Mastodon :mastodon: security:

Additionally to the vulnerabilities discussed here [1], there are two other vulnerabilities fixed in Mastodon 2.5.2:

– nokogiri (1.8.5)
– XSS vulnerability

The remaining question: How many instances are vulnerable this time and remain vulnerable for weeks/months?



According to, more than 1200 instances run Mastodon < 2.5.2.

So more than 60 % of instances showing their version number are possibly vulnerable.

There may be 1000s more since the majority of instances hide their version number.

Five big instances (there are many more) are very likely vulnerable to all of the four vulnerabilities:

In total, they have more than 20,000 users.

@infosechandbook Well, this makes a strong case for eventually having a web based updater like Nextcloud has. "Security through convenience"!

Sign in to participate in the conversation
Mastodon is open to all users and federates with most instances.

🇩🇪 🇦🇹 🇨🇭 ist offen für alle User und ist mit vielen anderen Instanzen verbunden.