Mastodon is a free, open-source social network server based on ActivityPub. Prior to 4.5.10, 4.4.17, and 4.3.23, when using Ruby versions older than 3.4, PrivateAddressCheck.private_address? returns false for IPv4-mapped IPv6 addresses (::ffff:a.b.c.d) corresponding to some private IPv4 addresses, depending on Ruby version, this can include loopback, RFC1918 private networks, and link-local space. An attacker who controls DNS for any domain can publish an AAAA record with such a mapped address; any outbound HTTP fetch Mastodon performs against that hostname then opens a real TCP connection to the underlying IPv4 address, including 127.0.0.1 and cloud-metadata endpoints such as 169.254.169.254. This vulnerability is fixed in 4.5.10, 4.4.17, and 4.3.23.
Metrics
Affected Vendors & Products
References
History
Thu, 25 Jun 2026 16:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Thu, 25 Jun 2026 13:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Joinmastodon
Joinmastodon mastodon |
|
| Vendors & Products |
Joinmastodon
Joinmastodon mastodon |
Wed, 24 Jun 2026 20:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Mastodon is a free, open-source social network server based on ActivityPub. Prior to 4.5.10, 4.4.17, and 4.3.23, when using Ruby versions older than 3.4, PrivateAddressCheck.private_address? returns false for IPv4-mapped IPv6 addresses (::ffff:a.b.c.d) corresponding to some private IPv4 addresses, depending on Ruby version, this can include loopback, RFC1918 private networks, and link-local space. An attacker who controls DNS for any domain can publish an AAAA record with such a mapped address; any outbound HTTP fetch Mastodon performs against that hostname then opens a real TCP connection to the underlying IPv4 address, including 127.0.0.1 and cloud-metadata endpoints such as 169.254.169.254. This vulnerability is fixed in 4.5.10, 4.4.17, and 4.3.23. | |
| Title | Mastodon: SSRF protection bypass on older Ruby versions | |
| Weaknesses | CWE-184 CWE-200 CWE-918 |
|
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: GitHub_M
Published: 2026-06-24T19:41:21.150Z
Updated: 2026-06-25T15:40:38.972Z
Reserved: 2026-05-19T19:22:45.729Z
Link: CVE-2026-47389
Updated: 2026-06-25T15:40:33.799Z
No data.
No data.