CVE-2023-49952: 
NixOS vulnerability analysis and mitigation

Mastodon versions 4.1.x before 4.1.17 and 4.2.x before 4.2.9 contain a vulnerability that allows attackers to bypass rate limiting functionality through crafted HTTP request headers. The vulnerability was identified and tracked as CVE-2023-49952, with a CVSS v3.1 base score of 7.5 (High) (NVD).

The vulnerability exists in the rate limiting implementation where an attacker can bypass the protection by setting the X-Forwarded-For or Client-Ip HTTP header to '127.0.0.1'. This is possible because Rails' RemoteIp middleware, as used in Mastodon, will always trust the last X-Forwarded-For or Client-Ip header even if it comes from an untrusted source. Additionally, Mastodon's rate-limiting implementation through rack-attack explicitly exempts 127.0.0.1, allowing attackers to circumvent these protections if they can spoof their IP address (GitHub Advisory).

The bypass of rate limiting measures renders all protective measures based on it ineffective, including brute force detection. Attackers could potentially conduct automated attempts to guess valid usernames and corresponding passwords. Additionally, users could manipulate their apparent IP address in log entries. However, the impact is limited by the requirement that attackers must be able to provide their own X-Forwarded-For or Client-Ip header without any being appended by a remote-proxy, which requires the Mastodon server to be misconfigured (GitHub Advisory).

The vulnerability has been patched in Mastodon versions 4.1.17 and 4.2.9. Users should upgrade to these or newer versions to protect against this vulnerability (GitHub Advisory).