
CVE-2026-22245: Mastodon SSRF Vulnerability

CVE-2026-22245 is an SSRF vulnerability in Mastodon that allows attackers to bypass IP filtering and access local network resources. This article covers the technical details, affected versions, and mitigation steps.


CVE-2026-22245 Overview

CVE-2026-22245 is a Server-Side Request Forgery (SSRF) vulnerability in Mastodon, the free and open-source social network server based on ActivityPub. The vulnerability stems from an incomplete blocklist of private IP address ranges in Mastodon's outbound request protection mechanism. While Mastodon implements safeguards to prevent requests to local IP addresses (unless explicitly allowed via ALLOWED_PRIVATE_ADDRESSES), certain IP address ranges were inadvertently omitted from the blocklist, creating an avenue for attackers to bypass these protections.

Critical Impact

Authenticated attackers can exploit this SSRF vulnerability to make Mastodon perform HTTP requests against loopback or local network hosts, potentially gaining access to otherwise private resources, internal services, and sensitive data within the server's network environment.

Affected Products

  • Mastodon versions prior to v4.5.4
  • Mastodon versions prior to v4.4.11
  • Mastodon versions prior to v4.3.17
  • Mastodon versions prior to v4.2.29

Discovery Timeline

  • 2026-01-08 - CVE-2026-22245 published to NVD
  • 2026-01-08 - Last updated in NVD database

Technical Details for CVE-2026-22245

Vulnerability Analysis

This vulnerability is classified as CWE-918 (Server-Side Request Forgery). Mastodon, by design, performs numerous outbound HTTP requests to user-provided domains as part of its ActivityPub federation functionality. To mitigate the "confused deputy" problem—where the server can be tricked into making requests on behalf of an attacker—Mastodon implements a private address check mechanism.

The flaw exists in the PrivateAddressCheck module located in app/lib/private_address_check.rb. The original implementation maintained a single CIDR_LIST that was intended to block requests to private and reserved IP address ranges. However, this list was incomplete, missing certain IP address ranges that could resolve to or be used to reach local network resources.

An attacker with a low-privileged authenticated account can craft requests containing IP addresses from the unblocked ranges, causing Mastodon's server to initiate HTTP connections to internal services that should be inaccessible from the public internet.

Root Cause

The root cause is an incomplete blocklist in the private address checking mechanism: the original CIDR_LIST constant did not cover every IP address range that can be used to reach local or loopback addresses. The fix refactors this into a separate IP4_CIDR_LIST and potentially IPv6-specific lists, so that private, reserved, and special-purpose ranges are covered across both IP versions.
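To make the root cause concrete, the following is an added illustration of a family-aware private address check; it is not Mastodon's code or patch. The CIDR lists are taken from the IANA special-purpose address registries rather than from the project, and the page does not name which ranges Mastodon omitted, so the example shows the structure of a complete check (one list per IP family, IPv4-mapped IPv6 addresses judged by the IPv4 list, fail closed on unparseable input) rather than the specific gap.

```ruby
require 'ipaddr'

# Added example, not Mastodon's PrivateAddressCheck. Ranges come from the
# IANA IPv4/IPv6 special-purpose registries, not from the project's patch.
module PrivateAddressGuard
  module_function

  IP4_CIDR_LIST = %w[
    0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
    172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 192.168.0.0/16
    198.18.0.0/15 198.51.100.0/24 203.0.113.0/24 224.0.0.0/4 240.0.0.0/4
  ].map { |cidr| IPAddr.new(cidr) }.freeze

  IP6_CIDR_LIST = %w[
    ::/128 ::1/128 64:ff9b::/96 100::/64 2001::/32 2001:db8::/32
    2002::/16 fc00::/7 fe80::/10 ff00::/8
  ].map { |cidr| IPAddr.new(cidr) }.freeze

  # True when +address+ must not be fetched. Anything that does not parse as
  # an IP address is treated as private so the caller fails closed.
  def private_address?(address)
    ip = IPAddr.new(address.to_s)
    # An IPv4 address carried in IPv6 form (::ffff:a.b.c.d) is compared
    # against the IPv4 list; an IPv6-only list would miss ::ffff:127.0.0.1
    # unless it happened to contain ::ffff:0:0/96.
    ip = ip.native if ip.ipv6? && ip.ipv4_mapped?
    list = ip.ipv4? ? IP4_CIDR_LIST : IP6_CIDR_LIST
    list.any? { |cidr| cidr.include?(ip) }
  rescue IPAddr::Error
    true
  end

  # For a hostname that resolved to several addresses: one private answer is
  # enough to refuse the whole fetch.
  def any_private?(addresses)
    addresses.any? { |a| private_address?(a) }
  end
end
```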

Attack Vector

The attack requires network access and low-privilege authentication (a valid Mastodon account). An attacker can:

  1. Identify IP addresses in ranges not covered by the blocklist
  2. Craft requests through Mastodon features that trigger outbound HTTP requests (such as URL preview fetching or remote user lookups)
  3. Target internal services running on the Mastodon server or accessible from its network position
  4. Potentially access cloud metadata endpoints, internal APIs, or other sensitive resources

ruby
# Security patch in app/lib/private_address_check.rb
# Source: https://github.com/mastodon/mastodon/commit/17022907866710a72a1b1fc0a5ce9538bad1b4c3

 # frozen_string_literal: true
 
 module PrivateAddressCheck
-  module_function
-
-  CIDR_LIST = [
+  IP4_CIDR_LIST = [
     IPAddr.new('0.0.0.0/8'),       # Current network (only valid as source address)
     IPAddr.new('100.64.0.0/10'),   # Shared Address Space
     IPAddr.new('172.16.0.0/12'),   # Private network
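Review bot: Dropping `module_function` together with the rename means any methods PrivateAddressCheck defines further down (outside this excerpt) are no longer callable as `PrivateAddressCheck.method_name` unless the remainder of the patch restores it or switches them to `def self.`; the rename itself also breaks any caller still referencing `PrivateAddressCheck::CIDR_LIST`, so those call sites need to be in the same change. The list visible here is still IPv4-only, so the stated IPv6 coverage depends on a companion IPv6 list and a family-aware lookup appearing in the lines not shown.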

Source: GitHub Commit Fix

Detection Methods for CVE-2026-22245

Indicators of Compromise

  • Unusual outbound HTTP requests from Mastodon server to internal IP ranges (e.g., 127.x.x.x, 10.x.x.x, 192.168.x.x, 169.254.x.x)
  • Access logs showing requests to cloud metadata endpoints (e.g., 169.254.169.254)
  • Unexpected connections to internal services from the Mastodon application process
  • Error logs indicating failed connections to local network services

Detection Strategies

  • Monitor outbound network traffic from Mastodon servers for connections to RFC 1918 private address ranges and link-local addresses
  • Implement egress filtering rules with logging to detect SSRF attempts targeting internal infrastructure
  • Review Mastodon application logs for suspicious URL fetching activities involving non-public IP addresses
  • Deploy network intrusion detection signatures for SSRF patterns in ActivityPub-related requests

Monitoring Recommendations

  • Configure alerting for any outbound connections from Mastodon servers to internal network segments
  • Implement rate limiting and logging on internal services that could be targeted via SSRF
  • Monitor cloud metadata service access logs for unauthorized queries originating from Mastodon instances
  • Establish baseline network behavior for Mastodon servers to identify anomalous outbound request patterns

How to Mitigate CVE-2026-22245

Immediate Actions Required

  • Upgrade Mastodon to the patched versions immediately: v4.5.4, v4.4.11, v4.3.17, or v4.2.29 depending on your version branch
  • Review network segmentation to limit the Mastodon server's access to internal resources
  • Audit the ALLOWED_PRIVATE_ADDRESSES configuration to ensure only necessary addresses are permitted
  • Implement egress filtering at the network level as defense-in-depth

Patch Information

Mastodon has released security patches across all supported version branches. The fix refactors the private address checking module to provide comprehensive coverage of private and reserved IP address ranges. The relevant commits and the security advisory are available:

Workarounds

  • Implement network-level egress filtering to block the Mastodon server from connecting to private IP ranges
  • Deploy a web application firewall (WAF) or proxy that validates and filters outbound requests from the Mastodon application
  • Use network segmentation to isolate the Mastodon server from sensitive internal services
  • Review and restrict the ALLOWED_PRIVATE_ADDRESSES environment variable if it has been configured

bash
# Example iptables egress filtering for a Mastodon server.
# The owner match scopes every rule to the UID the Mastodon processes run
# as (assumed here to be "mastodon"), so other services on the host are
# unaffected. Place these rules ahead of any broad ACCEPT in OUTPUT
# (for example with -I instead of -A), or the earlier ACCEPT wins.

# Allow the app's own local services first; adjust hosts and ports to
# your deployment (Postgres shown, add Redis/Elasticsearch the same way).
iptables -A OUTPUT -m owner --uid-owner mastodon -d 127.0.0.1 -p tcp --dport 5432 -j ACCEPT

# Block RFC 1918 private ranges
iptables -A OUTPUT -m owner --uid-owner mastodon -d 10.0.0.0/8 -j DROP
iptables -A OUTPUT -m owner --uid-owner mastodon -d 172.16.0.0/12 -j DROP
iptables -A OUTPUT -m owner --uid-owner mastodon -d 192.168.0.0/16 -j DROP

# Block the rest of loopback. Note that "-d 127.0.0.0/8 ! -o lo" would never
# match, because loopback-bound traffic always leaves via lo.
iptables -A OUTPUT -m owner --uid-owner mastodon -d 127.0.0.0/8 -j DROP

# Block link-local, which includes the cloud metadata endpoint 169.254.169.254
iptables -A OUTPUT -m owner --uid-owner mastodon -d 169.254.0.0/16 -j DROP

# Block shared address space
iptables -A OUTPUT -m owner --uid-owner mastodon -d 100.64.0.0/10 -j DROP

# Mirror these with ip6tables (::1/128, fc00::/7, fe80::/10); IPv4 rules
# alone leave the IPv6 path open.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
