CVE-2022-46405: 
NixOS vulnerability analysis and mitigation

Mastodon through version 4.0.2 contains a denial of service vulnerability (CVE-2022-46405) that allows attackers to cause a large Sidekiq pull queue by creating bot accounts that follow attacker-controlled accounts on certain other servers associated with a wildcard DNS A record. This leads to uncontrolled recursion of attacker-generated messages. The vulnerability was disclosed on December 3, 2022 (NVD).

The vulnerability exploits Mastodon's federation functionality by leveraging bot accounts to follow malicious servers using wildcard DNS records. When these bot accounts are deleted, they generate significant traffic that fills up the database and message queues. The attack is amplified when the malicious server is placed behind Cloudflare and returns 521 errors, causing messages to end up in retry queues. The vulnerability has been assigned a CVSS v3.1 score of 7.5 HIGH (NVD).

When successfully exploited, this vulnerability can cause denial of service conditions by overwhelming Mastodon instances with large Sidekiq pull queues. The attack can significantly impact server resources and potentially disrupt normal service operations through database flooding and queue saturation (NVD).

Server administrators can mitigate this vulnerability by defederating from suspicious domains, particularly those using wildcard DNS, and implementing strict controls on new account creation. Additionally, monitoring and limiting Sidekiq queue sizes can help prevent resource exhaustion (HackMD).

The vulnerability was initially reported through the Fediverse, with system administrators sharing observations and mitigation strategies. Instance administrators have responded by implementing domain blocks and sharing information about suspicious patterns to help protect the wider Mastodon network (HackMD).