{"id":"CVE-2023-42450","summary":"Mastodon Server-Side Request Forgery vulnerability","details":"Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 4.2.0-beta1 and prior to version 4.2.0-rc2, by crafting specific input, attackers can inject arbitrary data into HTTP requests issued by Mastodon. This can be used to perform confused deputy attacks if the server configuration includes `ALLOWED_PRIVATE_ADDRESSES` to allow access to local exploitable services. Version 4.2.0-rc2 has a patch for the issue.","aliases":["BIT-mastodon-2023-42450","GHSA-hcqf-fw2r-52g4"],"modified":"2026-04-10T05:01:57.903360Z","published":"2023-09-19T15:53:39.685Z","database_specific":{"cwe_ids":["CWE-113","CWE-918"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/42xxx/CVE-2023-42450.json","cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/42xxx/CVE-2023-42450.json"},{"type":"ADVISORY","url":"https://github.com/mastodon/mastodon/security/advisories/GHSA-hcqf-fw2r-52g4"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-42450"},{"type":"FIX","url":"https://github.com/mastodon/mastodon/commit/94893cf24fc95b32cc7a756262acbe008c20a9d2"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/mastodon/mastodon","events":[{"introduced":"dab54ccbba3721382241725bb1c1159d24b5aab2"},{"fixed":"f4b780ba22d0256770766185cee5f8fcc5585c95"}]}],"versions":["v4.2.0-beta1","v4.2.0-beta2","v4.2.0-beta3","v4.2.0-rc1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-42450.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/tootsuite/mastodon","events":[{"introduced":"0"},{"last_affected":"dab54ccbba3721382241725bb1c1159d24b5aab2"},{"introduced":"0"},{"last_affected":"facfec1ba36cee27f232ebff90b990933719235a"},{"introduced":"0"},{"last_affected":"f80f426c57d5a5e1d289372ef7c323741d27c768"},{"introduced":"0"},{"last_affected":"b90383d07388fe8513e59a6deb1a2391146c6561"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"4.2.0-beta1"},{"introduced":"0"},{"last_affected":"4.2.0-beta2"},{"introduced":"0"},{"last_affected":"4.2.0-beta3"},{"introduced":"0"},{"last_affected":"4.2.0-rc1"}]}}],"versions":["v0.1.0","v0.1.1","v0.1.2","v0.6","v0.7","v0.8","v0.9","v0.9.9","v1.0","v1.1","v1.1.1","v1.1.2","v1.2","v1.2.1","v1.2.2","v1.3","v1.3.1","v1.3.2","v1.4.1","v1.4.2","v1.4.3","v1.4.4","v1.4.5","v1.4.6","v1.4.7","v1.4rc1","v1.4rc2","v1.4rc3","v1.4rc4","v1.4rc5","v1.4rc6","v1.5.0","v1.5.0rc1","v1.5.0rc2","v1.5.0rc3","v1.5.1","v1.6.0","v1.6.0rc1","v1.6.0rc2","v1.6.0rc3","v1.6.0rc4","v1.6.0rc5","v1.6.1","v2.0.0","v2.0.0rc1","v2.0.0rc2","v2.0.0rc3","v2.0.0rc4","v2.1.0","v2.1.0rc1","v2.1.0rc2","v2.1.0rc3","v2.1.0rc4","v2.1.0rc5","v2.1.0rc6","v2.1.1","v2.1.2","v2.1.3","v2.2.0","v2.2.0rc1","v2.2.0rc2","v2.3.0","v2.3.0rc1","v2.3.0rc2","v2.3.0rc3","v2.3.1","v2.3.1rc1","v2.3.1rc2","v2.3.1rc3","v2.3.2","v2.3.2rc1","v2.3.2rc2","v2.3.2rc3","v2.3.2rc4","v2.3.2rc5","v2.4.0","v2.4.0rc1","v2.4.0rc2","v2.4.0rc3","v2.4.0rc4","v2.4.0rc5","v2.4.1","v2.4.1rc1","v2.4.1rc2","v2.4.1rc3","v2.4.1rc4","v2.4.2","v2.4.2rc1","v2.4.2rc2","v2.4.2rc3","v2.4.3","v2.4.3rc1","v2.4.3rc2","v2.4.3rc3","v2.5.0","v2.5.0rc1","v2.5.0rc2","v2.6.0","v2.6.0rc1","v2.6.0rc2","v2.6.0rc3","v2.6.0rc4","v2.6.1","v2.7.0","v2.7.0rc1","v2.7.0rc2","v2.7.0rc3","v2.7.1","v2.8.0","v2.8.0rc1","v2.8.0rc2","v2.8.0rc3","v2.8.1","v2.8.2","v2.9.0","v2.9.0rc1","v2.9.0rc2","v2.9.1","v2.9.2","v3.0.0","v3.0.0rc1","v3.0.0rc2","v3.0.0rc3","v3.0.1","v3.1.0","v3.1.0rc1","v3.1.0rc2","v3.1.1","v3.1.2","v3.1.3","v3.1.4","v3.2.0","v3.2.0rc1","v3.2.0rc2","v3.3.0","v3.3.0rc1","v3.3.0rc2","v3.3.0rc3","v3.4.0","v3.4.0rc1","v3.4.0rc2","v3.4.1","v3.5.0","v3.5.0rc1","v3.5.0rc2","v3.5.0rc3","v3.5.1","v3.5.2","v3.5.3","v4.0.0","v4.0.0rc1","v4.0.0rc2","v4.0.0rc3","v4.0.0rc4","v4.0.1","v4.0.2","v4.1.0","v4.1.0rc1","v4.1.0rc2","v4.1.0rc3","v4.2.0-beta1","v4.2.0-beta2","v4.2.0-beta3","v4.2.0-rc1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-42450.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N"}]}