CVE-2026-50129
Deferred Deferred - Pending Action

Denial of Service in Mastodon Due to Uncaught Math Sanitizer Exception

Vulnerability report for CVE-2026-50129, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-24

Last updated on: 2026-06-25

Assigner: GitHub, Inc.

Description

Mastodon is a free, open-source social network server based on ActivityPub. Prior to 4.5.11, 4.4.18, and 4.3.24, a DoS can be triggered by (Uncaught Exception vulerability), due to missing exception handling in the math sanitizer. Malformed <math> nodes can result in a DoS of a whole server or targeted users services, depending on the type of action that includes the malformed nodes and the services interacting with it. This vulnerability is fixed in 4.5.11, 4.4.18, and 4.3.24.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-24
Last Modified
2026-06-25
Generated
2026-07-15
AI Q&A
2026-06-25
EPSS Evaluated
2026-07-13
NVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
mastodon mastodon to 4.5.11 (inc)
mastodon mastodon 4.5.11

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-248 An exception is thrown from a function, but it is not caught.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects Mastodon, an open-source social network server. It is caused by missing exception handling in the math sanitizer component. Specifically, malformed <math> nodes can trigger an uncaught exception, which leads to a denial of service (DoS). This means that either the entire server or specific user services can be disrupted depending on how the malformed nodes are processed.

Impact Analysis

The impact of this vulnerability is a denial of service (DoS) condition. Attackers can exploit malformed <math> nodes to cause the Mastodon server or targeted user services to become unavailable. This can disrupt normal operations and prevent users from accessing the social network services.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade your Mastodon server to one of the fixed versions: 4.5.11, 4.4.18, or 4.3.24.

This update addresses the uncaught exception vulnerability in the math sanitizer that can cause a denial of service.

Compliance Impact

The vulnerability is a Denial of Service (DoS) issue that impacts system availability by causing Mastodon servers or specific user services to become unavailable. While the CVE description and resources do not explicitly mention compliance with standards like GDPR or HIPAA, a DoS affecting availability could potentially impact compliance with regulations that require maintaining service availability and reliability.

However, there is no direct information provided about data confidentiality, integrity, or privacy breaches related to this vulnerability, which are often critical factors in GDPR and HIPAA compliance.

Detection Guidance

The vulnerability in Mastodon (CVE-2026-50129) is triggered by malformed <math> nodes causing unhandled exceptions in the math sanitizer, leading to Denial of Service (DoS). Detection involves monitoring for error logs related to NoMethodError exceptions in the MATH_TRANSFORMER component or unusual service disruptions affecting timelines, RSS feeds, or user views.

Since the vulnerability is triggered by malformed content, one practical detection method is to check the Mastodon server logs for repeated errors or crashes related to math sanitizer processing.

Suggested commands to help detect potential exploitation or presence of the vulnerability include:

  • Use grep to search Mastodon logs for NoMethodError or math sanitizer related errors, e.g.:
  • grep -i 'NoMethodError' /path/to/mastodon/log/production.log
  • grep -i 'math sanitizer' /path/to/mastodon/log/production.log
  • Monitor system resource usage for spikes or crashes in Mastodon processes, e.g.:
  • top or htop to observe CPU and memory usage
  • Check for service restarts or failures in system logs, e.g.:
  • journalctl -u mastodon-web.service

Additionally, verifying the Mastodon version against the fixed versions (4.5.11, 4.4.18, 4.3.24) can help determine if the system is vulnerable.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-50129. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart