A critical vulnerability named “TootRoot” has been discovered in Mastodon servers, allowing attackers to gain control over the servers and launch attacks against platform users. The severity of this security flaw, identified as CVE-2023-36460, has been rated at 9.9 out of 10. Mastodon has released an update to address the issue.
According to the vulnerability description, attackers can exploit specially crafted media files to create arbitrary files on the server, bypassing Mastodon’s media processing code. This enables them to overwrite or create files accessible to Mastodon, potentially leading to denial of service attacks and remote code execution. Mastodon has not provided further details regarding the vulnerability.
Security researcher Kevin Beaumont explained on Mastodon that the vulnerability allows an attacker to send a status message, which could be used to install a web shell on the Mastodon server. This would grant them persistent access to the server, enabling further malicious actions. For instance, attackers could send deceptive messages to users, prompting them to install an alleged “update.” The Federation estimates that over 24,000 Mastodon servers are connected to the internet.