Mastodon :mastodon: security:

In addition to the vulnerabilities discussed here [1], there are two other vulnerabilities fixed in Mastodon 2.5.2:

– nokogiri (1.8.5)
– XSS vulnerability

The remaining question: how many instances are vulnerable this time, and how many remain vulnerable for weeks or months?


Five big instances (there are many more) are very likely vulnerable to all of the four vulnerabilities:

In total, they have more than 20,000 users.


According to, more than 1200 instances run Mastodon < 2.5.2.

So more than 60 % of instances showing their version number are possibly vulnerable.

There may be thousands more, since the majority of instances hide their version number.

@infosechandbook Well, this makes a strong case for eventually having a web based updater like Nextcloud has. "Security through convenience"!
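The counting above ("instances running Mastodon < 2.5.2" versus "instances hiding their version number") is easy to get wrong with naive string comparison, because Mastodon versions come as `2.5.2`, release candidates like `2.5.2rc1`, and fork builds like `2.5.0+glitch`. The following is an added example, not code from the thread or from the Mastodon project: it parses the `version` field that Mastodon exposes in its `/api/v1/instance` response, compares it against the 2.5.2 fix release, and tallies vulnerable, patched and version-hiding instances. The instance records are constructed sample data (the `.invalid` hostnames are placeholders); an admin auditing their own instances would feed in real API responses instead.

```python
import re
from typing import Optional, Tuple

# Release in which the four issues discussed in the thread were fixed.
FIXED_VERSION = "2.5.2"

# Major.minor.patch, optionally followed by an 'rcN' tag; anything after
# that (e.g. '+glitch') is a fork suffix and is ignored for comparison.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:rc(\d+))?")


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Turn a Mastodon version string into a comparable tuple.

    Release candidates sort below the final release of the same number.
    Returns None when the string carries no version, e.g. when an
    instance hides it or reports something unparseable.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, rc = m.groups()
    # Final releases get a large sentinel so that 2.5.2rc1 < 2.5.2.
    rc_rank = int(rc) if rc is not None else 10**6
    return (int(major), int(minor), int(patch), rc_rank)


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> Optional[bool]:
    """True if the reported version predates the fix, None if unknown."""
    v = parse_version(version)
    f = parse_version(fixed)
    if v is None or f is None:
        return None
    return v < f


def summarize(instances):
    """Tally instance records (dicts with an optional 'version' key)."""
    counts = {"vulnerable": 0, "patched": 0, "unknown": 0}
    for inst in instances:
        verdict = is_vulnerable(inst.get("version", ""))
        if verdict is None:
            counts["unknown"] += 1      # version hidden or unparseable
        elif verdict:
            counts["vulnerable"] += 1
        else:
            counts["patched"] += 1
    reporting = counts["vulnerable"] + counts["patched"]
    # Share of version-reporting instances that are still behind the fix,
    # matching the "more than 60 %" figure quoted in the thread.
    counts["vulnerable_pct_of_reporting"] = (
        round(100 * counts["vulnerable"] / reporting, 1) if reporting else 0.0
    )
    return counts


# Constructed sample records in the shape of /api/v1/instance responses.
SAMPLE_INSTANCES = [
    {"uri": "example-a.invalid", "version": "2.5.2"},
    {"uri": "example-b.invalid", "version": "2.4.3"},
    {"uri": "example-c.invalid", "version": "2.5.2rc1"},
    {"uri": "example-d.invalid", "version": "2.5.0+glitch"},
    {"uri": "example-e.invalid", "version": "2.6.0"},
    {"uri": "example-f.invalid"},  # version hidden by the admin
]

if __name__ == "__main__":
    for inst in SAMPLE_INSTANCES:
        print(inst["uri"], is_vulnerable(inst.get("version", "")))
    print(summarize(SAMPLE_INSTANCES))
```

Two caveats matter when reading such a tally: the version string is self-reported by the instance, so an admin can hide it or leave it stale, and a fork build may have backported the fixes without bumping the upstream number. The count is therefore a lower bound on patched instances only for those that report honestly, which is exactly why the thread treats the hidden-version majority as unknown rather than safe.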

