CVE-2026-47389 | Mastodon is a free, open-source social network server based … | CVSS 8.6 HIGH

Description

Mastodon is a free, open-source social network server based on ActivityPub. Prior to 4.5.10, 4.4.17, and 4.3.23, when using Ruby versions older than 3.4, PrivateAddressCheck.private_address? returns false for IPv4-mapped IPv6 addresses (::ffff:a.b.c.d) corresponding to some private IPv4 addresses, depending on Ruby version, this can include loopback, RFC1918 private networks, and link-local space. An attacker who controls DNS for any domain can publish an AAAA record with such a mapped address; any outbound HTTP fetch Mastodon performs against that hostname then opens a real TCP connection to the underlying IPv4 address, including 127.0.0.1 and cloud-metadata endpoints such as 169.254.169.254. This vulnerability is fixed in 4.5.10, 4.4.17, and 4.3.23.

Metadata

CVE ID: CVE-2026-47389
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-05-19 19:22 UTC
Published: 2026-06-24 19:41 UTC
Last updated: 2026-06-24 19:41 UTC
Primary CWE: CWE-184
CWE-184: Incomplete List of Disallowed Inputs
Vendor / Product: mastodon / mastodon
Sources: cve.org · NVD

Severity & Metrics

8.6 HIGH CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Affected products (1)

Vendor	Product	Platform	Versions
mastodon	mastodon	—	>= 4.5.0-beta.1, < 4.5.10

Weakness (CWE)

CWE	Source	Description
CWE-184	cna	CWE-184: Incomplete List of Disallowed Inputs
CWE-200	cna	CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CWE-918	cna	CWE-918: Server-Side Request Forgery (SSRF)

CVSS scores (1)

Score	Severity	Version	Source	Vector
8.6	HIGH	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

References (1)

https://github.com/mastodon/mastodon/security/advisories/GHSA-xx55-4rrg-8xg6 https://github.com/mastodon/mastodon/security/advisories/GHSA-xx55-4rrg-8xg6