST and PUT requests to /api/v1/lists, /api/v1/filters, /api/v2/filters and /api/v2/filters/:id/keywords.
🧯 If You Can't Patch
- Implement strict input validation at the web application firewall level to reject list/filter titles and filter keywords exceeding a reasonable length (e.g., 255 characters). The check has to cover update requests as well as creation, and both JSON and form-encoded bodies, since the Mastodon API accepts either.
- Monitor server resource usage and set up alerts for abnormal memory/storage consumption patterns.
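A request filter of the kind the first rule describes, added here as an example and not taken from Mastodon or the advisory. It assumes the paths and parameter names of the public Mastodon API (lists take title, v2 filters take title plus keywords_attributes[].keyword, v1 filters take phrase) and uses the 255-character cap suggested above. should_reject() is what a WAF or proxy hook would call once it has the request method, path (without query string), content type and raw body; it refuses any list/filter creation or update carrying a string longer than the cap, and it walks the whole body rather than naming fields so that nested keyword attributes are covered too:

```python
"""Front-door length check for Mastodon list/filter writes (added example,
not Mastodon code). Field names follow the public API; the 255-character cap
is this page's suggestion, not a value from the advisory."""
import json
import re
from urllib.parse import parse_qsl

MAX_LEN = 255  # assumed cap; long enough for any legitimate title or keyword

# Endpoints that create or update list titles, filter titles and filter keywords.
WRITE_PATHS = re.compile(
    r"^/api/v1/lists(/\d+)?$|"                # POST create, PUT update
    r"^/api/v[12]/filters(/\d+)?$|"           # v1 phrase / v2 title + keywords
    r"^/api/v2/filters/\d+/keywords$|"        # add a keyword to a filter
    r"^/api/v1/filters/keywords/\d+$"         # update a single keyword
)
WRITE_METHODS = {"POST", "PUT", "PATCH"}


def _string_values(value):
    """Yield every string nested anywhere inside a decoded JSON body."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for v in value.values():
            yield from _string_values(v)
    elif isinstance(value, list):
        for v in value:
            yield from _string_values(v)


def body_strings(content_type, body):
    """Decode a JSON or form-encoded body into the list of its string values.

    Multipart bodies are not handled here; block or parse them separately.
    """
    ctype = content_type.split(";")[0].strip().lower()
    if ctype == "application/json":
        try:
            return list(_string_values(json.loads(body or b"null")))
        except ValueError:
            return []  # malformed JSON: Rails rejects it before validation anyway
    if ctype == "application/x-www-form-urlencoded":
        # keywords_attributes[][keyword]=... arrives as ordinary key/value pairs
        return [v for _, v in parse_qsl(body.decode("utf-8", "replace"))]
    return []


def should_reject(method, path, content_type, body, max_len=MAX_LEN):
    """True if this is a list/filter write carrying any string over max_len."""
    if method.upper() not in WRITE_METHODS or not WRITE_PATHS.match(path):
        return False
    return any(len(s) > max_len for s in body_strings(content_type, body))


if __name__ == "__main__":
    huge = json.dumps({"title": "A" * 5000}).encode()
    print("reject 5000-char list title:",
          should_reject("POST", "/api/v1/lists", "application/json", huge))
```

Length is measured in code points, matching how Rails length validations count, and the check deliberately ignores requests to other endpoints (a 400-character status is legitimate) so it cannot be turned into a self-inflicted outage.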
🔍 How to Verify
Check if Vulnerable:
Check the Mastodon version via the admin interface or on the command line. If the version is earlier than the fixed release for its branch (v4.3.18 on 4.3.x, v4.4.12 on 4.4.x, v4.5.5 on 4.5.x), the instance is vulnerable.
Check Version:
Run RAILS_ENV=production bin/tootctl version from the Mastodon directory as the mastodon user, read the version field returned by the unauthenticated /api/v1/instance endpoint, or look at the version shown in the admin interface.
Verify Fix Applied:
After patching, verify the version shows v4.5.5, v4.4.12, or v4.3.18. Then, from a test account, try to create a list or filter with an extremely long name (>1000 characters): a patched instance rejects it with a validation error (HTTP 422 from the API) instead of saving it. If it is saved, the instance is still vulnerable; delete the test list or filter afterwards.
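The two checks above as a script, added here as an example and not part of the advisory or the Mastodon code base. It reads the version the instance advertises at the unauthenticated /api/v1/instance endpoint, compares it with the fixed releases listed on this page, and optionally tries to create a list with a 2000-character title using an access token that has the write:lists scope. Assumptions, marked in the code: release lines newer than 4.5 are treated as fixed (the advisory does not say so), pre-release suffixes are ignored, and a refused create is recognised by a 4xx response (a patched instance fails model validation, which the Mastodon API reports as 422):

```python
"""Version triage and live probe for CVE-2026-23963 (added example)."""
import json
import re
import urllib.error
import urllib.request

# First fixed patch level on each release line, from the advisory.
FIXED = {(4, 3): 18, (4, 4): 12, (4, 5): 5}


def parse_version(version):
    """(major, minor, patch) from '4.4.12', 'v4.5.5' or '4.3.18+glitch'.

    Pre-release and build suffixes are ignored, so an rc build of a fixed
    version reads as fixed here: confirm those by hand.
    """
    m = re.match(r"\s*v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version):
    """True if this version predates the fix on its release line."""
    major, minor, patch = parse_version(version)
    line = (major, minor)
    if line in FIXED:
        return patch < FIXED[line]
    if line < (4, 3):
        return True   # unsupported lines never received the fix
    return False      # assumption: lines newer than 4.5 were cut with the fix


def instance_version(base_url, opener=urllib.request.urlopen):
    """Version advertised by the unauthenticated /api/v1/instance endpoint."""
    req = urllib.request.Request(f"{base_url.rstrip('/')}/api/v1/instance")
    with opener(req) as resp:
        return json.load(resp)["version"]


def probe_long_list_title(base_url, token, length=2000,
                          opener=urllib.request.urlopen):
    """Try to create a list with a `length`-character title.

    Returns True if the server refused it (4xx; a patched instance answers
    422 on validation failure) and False if it was created, in which case
    the instance is still exploitable and the test list should be deleted.
    """
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v1/lists",
        data=json.dumps({"title": "A" * length}).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    try:
        with opener(req) as resp:
            return not (200 <= resp.status < 300)
    except urllib.error.HTTPError as err:
        return 400 <= err.code < 500


if __name__ == "__main__":
    import os
    import sys
    base = sys.argv[1]                      # e.g. https://mastodon.example
    ver = instance_version(base)
    print(f"{base} reports {ver}: {'VULNERABLE' if is_vulnerable(ver) else 'fixed'}")
    token = os.environ.get("MASTODON_TOKEN")  # token with write:lists scope
    if token:
        print("long title rejected:", probe_long_list_title(base, token))
```

Run the version check against your own instances only; the probe creates real data on an unpatched server, so use a throwaway account and clean up.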
📡 Detection & Monitoring
Log Indicators:
- Unusually large POST or PUT request bodies to list/filter creation and update endpoints (nginx's default combined log format does not record request size; add $request_length to the log format to see it)
- Multiple rapid list/filter creation requests from single user accounts
- Increased memory/storage usage alerts
Network Indicators:
- Large HTTP POST/PUT requests to /api/v1/lists, /api/v1/filters or /api/v2/filters endpoints
- Increased response times for list/filter related operations
SIEM Query:
source="mastodon.logs" AND (uri_path="/api/v1/lists" OR uri_path="/api/v1/filters" OR uri_path="/api/v2/filters*") AND (http_method="POST" OR http_method="PUT") AND request_size>10000
(Field names are illustrative and depend on your log pipeline; request_size requires that the proxy log the request length, which nginx's default combined format does not.)
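The log indicators above as detection logic over constructed nginx access-log lines; this is an added example, not a rule from this page or from Mastodon. It assumes a custom nginx log_format that appends $request_length (request line, headers and body) after the standard combined fields, because the default format records only bytes sent. oversized() implements the payload-size indicator and bursts() the rapid-creation indicator, both restricted to list and filter writes (POST/PUT/PATCH to the v1 lists and v1/v2 filters endpoints); the sample log is constructed and contains one normal client and one abusive one:

```python
"""Detection for CVE-2026-23963 abuse in nginx access logs (added example).

Assumes a log_format such as:
  log_format mastodon '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" $request_length';
"""
import re
from collections import defaultdict
from datetime import datetime

LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+ '
    r'"[^"]*" "[^"]*" (?P<req_len>\d+)$'
)
# v1 lists, v1/v2 filters and v2 filter keywords, with or without an id suffix.
TARGET = re.compile(r"^/api/v[12]/(lists|filters)(/|\?|$)")
WRITE_METHODS = {"POST", "PUT", "PATCH"}


def parse(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["req_len"] = int(rec["req_len"])
    return rec


def list_filter_writes(lines):
    """Parsed entries that create or update lists, filters or keywords."""
    for line in lines:
        rec = parse(line)
        if rec and rec["method"] in WRITE_METHODS and TARGET.match(rec["path"]):
            yield rec


def oversized(lines, threshold=10_000):
    """(ip, path, request_length) for writes larger than threshold bytes."""
    return [(r["ip"], r["path"], r["req_len"])
            for r in list_filter_writes(lines) if r["req_len"] > threshold]


def bursts(lines, window_seconds=60, max_writes=20):
    """{ip: peak} for clients exceeding max_writes writes in any sliding window."""
    times = defaultdict(list)
    for r in list_filter_writes(lines):
        times[r["ip"]].append(r["ts"])
    flagged = {}
    for ip, ts in times.items():
        ts.sort()
        start = peak = 0
        for end, t in enumerate(ts):
            while (t - ts[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_writes:
            flagged[ip] = peak
    return flagged


def _sample_log():
    """Constructed lines: a normal client (198.51.100.2) and an abuser (203.0.113.7)."""
    fmt = ('{ip} - - [05/Mar/2026:10:00:{sec:02d} +0000] "{method} {path} HTTP/1.1" '
           '200 180 "-" "Tusky/27" {req_len}')
    lines = [
        fmt.format(ip="198.51.100.2", sec=0, method="POST", path="/api/v1/lists", req_len=412),
        fmt.format(ip="198.51.100.2", sec=5, method="GET", path="/api/v1/lists", req_len=310),
        # a ~256 KiB list title and a ~1 MiB filter update
        fmt.format(ip="203.0.113.7", sec=1, method="POST", path="/api/v1/lists", req_len=262_557),
        fmt.format(ip="203.0.113.7", sec=2, method="PUT", path="/api/v2/filters/42", req_len=1_049_010),
    ]
    # 25 keyword additions in 25 seconds from the same client.
    lines += [fmt.format(ip="203.0.113.7", sec=30 + i, method="POST",
                         path="/api/v2/filters/42/keywords", req_len=520)
              for i in range(25)]
    return lines


SAMPLE_LOG = _sample_log()

if __name__ == "__main__":
    print("oversized:", oversized(SAMPLE_LOG))
    print("bursts:", bursts(SAMPLE_LOG))
```

Tune the thresholds to your instance: 10,000 bytes is far above any legitimate list or filter payload, and the burst limit should sit above what a mobile client does when it syncs filters after login. Keying on the client IP is a proxy for the account; if your proxy logs the OAuth token hash or your Rails logs carry the account id, group on that instead so shared NAT addresses do not produce false positives.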