CVE-2026-47389
Status: Received - Intake
Private Address Check Bypass in Mastodon

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: GitHub, Inc.

Description
Mastodon is a free, open-source social network server based on ActivityPub. Prior to 4.5.10, 4.4.17, and 4.3.23, when running on Ruby versions older than 3.4, PrivateAddressCheck.private_address? returns false for IPv4-mapped IPv6 addresses (::ffff:a.b.c.d) that correspond to some private IPv4 addresses; depending on the Ruby version, this can include loopback, RFC 1918 private networks, and link-local space. An attacker who controls DNS for any domain can publish an AAAA record with such a mapped address; any outbound HTTP fetch Mastodon performs against that hostname then opens a real TCP connection to the underlying IPv4 address, including 127.0.0.1 and cloud-metadata endpoints such as 169.254.169.254. This vulnerability is fixed in 4.5.10, 4.4.17, and 4.3.23.
Meta Information
Published: 2026-06-24
Last Modified: 2026-06-24
Generated: 2026-06-25
Affected Vendors & Products
Showing 8 associated CPEs

Vendor     Product    Version / Range
mastodon   mastodon   up to 4.5.10 (inclusive)
mastodon   mastodon   up to 4.4.17 (inclusive)
mastodon   mastodon   up to 4.3.23 (inclusive)
mastodon   mastodon   up to 4.3.23 (exclusive)
mastodon   mastodon   up to 4.5.9 (inclusive)
mastodon   mastodon   up to 4.4.16 (inclusive)
mastodon   mastodon   up to 4.3.22 (inclusive)
mastodon   mastodon   up to 4.2.x (inclusive)

Note that these CPE ranges are not consistent with one another (4.5.10, 4.4.17 and 4.3.23 appear both as included and as excluded); the advisory text above names 4.5.10, 4.4.17 and 4.3.23 as the first fixed releases, so treat every earlier release in those branches, and all of 4.2.x, as affected.
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-184 The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.
Executive Summary

CVE-2026-47389 is a Server-Side Request Forgery (SSRF) vulnerability in Mastodon instances running on Ruby versions older than 3.4. The issue occurs because the method PrivateAddressCheck.private_address? incorrectly returns false for IPv4-mapped IPv6 addresses, which represent some private IPv4 addresses such as loopback, RFC1918 private networks, and link-local addresses.

An attacker who controls DNS for any domain can exploit this by publishing an AAAA record with such a mapped address. Any outbound HTTP fetch Mastodon performs against that hostname then connects to the embedded IPv4 address, reaching internal or cloud metadata endpoints that the check should have blocked, such as 127.0.0.1 or 169.254.169.254.

This vulnerability is fixed in Mastodon versions 4.5.10, 4.4.17, and 4.3.23.
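As an added example (not code from Mastodon, from the advisory, or from this page), the following Ruby contrasts the version-dependent pattern with a check that unwraps IPv4-mapped addresses before consulting a blocklist. The module name, the blocklist contents and the helper names are assumptions for this illustration; only the standard-library IPAddr calls are real.

```ruby
# Added example: a hardened private-address check for outbound fetches.
# Illustrative code, not Mastodon's PrivateAddressCheck; the blocklist below
# is an assumption for this example.
require 'ipaddr'

module HardenedAddressCheck
  module_function

  # Destinations an outbound fetcher must never reach. Assumed list; a real
  # deployment would review it against RFC 6890 and its own topology.
  BLOCKED_RANGES = [
    '0.0.0.0/8',      # "this" network
    '10.0.0.0/8',     # RFC 1918
    '100.64.0.0/10',  # shared address space (some cloud metadata services live here)
    '127.0.0.0/8',    # IPv4 loopback
    '169.254.0.0/16', # IPv4 link-local, including 169.254.169.254 metadata endpoints
    '172.16.0.0/12',  # RFC 1918
    '192.168.0.0/16', # RFC 1918
    '::/128',         # IPv6 unspecified
    '::1/128',        # IPv6 loopback
    'fc00::/7',       # IPv6 unique local
    'fe80::/10',      # IPv6 link-local
  ].map { |cidr| IPAddr.new(cidr) }.freeze

  def to_ipaddr(address)
    address.is_a?(IPAddr) ? address : IPAddr.new(address.to_s)
  end

  # Collapse ::ffff:a.b.c.d to the IPv4 address the kernel will really connect
  # to. IPAddr#native returns the receiver unchanged for any other address.
  def normalize(address)
    to_ipaddr(address).native
  end

  # The version-dependent pattern: ask IPAddr about the address as resolved.
  # Whether loopback?/private?/link_local? see through the ::ffff: mapping
  # depends on the ipaddr library shipped with the Ruby in use, which is the
  # gap the advisory describes for Ruby older than 3.4.
  def naive_private_address?(address)
    addr = to_ipaddr(address)
    addr.loopback? || addr.private? || addr.link_local?
  end

  # Hardened check: normalize first, then match in the address's real family.
  # The family test is explicit so an IPv6 range never has to reason about an
  # IPv4 address, whatever the ipaddr version does with mixed families.
  def private_address?(address)
    addr = normalize(address)
    BLOCKED_RANGES.any? { |range| range.family == addr.family && range.include?(addr) }
  end
end

if $PROGRAM_NAME == __FILE__
  # Addresses an attacker-controlled AAAA record could carry (constructed).
  ['::ffff:127.0.0.1', '::ffff:169.254.169.254', '::ffff:10.1.2.3', '2001:db8::1'].each do |a|
    printf("%-24s naive=%-5s hardened=%s\n", a,
           HardenedAddressCheck.naive_private_address?(a),
           HardenedAddressCheck.private_address?(a))
  end
end
```

The naive predicate is kept only to show the trap: its answer for ::ffff:127.0.0.1 varies with the ipaddr library bundled with Ruby, while the hardened check is stable because IPAddr#native hands it the 127.0.0.1 the kernel will actually connect to. The same normalization belongs wherever an address obtained from DNS is compared against an allow- or blocklist before connect().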

Compliance Impact

This vulnerability can lead to unauthorized information exposure by allowing attackers to make internal HTTP requests to sensitive endpoints such as cloud metadata services and internal management interfaces. Such exposure of sensitive data could potentially result in non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive information.

Because the flaw enables attackers to bypass SSRF protections and access internal resources, organizations using affected Mastodon versions may face increased risk of data breaches or unauthorized data access, which are critical compliance concerns under these regulations.

Impact Analysis

This vulnerability allows an attacker to make Mastodon perform HTTP requests to internal services or cloud metadata endpoints that are normally unreachable from outside, which can lead to unauthorized exposure of sensitive information.

  • Access to internal services such as the Sidekiq UI or database ports listening on loopback or private addresses.
  • Exposure of cloud metadata endpoints like AWS IMDSv1 at 169.254.169.254 or Alibaba Cloud metadata at 100.100.100.200. (IMDSv2 requires a session token obtained with a PUT request, which a plain GET-based fetch cannot supply, so instances that enforce IMDSv2 are less exposed on this path.)

Because the attack is network-based and requires no privileges or user interaction beyond control of a domain's DNS and a way to make the instance fetch that domain, it poses a high risk to affected Mastodon instances.

Detection Guidance

This vulnerability involves Mastodon making outbound HTTP requests to IPv4-mapped IPv6 addresses that correspond to private or sensitive internal IPs because the SSRF check does not recognize the mapping.

One caveat shapes every detection approach: an IPv4-mapped IPv6 address is a socket-API representation, not a wire format. When Mastodon connects to ::ffff:169.254.169.254 the kernel emits an ordinary IPv4 TCP connection to 169.254.169.254, so there are no ::ffff: packets to capture. Look for the mapped form in DNS answers, and for the resulting connections as plain IPv4 traffic to loopback, RFC 1918, link-local and cloud metadata ranges.

Suggested commands include:

  • Capture outbound IPv4 connections from the Mastodon host to ranges it should never reach (replace <interface> and <mastodon-ip>): sudo tcpdump -i <interface> -nn 'src host <mastodon-ip> and tcp and (dst net 10.0.0.0/8 or dst net 172.16.0.0/12 or dst net 192.168.0.0/16 or dst net 169.254.0.0/16 or dst net 100.64.0.0/10)'
  • Loopback traffic never crosses an external interface, so capture it on the loopback device separately: sudo tcpdump -i lo -nn 'tcp and dst host 127.0.0.1'
  • Capture the DNS responses the instance receives and look for AAAA answers in the ::ffff:a.b.c.d form: sudo tcpdump -i <interface> -nn -v 'udp src port 53' (tcpdump decodes the answer records, so search its output for ::ffff:)
  • Check Mastodon logs for outbound HTTP fetches to hostnames that resolve to such addresses, and check resolver or DNS query logs for AAAA records whose embedded IPv4 address falls in a loopback, private, link-local or metadata range.
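The DNS-side check from the guidance above, as an added example rather than tooling from this page or from the Mastodon project: a Ruby scanner over resolver answer records that reports which AAAA answers would send a fetch to an internal address. The key=value log format, the sample records and the module name are constructed for this illustration; real resolvers log differently, so the field parser is the part to adapt.

```ruby
# Added example: scan resolver answer logs for AAAA records whose IPv4-mapped
# address would land an outbound fetch on an internal target. The log format
# is constructed for this example; real resolvers log differently.
require 'ipaddr'

module DnsAnswerScan
  module_function

  # Constructed sample: one resolver answer per line, key=value fields.
  SAMPLE_LOG = <<~LOG
    2026-06-24T10:15:03Z client=10.0.0.5 qname=attacker.example qtype=AAAA answer=::ffff:169.254.169.254
    2026-06-24T10:15:04Z client=10.0.0.5 qname=attacker.example qtype=A answer=203.0.113.7
    2026-06-24T10:15:09Z client=10.0.0.5 qname=remote.example qtype=AAAA answer=2001:db8::1
    2026-06-24T10:15:11Z client=10.0.0.5 qname=loop.attacker.example qtype=AAAA answer=::ffff:127.0.0.1
    2026-06-24T10:15:12Z client=10.0.0.5 qname=lan.attacker.example qtype=AAAA answer=::ffff:192.168.1.20
    2026-06-24T10:15:13Z client=10.0.0.5 qname=cdn.example qtype=AAAA answer=::ffff:93.184.216.34
    2026-06-24T10:15:14Z malformed line without the expected fields
  LOG

  SHARED_ADDRESS_SPACE = IPAddr.new('100.64.0.0/10') # hosts some cloud metadata services

  # Why the address the fetcher would connect to is sensitive, or nil if it is
  # not. IPAddr's predicates are reliable for plain IPv4 and plain IPv6; the
  # caller passes the already-unwrapped address so the ::ffff: mapping never
  # reaches them.
  def sensitivity(target)
    return 'loopback'             if target.loopback?
    return 'rfc1918 private'      if target.ipv4? && target.private?
    return 'unique-local'         if target.ipv6? && target.private?
    return 'link-local'           if target.link_local?
    return 'shared address space' if target.ipv4? && SHARED_ADDRESS_SPACE.include?(target)
    nil
  end

  # Returns one hash per suspicious answer: which name resolved to it, the
  # literal answer, the address a connect() would actually reach, whether it
  # was disguised as an IPv4-mapped IPv6 address, and why it matters.
  def scan_answer_log(log)
    log.each_line.filter_map do |line|
      fields = line.scan(/(\w+)=(\S+)/).to_h
      next unless fields['qname'] && fields['answer']

      answer = IPAddr.new(fields['answer'])
      target = answer.native # ::ffff:a.b.c.d becomes a.b.c.d; others unchanged
      reason = sensitivity(target)
      next unless reason

      { qname: fields['qname'], answer: fields['answer'],
        connects_to: target.to_s, mapped: answer.ipv4_mapped?, reason: reason }
    rescue ArgumentError
      nil # not a parseable address (IPAddr::Error is an ArgumentError); skip the line
    end
  end
end

if $PROGRAM_NAME == __FILE__
  DnsAnswerScan.scan_answer_log(DnsAnswerScan::SAMPLE_LOG).each do |hit|
    puts "#{hit[:qname]} -> #{hit[:answer]} connects to #{hit[:connects_to]} " \
         "(#{hit[:reason]}#{', ipv4-mapped' if hit[:mapped]})"
  end
end
```

Run against the sample, the scanner flags the three attacker-controlled names and ignores the public A record, the documentation-range IPv6 answer and the mapped public IPv4. The connects_to field is the value to pivot on when correlating with the IPv4 packet captures above, since that is the address that appears on the wire.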
Mitigation Strategies

The primary mitigation is to upgrade your Mastodon instance to a patched version where this vulnerability is fixed.

  • Upgrade Mastodon to version 4.5.10, 4.4.17, or 4.3.23 or later, which include the fix for this SSRF vulnerability.
  • The flawed PrivateAddressCheck.private_address? behavior is tied to Ruby versions older than 3.4, so running Ruby 3.4 or newer removes the condition the advisory describes; treat that as defense in depth alongside the Mastodon upgrade rather than as a substitute for it.
  • If an immediate upgrade is not possible, restrict outbound HTTP requests from the Mastodon server so they cannot reach internal IP ranges or cloud metadata endpoints.
  • Implement network-level controls such as firewall rules that block outbound traffic from the Mastodon processes to 127.0.0.1, 169.254.169.254, and other private network ranges. A perimeter firewall never sees loopback traffic, so this has to be enforced on the host itself (for example, egress rules keyed on the service account Mastodon runs as).