CVE-2026-25540

6.5 MEDIUM

📋 TL;DR

Mastodon servers with AUTHORIZED_FETCH enabled are vulnerable to web cache poisoning where ActivityPub endpoints for pinned posts and featured hashtags incorrectly reuse cached responses regardless of the requesting actor. This allows blocked users to potentially see content intended for non-blocked users, or legitimate users to receive empty responses. The vulnerability affects Mastodon instances running vulnerable versions with AUTHORIZED_FETCH enabled.

💻 Affected Systems

Products:
  • Mastodon
Versions: All versions prior to 4.3.19, 4.4.13, and 4.5.6
Operating Systems: All platforms running Mastodon
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when AUTHORIZED_FETCH configuration is enabled. Standard Mastodon installations without this feature are not affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Blocked malicious actors could view sensitive pinned posts or featured hashtags from targeted accounts, potentially exposing private information or organizational details.

🟠 Likely Case

Cache inconsistencies cause blocked users to see content they shouldn't, or legitimate users to receive empty responses for pinned/featured content, disrupting normal social network functionality.

🟢 If Mitigated

With proper access controls and monitoring, impact is limited to temporary cache inconsistencies affecting only the pinned posts and featured hashtags endpoints.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires understanding of Mastodon's ActivityPub implementation and cache behavior, plus access to both blocked and non-blocked accounts.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.3.19, 4.4.13, or 4.5.6

Vendor Advisory: https://github.com/mastodon/mastodon/security/advisories/GHSA-ccpr-m53r-mfwr

Restart Required: Yes

Instructions:

1. Back up your Mastodon instance.
2. Update to version 4.3.19, 4.4.13, or 4.5.6, depending on your current major version.
3. Restart the Mastodon services.
4. Clear the Rails cache: `Rails.cache.clear`

🔧 Temporary Workarounds

Disable AUTHORIZED_FETCH

Platform: all

Temporarily disable the AUTHORIZED_FETCH feature to eliminate the vulnerability until patching is possible.

Set `AUTHORIZED_FETCH=false` in your Mastodon `.env.production` file, then restart the Mastodon services so the new setting takes effect.

Clear Rails Cache Regularly

Platform: linux

Frequently clear the Rails cache to shorten the window in which a poisoned entry can be served. Note that this does not remove the cause; a cache can be re-poisoned by the next request after clearing.

From a Rails console: `Rails.cache.clear`

From the shell: `sudo -u mastodon bundle exec rails cache:clear RAILS_ENV=production`

🧯 If You Can't Patch

  • Disable AUTHORIZED_FETCH configuration immediately
  • Implement strict monitoring of ActivityPub endpoints and cache behavior

🔍 How to Verify

Check if Vulnerable:

Check the Mastodon version and the AUTHORIZED_FETCH setting:

1. Run `RAILS_ENV=production bundle exec rails about` to check the version.
2. Check `.env.production` for `AUTHORIZED_FETCH=true`.

If the version is below the fixed release for its branch (4.3.19, 4.4.13, or 4.5.6) and AUTHORIZED_FETCH is enabled, you are vulnerable.

Check Version:

RAILS_ENV=production bundle exec rails about | grep 'Mastodon'

Verify Fix Applied:

1. Confirm the version is 4.3.19, 4.4.13, or 4.5.6 via `RAILS_ENV=production bundle exec rails about`.
2. Test that blocked and non-blocked users receive the appropriate responses from the pinned posts and featured hashtags endpoints.
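The two checks above (vulnerable version plus AUTHORIZED_FETCH enabled) can be scripted so they are applied the same way across a fleet. The following is an added example, not code from the advisory or from Mastodon: it takes the version string you obtain from `rails about` and the text of `.env.production`, and reports whether the combination is exposed. The fixed releases are the ones the advisory names; the sample `.env` content is constructed, and treating branches newer than 4.5 as fixed is an assumption of this example.

```python
"""Added example, not code from the advisory or from Mastodon: decide whether an
instance is exposed to CVE-2026-25540 from its version string and .env.production.
The version string is the one reported by `RAILS_ENV=production bundle exec rails about`;
here both inputs are constructed sample values."""
import re

# Fixed releases named in the advisory, keyed by release branch.
FIXED_RELEASES = {(4, 3): (4, 3, 19), (4, 4): (4, 4, 13), (4, 5): (4, 5, 6)}
LAST_FIXED_BRANCH = (4, 5)


def parse_version(text):
    """Extract (major, minor, patch) from strings like '4.4.12' or 'v4.5.6-rc1'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no MAJOR.MINOR.PATCH version found in {text!r}")
    return tuple(int(part) for part in m.groups())


def version_is_fixed(version):
    """True when the version is at or above the patched release of its branch.

    Branches below 4.3 never received the fix ("all versions prior to ...").
    Branches above 4.5 are assumed to post-date it (assumption, not stated by the advisory).
    """
    parsed = parse_version(version)
    branch = parsed[:2]
    if branch in FIXED_RELEASES:
        return parsed >= FIXED_RELEASES[branch]
    return branch > LAST_FIXED_BRANCH


def authorized_fetch_enabled(env_text):
    """Parse dotenv-style text; the last uncommented AUTHORIZED_FETCH assignment wins."""
    value = None
    for raw_line in env_text.splitlines():
        line = raw_line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, raw_value = line.partition("=")
        if sep and key.strip() == "AUTHORIZED_FETCH":
            # Drop a trailing inline comment and surrounding quotes.
            value = raw_value.split(" #", 1)[0].strip().strip("'\"").lower()
    return value == "true"


def exposure_status(version, env_text):
    """Return 'not_affected', 'patched' or 'vulnerable' for CVE-2026-25540."""
    if not authorized_fetch_enabled(env_text):
        return "not_affected"  # the bug is only reachable with AUTHORIZED_FETCH on
    return "patched" if version_is_fixed(version) else "vulnerable"


# Constructed .env.production excerpt (sample data, not a real instance).
SAMPLE_ENV = """\
# .env.production excerpt (constructed)
LOCAL_DOMAIN=example.social
AUTHORIZED_FETCH=true
"""

if __name__ == "__main__":
    for ver in ("4.2.9", "4.3.18", "4.3.19", "4.4.12", "4.5.5", "4.5.6"):
        print(f"{ver:<8} {exposure_status(ver, SAMPLE_ENV)}")
```

The check only reads the `AUTHORIZED_FETCH` environment variable, which is what the verification steps above look at; if your deployment enables authorized fetch through another mechanism, confirm that separately.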

📡 Detection & Monitoring

Log Indicators:

  • Unusual cache hits/misses on ActivityPub endpoints
  • Multiple requests to /api/v1/accounts/*/pinned or /api/v1/accounts/*/featured_tags from same IP with different auth

Network Indicators:

  • Repeated ActivityPub requests for pinned/featured content with varying authentication headers

SIEM Query:

source="mastodon.log" AND ("pinned" OR "featured_tags") AND cache AND (blocked OR auth)
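The log indicator above (one client IP requesting the pinned or featured-tags endpoints under several authentication identities) can be checked offline against exported logs. The following is an added example, not part of the advisory or of Mastodon: the log lines are constructed and their format is a simplified access log assumed for this example, so `LINE_RE` must be adapted to your actual log source. The endpoint patterns are the ones listed under Log Indicators.

```python
"""Added example, not part of the advisory: flag client IPs that hit the pinned or
featured-tags endpoints under more than one authentication identity, the pattern
named under Log Indicators. The log format is a constructed, simplified access log
assumed for this example; adapt LINE_RE to the real log source."""
import re
from collections import defaultdict

# Constructed log lines (sample data). Assumed format:
# <timestamp> <client_ip> <method> <path> auth=<HTTP-signature keyId or '-' when unsigned>
SAMPLE_LOG = """\
2026-02-01T10:00:01Z 203.0.113.10 GET /api/v1/accounts/42/featured_tags auth=https://remote.example/users/alice#main-key
2026-02-01T10:00:02Z 203.0.113.10 GET /api/v1/accounts/42/featured_tags auth=https://remote.example/users/mallory#main-key
2026-02-01T10:00:03Z 203.0.113.10 GET /api/v1/accounts/42/pinned auth=-
2026-02-01T10:00:04Z 198.51.100.7 GET /api/v1/accounts/42/pinned auth=https://other.example/users/bob#main-key
2026-02-01T10:00:05Z 198.51.100.7 GET /api/v1/timelines/home auth=https://other.example/users/bob#main-key
this line is malformed and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) auth=(?P<auth>\S+)$"
)
# Endpoint patterns taken from the page's Log Indicators section.
TARGET_RE = re.compile(r"^/api/v1/accounts/[^/]+/(pinned|featured_tags)(/|$)")


def parse_log(text):
    """Return one dict per well-formed line; malformed lines are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def identities_per_ip(events):
    """Map client IP -> set of auth identities it used against the target endpoints."""
    seen = defaultdict(set)
    for e in events:
        if TARGET_RE.match(e["path"]):
            seen[e["ip"]].add(e["auth"])
    return seen


def suspicious_sources(events, min_identities=2):
    """IPs that used at least min_identities distinct identities ('-' = unsigned) on
    the pinned/featured endpoints, as {ip: sorted identities}."""
    return {
        ip: sorted(ids)
        for ip, ids in identities_per_ip(events).items()
        if len(ids) >= min_identities
    }


if __name__ == "__main__":
    for ip, ids in suspicious_sources(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {len(ids)} identities -> {', '.join(ids)}")
```

Treat a hit as a lead rather than proof: a relay or a host serving several instances can legitimately present more than one signing key from a single IP, so correlate the flagged IP with the affected account's block list and with the responses those requests received.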
