CVE-2026-47389
Published:June 24, 2026
Updated:June 29, 2026
Mastodon is a free, open-source social network server based on ActivityPub. Prior to 4.5.10, 4.4.17, and 4.3.23, when using Ruby versions older than 3.4, PrivateAddressCheck.private_address? returns false for IPv4-mapped IPv6 addresses (::ffff:a.b.c.d) corresponding to some private IPv4 addresses, depending on Ruby version, this can include loopback, RFC1918 private networks, and link-local space. An attacker who controls DNS for any domain can publish an AAAA record with such a mapped address; any outbound HTTP fetch Mastodon performs against that hostname then opens a real TCP connection to the underlying IPv4 address, including 127.0.0.1 and cloud-metadata endpoints such as 169.254.169.254. This vulnerability is fixed in 4.5.10, 4.4.17, and 4.3.23.
Affected Packages
https://github.com/mastodon/mastodon.git (GITHUB):
Affected version(s) >=v0.1.0 <v4.5.10Fix Suggestion:
Update to version v4.5.10https://github.com/mastodon/mastodon.git (GITHUB):
Affected version(s) >=v4.4.0 <v4.4.17Fix Suggestion:
Update to version v4.4.17https://github.com/mastodon/mastodon.git (GITHUB):
Affected version(s) >=v4.3.0 <v4.3.23Fix Suggestion:
Update to version v4.3.23Related Resources (1)
Do you need more information?
Contact UsCVSS v4
Base Score:
9.2
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
NONE
Vulnerable System Availability
NONE
Subsequent System Confidentiality
HIGH
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
8.6
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality
HIGH
Integrity
NONE
Availability
NONE
Weakness Type (CWE)
EPSS
Base Score:
0.23