CVE-2023-36460 Overview
CVE-2023-36460 is a critical Path Traversal vulnerability affecting Mastodon, the free, open-source social network server based on ActivityPub. Starting in version 3.5.0 and prior to versions 3.5.9, 4.0.5, and 4.1.3, attackers can exploit the media processing functionality using carefully crafted media files to create arbitrary files at any location on the server. This vulnerability enables attackers to create and overwrite any file that the Mastodon process has access to, leading to Denial of Service conditions and arbitrary Remote Code Execution.
Critical Impact
This vulnerability allows remote attackers to achieve arbitrary file creation and overwrite capabilities, enabling full Remote Code Execution on vulnerable Mastodon instances through malicious media file uploads.
Affected Products
- Mastodon versions 3.5.0 through 3.5.8
- Mastodon versions 4.0.0 through 4.0.4
- Mastodon versions 4.1.0 through 4.1.2
Discovery Timeline
- 2023-07-06 - CVE-2023-36460 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2023-36460
Vulnerability Analysis
The vulnerability resides in Mastodon's media processing pipeline, specifically within the Attachmentable concern that handles file attachments. The flaw allows attackers to craft malicious media files that bypass validation checks, enabling arbitrary file creation through path traversal techniques. When Mastodon processes the uploaded media, insufficient sanitization of file paths allows attackers to write files outside the intended upload directory.
The vulnerability is classified as CWE-22 (Path Traversal), where improper limitation of pathnames allows attackers to access or modify files outside restricted directories. Since Mastodon runs as a web service with specific file system permissions, an attacker can leverage this to overwrite configuration files, inject malicious code into executable paths, or disrupt service availability.
Root Cause
The root cause lies in the media attachment processing flow, where file name obfuscation and content type validation occurred after the file was already positioned for processing. The vulnerable code in app/models/concerns/attachmentable.rb processed files using before_post_process callbacks, which executed validation steps too late in the pipeline. This timing issue allowed specially crafted filenames to bypass security controls and write to arbitrary locations.
Attack Vector
An authenticated attacker with low privileges can exploit this vulnerability remotely over the network. The attack requires no user interaction and can impact resources beyond the vulnerable component's security scope. The attacker uploads a specially crafted media file containing path traversal sequences in the filename metadata. When Mastodon's media processing pipeline handles this file, it creates or overwrites files at attacker-controlled locations.
The security patch addresses this by moving validation to an earlier callback:
included do
def self.has_attached_file(name, options = {}) # rubocop:disable Naming/PredicateName
- options = { validate_media_type: false }.merge(options)
super(name, options)
- send(:"before_#{name}_post_process") do
+
+ send(:"before_#{name}_validate") do
attachment = send(name)
check_image_dimension(attachment)
set_file_content_type(attachment)
obfuscate_file_name(attachment)
set_file_extension(attachment)
- Paperclip::Validators::MediaTypeSpoofDetectionValidator.new(attributes: [name]).validate(self)
end
end
end
Source: GitHub Mastodon Commit
The fix also introduces enhanced media type spoof detection:
require_relative '../lib/paperclip/attachment_extensions'
require_relative '../lib/paperclip/lazy_thumbnail'
require_relative '../lib/paperclip/gif_transcoder'
+require_relative '../lib/paperclip/media_type_spoof_detector_extensions'
require_relative '../lib/paperclip/transcoder'
require_relative '../lib/paperclip/type_corrector'
require_relative '../lib/paperclip/response_with_limit_adapter'
Source: GitHub Mastodon Commit
Detection Methods for CVE-2023-36460
Indicators of Compromise
- Unexpected file creation or modification in Mastodon's system directories outside the standard upload paths
- Media upload requests containing path traversal sequences such as ../ or encoded variants in filenames
- Anomalous file system activity by the Mastodon Ruby process writing to non-standard locations
- New or modified files in configuration directories, cron paths, or other sensitive system locations
Detection Strategies
- Monitor web server access logs for media upload requests with suspicious filename patterns containing traversal sequences
- Implement file integrity monitoring (FIM) on critical system directories to detect unauthorized file creation or modification
- Configure application-level logging to capture media processing operations and flag unusual file path patterns
- Deploy web application firewall rules to detect and block path traversal patterns in multipart form uploads
Monitoring Recommendations
- Enable verbose logging for the Paperclip attachment processing module in Mastodon
- Set up alerts for file system events outside expected media storage directories attributed to the Mastodon process
- Monitor for signs of Remote Code Execution such as unexpected process spawning or outbound network connections from the Mastodon server
- Review media upload queues for files with suspicious metadata or naming conventions
How to Mitigate CVE-2023-36460
Immediate Actions Required
- Upgrade Mastodon immediately to version 3.5.9, 4.0.5, or 4.1.3 depending on your current version branch
- Review server file systems for signs of unauthorized file creation or modification that may indicate prior exploitation
- Temporarily restrict media upload capabilities if immediate patching is not possible
- Implement network-level controls to limit access to media upload endpoints while patching is underway
Patch Information
The Mastodon development team has released security patches addressing this vulnerability. The fix moves validation callbacks to execute during the before_validate phase rather than before_post_process, ensuring that file path sanitization and content type validation occur before any file system operations. Additionally, enhanced media type spoof detection has been added to the attachment processing pipeline.
Patched versions are available:
- Version 3.5.9 for the 3.5.x branch
- Version 4.0.5 for the 4.0.x branch
- Version 4.1.3 for the 4.1.x branch
For technical details, see the GitHub Security Advisory GHSA-9928-3cp5-93fm.
Workarounds
- Disable media uploads temporarily by configuring Mastodon to reject all attachment submissions until patching is complete
- Implement strict file system permissions to limit the directories writable by the Mastodon process
- Deploy a reverse proxy or WAF rule to filter requests containing path traversal patterns in upload endpoints
- Run Mastodon in a containerized environment with restricted filesystem access to limit potential impact
# Example: Restrict Mastodon process write permissions using systemd hardening
# Add to Mastodon service unit file
[Service]
ReadWritePaths=/opt/mastodon/public/system
ProtectSystem=strict
ProtectHome=true
NoNewPrivileges=true
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
