Popular decentralised social network Mastodon has released security updates to address serious flaws that put millions of users at risk of attack. Mastodon is known for its federated model, in which tens of thousands of independently operated servers, referred to as “instances,” interoperate; the network has over 14 million users spread across more than 20,000 instances.
The most serious vulnerability, CVE-2023-36460, allowed attackers to create and overwrite files in any location the software could access on an instance by exploiting a flaw in the media attachments feature. Because an arbitrary file write on the server can be turned into denial of service or arbitrary remote code execution, exploitation of this flaw could seriously endanger both the users of an affected instance and the wider Internet ecosystem, so instance administrators should apply the update promptly.