CVE-2026-25540
Web Cache Poisoning in Mastodon ActivityPub Endpoints

Publication date: 2026-02-04

Last updated on: 2026-02-20

Assigner: GitHub, Inc.

Description
Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.3.19, 4.4.13 and 4.5.6, Mastodon is vulnerable to web cache poisoning via `Rails.cache`. When AUTHORIZED_FETCH is enabled, the ActivityPub endpoints for pinned posts and featured hashtags return contents that depend on the account that signed the HTTP request. However, these contents are stored in an internal cache and reused with no regard to the signing actor. As a result, an empty response generated for a blocked account may be served to requests from legitimate non-blocked actors, or conversely, content intended for non-blocked actors may be returned to blocked actors. This issue has been patched in versions 4.3.19, 4.4.13 and 4.5.6.
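The defect is a cache-key problem: a response whose body depends on the signing actor is stored under a key that does not include that actor. The following is an added illustration, not Mastodon's code and not the upstream patch. It models the pattern with a tiny in-memory stand-in for Rails.cache.fetch, constructed sample data (account "alice", blocked actor "mallory", legitimate actor "bob"), and a hypothetical render_pinned function. Keying the entry by the signing actor is one way to separate the entries; whether the upstream fix does exactly this is not stated here.

```ruby
# Added example for CVE-2026-25540: cache entries shared across signing actors.
# Not Mastodon's code; names and data below are constructed for illustration.
require 'set'

# Constructed sample data: the account whose pinned posts are requested
# and the actors that account blocks.
PINNED_POSTS = { 'alice' => ['post-1', 'post-2'] }.freeze
BLOCKS = { 'alice' => Set['mallory'] }.freeze

# Hypothetical uncached render: the body depends on who signed the request.
# A blocked signer gets an empty collection, everyone else gets the posts.
def render_pinned(account, signer)
  return [] if BLOCKS.fetch(account, Set.new).include?(signer)
  PINNED_POSTS.fetch(account, [])
end

# Minimal stand-in for Rails.cache.fetch(key) { ... }: return the stored
# value if present, otherwise compute it, store it and return it.
class MemoryCache
  def initialize
    @store = {}
  end

  def fetch(key)
    return @store[key] if @store.key?(key)
    @store[key] = yield
  end
end

# Vulnerable pattern: the key names only the account, so whichever signer
# warms the cache first decides what every later signer receives.
def pinned_cached_by_account(cache, account, signer)
  cache.fetch("pinned:#{account}") { render_pinned(account, signer) }
end

# Hardened pattern: the signing actor is part of the key, so a blocked and
# a non-blocked actor never share a cache entry (assumed mitigation).
def pinned_cached_by_account_and_signer(cache, account, signer)
  cache.fetch("pinned:#{account}:signer=#{signer}") { render_pinned(account, signer) }
end

# Replay two signed requests against a fresh cache and return both bodies,
# so the effect of the key choice on the second request can be inspected.
def demonstrate(cached_fn, first_signer, second_signer)
  cache = MemoryCache.new
  first = send(cached_fn, cache, 'alice', first_signer)
  second = send(cached_fn, cache, 'alice', second_signer)
  [first, second]
end

if __FILE__ == $PROGRAM_NAME
  # Blocked actor warms the cache, legitimate actor is served the empty body.
  p demonstrate(:pinned_cached_by_account, 'mallory', 'bob')
  # Legitimate actor warms the cache, blocked actor is served the real posts.
  p demonstrate(:pinned_cached_by_account, 'bob', 'mallory')
  # With the signer in the key, each actor gets the body rendered for them.
  p demonstrate(:pinned_cached_by_account_and_signer, 'mallory', 'bob')
end
```

Run it with `ruby` to see both directions of the symptom described above (empty body served to a non-blocked actor, and real content served to a blocked actor) followed by the separated result. The general rule it illustrates is that every input that changes a response body, including the authenticated identity of the requester, has to be part of the cache key or the response must not be cached.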
Meta Information
Published: 2026-02-04
Last Modified: 2026-02-20
Generated: 2026-05-27
AI Q&A: 2026-02-05
EPSS Evaluated: 2026-05-25
Affected Vendors & Products (3 associated CPEs)
Vendor         Product    Version / Range
joinmastodon   mastodon   < 4.3.19
joinmastodon   mastodon   >= 4.4.0, < 4.4.13
joinmastodon   mastodon   >= 4.5.0, < 4.5.6
CWE
CWE-524: The code uses a cache that contains sensitive information, but the cache can be read by an actor outside of the intended control sphere.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability affects Mastodon, an open-source social network server. Before certain fixed versions, Mastodon’s caching mechanism for ActivityPub endpoints could serve cached content based on the account that signed the HTTP request without properly isolating cache entries per user. Specifically, when AUTHORIZED_FETCH is enabled, responses for pinned posts and featured hashtags depend on the requesting account, but the cache does not differentiate between different users.

As a result, cached responses intended for one user (such as an empty response for a blocked user) could be served to other users (including legitimate non-blocked users), or vice versa. This is known as web cache poisoning and can cause incorrect or unintended content to be delivered to users.


How can this vulnerability impact me?

This vulnerability can lead to users receiving incorrect or unintended content. For example, a legitimate user might receive an empty response if the cache was poisoned by a blocked user's request, or a blocked user might see content meant only for non-blocked users.

Such behavior can cause confusion, degrade user experience, and potentially expose information inconsistently. It may also undermine trust in the platform's content delivery and user access controls.

The vulnerability has a CVSS base score of 6.5, indicating a medium severity with impacts on confidentiality and availability.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should upgrade Mastodon to one of the patched versions: 4.3.19, 4.4.13, or 4.5.6.

