Critical Mastodon “TootRoot” Vulnerability Allows Server Hijacking

Mastodon is an open-source, self-hosted social networking service that is maintained as a non-profit. The platform is similar to Twitter, with a lot more features, and is privacy-focused.

It operates on a federated model, has contributors from all over the world, and its repository is hosted on GitHub.

Mastodon was launched in 2016 by its creator, Eugen Rochko. However, it gained extreme popularity only after the acquisition of Twitter by Elon Musk in 2022. The platform has 1.8 million active users, as posted by its creator.

Image: Eugen Rochko posting about 1.8 million active users

Critical “TootRoot” Vulnerability

As per reports, Mastodon has recently fixed five vulnerabilities of high, moderate, and critical severity that posed a potential threat to the platform. The most critical of them, dubbed “TootRoot”, allows threat actors to create a backdoor on servers by sending crafted media files.

These media files cause the media processing code to create arbitrary files at any location on the server. Threat actors can exploit this to create a web shell on the server that acts as a backdoor.

Security researcher Kevin Beaumont investigated this vulnerability and posted about its severity. The vulnerability is tracked as CVE-2023-36460.

Kevin Beaumont about CVE-2023-36460

Other Vulnerability Patches

In addition to this, four other vulnerabilities were patched which include, 

A few of these were found during penetration testing by the Cure53 team. The penetration testing was initiated by Mozilla.

These vulnerabilities must be fixed on the server side, so individual users have no action to take other than checking whether their servers have been updated to the latest version.

These vulnerabilities are fixed in the 3.5.9, 4.0.5, and 4.1.3 versions of Mastodon.
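For administrators tracking several instances, the check described above can be scripted. The following is an added example, not code from Mastodon or from the article: it classifies a reported version string against the three fixed releases listed here. The host names and version strings are constructed, and the treatment of newer release lines and of pre-release tags is an assumption noted in the comments.

```python
import re

# Fixed releases named in the article, keyed by (major, minor) release line.
FIXED = {(3, 5): 9, (4, 0): 5, (4, 1): 3}
_VERSION = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)([^+]*)(\+.*)?$")


def classify(version):
    """Return 'patched', 'vulnerable', 'unlisted' or 'unknown'."""
    m = _VERSION.match(version.strip())
    if not m:
        return "unknown"  # not a recognisable x.y.z version string
    major, minor, patch = (int(g) for g in m.group(1, 2, 3))
    prerelease = m.group(4)  # e.g. "rc1"; "+fork" build metadata is ignored
    line = (major, minor)
    if line > max(FIXED):
        # Assumption: release lines newer than 4.1 already carry the fixes.
        return "patched"
    if line not in FIXED:
        return "unlisted"  # the article names no fixed release for this line
    if patch > FIXED[line]:
        return "patched"
    if patch < FIXED[line]:
        return "vulnerable"
    # Same number as the fixed release: a pre-release tag is treated as
    # predating the fix (conservative assumption).
    return "vulnerable" if prerelease else "patched"


def needs_attention(inventory):
    """Return {host: status} for every server not classified as patched."""
    flagged = {}
    for host, version in inventory.items():
        status = classify(version)
        if status != "patched":
            flagged[host] = status
    return flagged


# Constructed inventory: host -> version string as the server reports it.
SAMPLE = {
    "social.example": "4.1.3",
    "fork.example": "4.1.2+glitch",
    "old.example": "3.4.10",
    "legacy.example": "v3.5.8",
}

if __name__ == "__main__":
    for host, status in needs_attention(SAMPLE).items():
        print(f"{host}: {status}")
```

An "unlisted" result means the server runs a release line for which this article gives no fixed version, so it needs a manual decision rather than a patch-level bump.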


Eswar is a cyber security reporter with a passion for creating captivating and informative content. With years of experience in cyber security, he reports on data breaches, privacy, and APT threats.