CVE-2024-25623: 
NixOS vulnerability analysis and mitigation

Mastodon, a free open-source social network server based on ActivityPub, disclosed a high-severity vulnerability (CVE-2024-25623) affecting versions prior to 4.2.7, 4.1.15, 4.0.15, and 3.5.19. The vulnerability was discovered in February 2024 and involves insufficient Content-Type header checking when fetching remote statuses (GitHub Advisory).

The vulnerability stems from Mastodon's failure to verify the Content-Type header value of Activity Streams media type when fetching remote statuses. The FetchRemoteStatusService did not validate that responses from remote servers had the correct Content-Type header value (either application/ld+json with a profile value of https://www.w3.org/ns/activitystreams, or application/activity+json). The vulnerability received a CVSS v3.1 score of 8.5 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N (NVD).

The vulnerability enables threat actors to impersonate accounts on remote servers by uploading crafted Activity Streams documents. This could lead to unauthorized access and potential misrepresentation of legitimate users on the platform (GitHub Advisory).

The vulnerability has been patched in Mastodon versions 4.2.7, 4.1.15, 4.0.15, and 3.5.19. Users are advised to upgrade to these or newer versions to mitigate the risk (NVD).