In this long read, we're exploring CVE-2022-24307, a critical vulnerability in Mastodon — the popular, decentralized social networking platform. This bug exposes Mastodon instances running versions before 3.3.2 and 3.4.x before 3.4.6 to unauthorized actions, caused by incorrect access control when handling signed JSON-LD activities.

If you’re a Mastodon admin or hobbyist, understanding this vulnerability is key to securing your server and users from possible abuse.

> Original advisory:  
> CVE-2022-24307 - NVD Details  
> GitHub Mastodon Advisory  
> Mastodon Release Notes

Background: What Happened?

Mastodon is based on ActivityPub and handles activities via JSON-LD (JSON for Linked Data). Since version 1.6, Mastodon supports JSON-LD signatures. The JSON-LD compaction operation normalizes incoming data against a known context, so that terms defined under different contexts are mapped to the same meaning.

Failing to compact before validating the signature or handling access checks can result in authorization bypass – and that’s what happened here.

The Vulnerability

If you send an ActivityPub *activity* to a vulnerable Mastodon server and you craft the JSON-LD context cleverly, you may bypass access control and perform actions on behalf of other users.

The root issue?

About JSON-LD Compaction

In JSON-LD, @context lets an activity define what its terms mean. If you skip the compaction step, the same activity can be interpreted differently depending on how @context is set. For ActivityPub, where the actor and audience fields drive authorization, that's a big deal.

Here's pseudo-code to illustrate what went wrong:

# Vulnerable code pattern (simplified)
def handle_incoming_activity(json)
  # Directly check attributes WITHOUT compaction
  if json['actor'] == 'https://malicious.actor/' && json['to'].include?('https://target.example/@victim')
    # Allow action!
  else
    # Ignore
  end
end

If the attacker sets up a custom @context that remaps the meaning of keys like actor or to, access control checks can fail:

The activity is signed using the attacker's private key (as required for Mastodon).

4. The crafted activity is POSTed to the vulnerable Mastodon instance's inbox endpoint (/inbox).
5. Mastodon fails to compact, reads the keys naively, and might perform actions *as if they came from* the victim's account (i.e., *spoofing*).

Example Attack JSON

Below is a simplified payload that could trick a vulnerable Mastodon instance. For illustration only:

{
  "@context": [
    "https://www.w3.org/ns/activitystreams",
    {
      "actor": "@context_remap"
    }
  ],
  "type": "Follow",
  "actor": "https://attacker.actor/",
  "object": "https://target.instance/@victim"
  // ... plus valid signature for attacker.actor
}

With clever use of @context, the attacker could remap actor to mean something else, maybe pointing it at a victim user or making Mastodon believe the request is authorized.

Ensure authorization checks are based on the real, intended data

The patched Mastodon versions do this compaction step early in the process.
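To make the difference concrete, here is an added Ruby sketch (not Mastodon's code; it uses a deliberately tiny subset of JSON-LD term resolution in place of the real json-ld library, and every host, IRI and the sample activity are constructed): the raw `actor` key and the actor after normalization can disagree, so the handler has to decide on the normalized form and can treat a mismatch as a signal to reject and log the activity.

```ruby
AS_NS = 'https://www.w3.org/ns/activitystreams'.freeze
AS_PREFIX = "#{AS_NS}#".freeze
AS_TERMS = %w[actor object to type].freeze  # constructed: the only AS terms known here

# Toy subset of JSON-LD term resolution (not the json-ld gem Mastodon uses):
# the AS context string defines the known terms, hash entries define string
# aliases, and later entries override earlier ones.
def term_map(context)
  entries = context.is_a?(Array) ? context : [context]
  entries.each_with_object({}) do |entry, map|
    if entry == AS_NS
      AS_TERMS.each { |t| map[t] = AS_PREFIX + t }
    elsif entry.is_a?(Hash)
      entry.each { |term, iri| map[term] = iri if iri.is_a?(String) }
    end
  end
end

# Re-express the activity in the standard AS vocabulary only: expand each key
# to its IRI and keep it only if it is a known AS term. This is the step the
# vulnerable versions skipped before reading 'actor' and 'to'.
def normalize(json)
  map = term_map(json['@context'])
  json.each_with_object({}) do |(key, value), out|
    next if key == '@context'
    iri = map.fetch(key, key)
    out[iri.delete_prefix(AS_PREFIX)] = value if iri.start_with?(AS_PREFIX)
  end
end

# Defender-side check: if the raw 'actor' key and the normalized actor disagree,
# @context is being used to remap terms; reject the activity and log it.
def actor_remapped?(json)
  json['actor'] != normalize(json)['actor']
end

# Constructed sample: the raw "actor" key is aliased to an unrelated IRI while
# the real as:actor arrives under a differently named key.
CRAFTED = {
  '@context' => [
    AS_NS,
    { 'actor' => 'https://example.invalid/ns#label',
      'originator' => "#{AS_PREFIX}actor" }
  ],
  'type' => 'Follow',
  'actor' => 'https://victim.example/users/alice',
  'originator' => 'https://attacker.example/users/mallory',
  'object' => 'https://target.example/users/bob'
}.freeze
```

Running `normalize(CRAFTED)` yields an `actor` of mallory while the raw key says alice, which is exactly the divergence an authorization check must not be exposed to.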

Impact & Exploitation

Who is affected?

Damaging reputation and trust in your instance

References & Discussion:  
- Mastodon Security Advisory
- Activity Streams 2. - W3C

How to Patch

Simple:

Mastodon Docker Installations:

git fetch --tags
git checkout v3.4.6
docker-compose build && docker-compose up -d

Manual Installations:
Follow Mastodon’s official upgrade guide.

Conclusion

CVE-2022-24307 illustrates the dangers of skipping key data normalization steps in federated protocols like ActivityPub. Without compacting JSON-LD before verifying signatures and checking access, Mastodon opened itself up to creative, damaging exploits with real-world consequences.

If you run a Mastodon instance:

For a full community discussion and more technical insight, check:

- GitHub Mastodon Issue #17445
- Mastodon Security Mailing List

*Stay secure, and always sanitize and verify your linked data!*

Timeline

Published on: 02/03/2022 20:15:00 UTC
Last modified on: 02/09/2022 15:02:00 UTC