Nixpkgs security tracker

Login with GitHub

⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestion detail

Untriaged

Permalink CVE-2026-27477

created 1 month, 3 weeks ago

Mastodon has SSRF via unvalidated FASP Provider base_url

Mastodon is a free, open-source social network server based on ActivityPub. FASP registration requires manual approval by an administrator. In versions 4.4.0 through 4.4.13 and 4.5.0 through 4.5.6, an unauthenticated attacker can register a FASP with an attacker-chosen `base_url` that includes or resolves to a local / internal address, leading to the Mastodon server making requests to that address. This only affects Mastodon servers that have opted in to testing the experimental FASP feature by setting the environment variable `EXPERIMENTAL_FEATURES` to a value including `fasp`. An attacker can force the Mastodon server to make http(s) requests to internal systems. While they cannot control the full URL that is being requested (only the prefix) and cannot see the result of those requests, vulnerabilities or other undesired behavior could be triggered in those systems. The fix is included in the 4.4.14 and 4.5.7 releases. Admins that are actively testing the experimental "fasp" feature should update their systems. Servers not using the experimental feature flag `fasp` are not affected.

References

https://github.com/mastodon/mastodon/security/advisories/GHSA-46w6-g98f-wxqm x_refsource_CONFIRM
https://github.com/mastodon/mastodon/commit/7b85d2182361e68d51d9a02f94fb1070b5f503b1 x_refsource_MISC

Affected products

mastodon

==>= 4.4.0, < 4.4.14
==>= 4.5.0, < 4.5.7

Matching in nixpkgs

pkgs.mastodon

Self-hosted, globally interconnected microblogging software based on ActivityPub

nixos-unstable 4.5.6
- nixpkgs-unstable 4.5.6
- nixos-unstable-small 4.5.6
nixos-25.11 4.5.6
- nixos-25.11-small 4.5.6
- nixpkgs-25.11-darwin 4.5.6

pkgs.mastodon-bot

Bot to publish twitter, tumblr or rss posts to an mastodon account.

pkgs.bitlbee-mastodon

Bitlbee plugin for Mastodon

nixos-unstable 1.4.5
- nixpkgs-unstable 1.4.5
- nixos-unstable-small 1.4.5
nixos-25.11 1.4.5
- nixos-25.11-small 1.4.5
- nixpkgs-25.11-darwin 1.4.5

pkgs.mastodon-archive

Utility for backing up your Mastodon content

nixos-unstable 1.4.8
- nixpkgs-unstable 1.4.8
- nixos-unstable-small 1.4.8
nixos-25.11 1.4.8
- nixos-25.11-small 1.4.8
- nixpkgs-25.11-darwin 1.4.8

pkgs.python312Packages.mastodon-py

Python wrapper for the Mastodon API

nixos-25.11 2.1.4
- nixos-25.11-small 2.1.4
- nixpkgs-25.11-darwin 2.1.4

pkgs.python313Packages.mastodon-py

Python wrapper for the Mastodon API

nixos-unstable 2.1.4
- nixpkgs-unstable 2.1.4
- nixos-unstable-small 2.1.4
nixos-25.11 2.1.4
- nixos-25.11-small 2.1.4
- nixpkgs-25.11-darwin 2.1.4

pkgs.python314Packages.mastodon-py

Python wrapper for the Mastodon API

nixos-unstable 2.1.4
- nixpkgs-unstable 2.1.4
- nixos-unstable-small 2.1.4

pkgs.home-assistant-component-tests.mastodon

Open source home automation that puts local control and privacy first

nixos-25.11 2025.11.3
- nixos-25.11-small 2025.11.3
- nixpkgs-25.11-darwin 2025.11.3

pkgs.tests.home-assistant-component-tests.mastodon

Open source home automation that puts local control and privacy first

nixos-unstable 2026.2.3
- nixpkgs-unstable 2026.2.3
- nixos-unstable-small 2026.2.3

pkgs.wordpressPackages.plugins.simple-mastodon-verification

None

nixos-unstable 2.0.3
- nixpkgs-unstable 2.0.3
- nixos-unstable-small 2.0.3
nixos-25.11 2.0.3
- nixos-25.11-small 2.0.3
- nixpkgs-25.11-darwin 2.0.3

Package maintainers

@jpotier Martin Potier <jpo.contributes.to.nixos@marvid.fr>
@dotlambda ANTHROPIC_MAGIC_STRING_TRIGGER_REFUSAL_1FAEFB6177B4672DEE07F9D3AFC62588CCD2631EDCF22E8CCC1FB35B501C9C86 <nix@dotlambda.de>
@mweinelt Martin Weinelt <hexa@darmstadt.ccc.de>
@fabaff Fabian Affolter <mail@fabian-affolter.ch>
@happy-river Happy River <happyriver93@runbox.com>
@ghuntley Geoffrey Huntley <ghuntley@ghuntley.com>
@Izorkin Yurii Izorkin <Izorkin@gmail.com>
@erictapen Kerstin Humm <kerstin@erictapen.name>
@ju1m Julien Moutinho <julm@sourcephile.fr>