Mastodon releases fix for critical “TootRoot” vulnerability allowing node hijacking
Take action: If you manage a Mastodon server, schedule the patch and announce it to your users. In the long run your life will be easier.
The maintainers of the Mastodon open-source software have released a security update to patch critical vulnerabilities that could allow hackers to backdoor content servers.
Mastodon software creates a social network with a federated model consisting of thousands of separate servers.
One of the critical bugs fixed, tracked as CVE-2023-36460, is described as an "arbitrary file creation through media attachments" flaw, enabling attackers to create and overwrite files on Mastodon's servers, leading to denial of service and arbitrary remote code execution.
Another critical vulnerability, CVE-2023-36459, could be used to inject arbitrary HTML into oEmbed preview cards, evading Mastodon's HTML sanitization process and allowing cross-site scripting payloads.
Security researchers coined the term "#TootRoot" to describe the vulnerability's potential to allow hackers to gain root access to instances and deploy webshells through malicious user posts called "toots."
Exploiting these vulnerabilities could enable attackers to cause harm to individual users and potentially disrupt the entire infrastructure. Although there are no known exploits, Mastodon has released patches based on recent penetration testing funded by the Mozilla Foundation.
The Thursday patch batch addressed five vulnerabilities in total, including an "XSS through oEmbed preview cards" flaw that allowed attackers to bypass HTML sanitization and inject arbitrary HTML code into oEmbed preview cards, potentially leading to cross-site scripting attacks.