CVE-2023-36461

Name: CVE-2023-36461
Creator: NVD / NIST
Published: 2023-07-06T19:15:10.88+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 7.5/10EPSS 1.14%

Last modified Jun 17, 2026

CVE-2023-36461 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. Mastodon is a free, open-source social network server based on ActivityPub. When performing outgoing HTTP queries, Mastodon sets a timeout on individual read operations. EPSS estimates a 1.14% chance of exploitation in the next 30 days.

Description

Mastodon is a free, open-source social network server based on ActivityPub. When performing outgoing HTTP queries, Mastodon sets a timeout on individual read operations. Prior to versions 3.5.9, 4.0.5, and 4.1.3, a malicious server can indefinitely extend the duration of the response through slowloris-type attacks. This vulnerability can be used to keep all Mastodon workers busy for an extended duration of time, leading to the server becoming unresponsive. Versions 3.5.9, 4.0.5, and 4.1.3 contain a patch for this issue.

Metrics

CVSS 3.1

7.5/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Probability

1.14%

62.6th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-770

Affected Software

Vendor	Product	Versions
Joinmastodon	Mastodon	< 3.5.9
Joinmastodon	Mastodon	>= 4.0.0, < 4.0.5
Joinmastodon	Mastodon	>= 4.1.0, < 4.1.3

References

http://www.openwall.com/lists/oss-security/2023/07/06/7Mailing List
https://github.com/mastodon/mastodon/commit/c5929798bf7e56cc2c79b15bed0c4692ded3dcb6Patch, Third Party Advisory
https://github.com/mastodon/mastodon/releases/tag/v3.5.9Third Party Advisory
https://github.com/mastodon/mastodon/releases/tag/v4.0.5Third Party Advisory
https://github.com/mastodon/mastodon/releases/tag/v4.1.3Third Party Advisory
https://github.com/mastodon/mastodon/security/advisories/GHSA-9pxv-6qvf-pjwcThird Party Advisory
http://www.openwall.com/lists/oss-security/2023/07/06/7Mailing List
https://github.com/mastodon/mastodon/commit/c5929798bf7e56cc2c79b15bed0c4692ded3dcb6Patch, Third Party Advisory
https://github.com/mastodon/mastodon/releases/tag/v3.5.9Third Party Advisory
https://github.com/mastodon/mastodon/releases/tag/v4.0.5Third Party Advisory
https://github.com/mastodon/mastodon/releases/tag/v4.1.3Third Party Advisory
https://github.com/mastodon/mastodon/security/advisories/GHSA-9pxv-6qvf-pjwcThird Party Advisory

Timeline

Published: Jul 6, 2023
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2023-36461?

How severe is CVE-2023-36461?

CVE-2023-36461 has a CVSS score of 7.5/10 (HIGH severity). The EPSS model estimates a 1.14% probability of exploitation in the next 30 days.

How do I fix CVE-2023-36461?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2023-36461?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST