CVE-2023-36461: 
NixOS vulnerability analysis and mitigation

Mastodon, a free and open-source social network server based on ActivityPub, was found to have a vulnerability (CVE-2023-36461) in its HTTP query handling. Prior to versions 3.5.9, 4.0.5, and 4.1.3, when performing outgoing HTTP queries, Mastodon sets a timeout on individual read operations, but a malicious server could indefinitely extend the duration of the response through slowloris-type attacks. This vulnerability was discovered by Cure53 during an audit performed at Mozilla's request (GitHub Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The issue stems from the way Mastodon handles timeouts on individual read operations during outgoing HTTP queries. The vulnerability is classified under CWE-770 (Allocation of Resources Without Limits or Throttling) (NVD).

This vulnerability can be exploited to keep all Mastodon workers busy for an extended duration of time, leading to the server becoming unresponsive. The attack affects the availability of the service while not impacting confidentiality or integrity (GitHub Advisory).

The vulnerability has been patched in Mastodon versions 3.5.9, 4.0.5, and 4.1.3. Users are advised to upgrade to these patched versions to protect against this vulnerability. The fix involves changes to the timeout handling of outbound HTTP requests (Mastodon Release).