Mastodon, the free and open-source decentralized social networking platform, has patched four vulnerabilities, including a critical one that allows hackers to create arbitrary files on the server using specially crafted media files.
Mastodon has about 8.8 million users spread across 13,000 separate servers (instances) hosted by volunteers to support separate but interconnected (federated) communities.
All four problems were discovered by independent auditors from Cure53, a company that provides penetration testing for online services. The auditors inspected Mastodon’s code at Mozilla’s request.
The most severe of the vulnerabilities is tracked as CVE-2023-36460 and was named TootRoot. It offers attackers a particularly easy way to compromise target servers.
CVE-2023-36460 is an issue in Mastodon’s media processing code that allows specially crafted media files attached to toots (the equivalent of tweets) to cause a range of issues, from denial of service (DoS) to arbitrary remote code execution.
Although Mastodon’s security bulletin is laconic, security researcher Kevin Beaumont highlighted the risks associated with TootRoot, saying that a toot can be used to plant backdoors on servers that serve content to Mastodon users.
Such a compromise would give attackers unlimited control over the server and the data it hosts and manages, and would extend to sensitive user information.
The second critical-severity flaw, CVE-2023-36459, is a cross-site scripting (XSS) vulnerability in the oEmbed preview cards used by Mastodon that allows bypassing HTML sanitization in the target browser.
Attacks taking advantage of this flaw could be used for account takeover, user impersonation, or access to sensitive data.
The other two vulnerabilities addressed by Mastodon are CVE-2023-36461, a high-severity DoS flaw caused by slow HTTP responses, and CVE-2023-36462, also rated high severity, which allows an attacker to format a verified profile link in a deceptive way that can be used for phishing.
The four vulnerabilities affect all versions of Mastodon from 3.5.0 onward and have been fixed in versions 3.5.9, 4.0.5 and 4.1.3.
The patches are server-side security updates; administrators should apply them to remove the risk to their communities.
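For administrators who run or federate with many instances, the version facts above are enough to write a quick patch-status check. The following is an added example, not code from Mastodon or from the article's author: it takes the version string that a Mastodon server reports in the `version` field of its `/api/v1/instance` response (the sample JSON below is constructed, not captured from a real server) and decides whether that version is inside the affected range. It assumes that fixes ship per minor branch (3.5.x, 4.0.x, 4.1.x), that any release newer than 4.1.3 postdates the fix (the page does not state this), and that a pre-release tag on a fixed version (e.g. `4.1.3-rc1`) should be treated conservatively as still unpatched.

```python
"""Patch-status check for the July 2023 Mastodon advisories
(CVE-2023-36459, -36460, -36461, -36462).

Only the facts stated in the bulletin are encoded: affected from 3.5.0,
fixed in 3.5.9, 4.0.5 and 4.1.3. Everything else is a labelled assumption.
"""
import json
import re
from typing import Tuple

# First release on each minor branch that contains the fix (from the advisory).
FIXED_PER_BRANCH = {
    (3, 5): (3, 5, 9),
    (4, 0): (4, 0, 5),
    (4, 1): (4, 1, 3),
}
FIRST_AFFECTED = (3, 5, 0)   # advisory: all versions from 3.5.0 are affected

# Accepts "4.1.2", "v4.1.2", "4.1.3-rc1", "4.1.2+glitch", ...
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(.*)$")


def parse_version(text: str) -> Tuple[Tuple[int, int, int], bool]:
    """Return ((major, minor, patch), is_final).

    is_final is False for a pre-release suffix such as "-rc1" or "rc1".
    A "+..." suffix is semver build metadata (forks often use it) and is
    treated as a final release. Assumption: Mastodon-style version strings.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    core = tuple(int(part) for part in match.group(1, 2, 3))
    suffix = match.group(4)
    is_final = suffix == "" or suffix.startswith("+")
    return core, is_final  # type: ignore[return-value]


def is_affected(version: str) -> bool:
    """True if the given Mastodon version is inside the advisory's affected range."""
    core, is_final = parse_version(version)
    if core < FIRST_AFFECTED:
        return False                      # older than 3.5.0: not listed as affected
    fixed = FIXED_PER_BRANCH.get(core[:2])
    if fixed is None:
        # Branch not named in the advisory. Anything below 3.5 was handled above;
        # assumption: anything newer than 4.1 was released after the fix.
        return False
    if core < fixed:
        return True                       # on a patched branch, but below the fixed release
    if core == fixed and not is_final:
        return True                       # e.g. 4.1.3-rc1: treat conservatively as unpatched
    return False


def check_instance_json(body: str) -> Tuple[str, bool]:
    """Read the 'version' field of a /api/v1/instance response body and
    return (version, affected). Raises KeyError if the field is absent."""
    version = json.loads(body)["version"]
    return version, is_affected(version)


# Constructed sample response (not from a real server), trimmed to the one field used.
SAMPLE_INSTANCE_JSON = '{"uri": "example.invalid", "version": "4.1.2"}'

if __name__ == "__main__":
    reported, affected = check_instance_json(SAMPLE_INSTANCE_JSON)
    print(f"{reported}: {'UPDATE REQUIRED' if affected else 'patched'}")
```

Run it against the JSON you fetch from each instance's `/api/v1/instance` endpoint; the check errs on the side of reporting a version as affected when the string is ambiguous (pre-release of a fixed version), which is the direction an administrator wants.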