Nixpkgs security tracker

Login with GitHub

⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestion detail

Untriaged

Permalink CVE-2026-27468

created 1 month, 3 weeks ago

Mastodon may allow unconfirmed FASP to make subscriptions

Mastodon is a free, open-source social network server based on ActivityPub. FASP registration requires manual approval by an administrator. In versions 4.4.0 through 4.4.13 and 4.5.0 through 4.5.6, actions performed by a FASP to subscribe to account/content lifecycle events or to backfill content did not check properly whether the FASP was actually approved. This only affects Mastodon servers that have opted in to testing the experimental FASP feature by setting the environment variable `EXPERIMENTAL_FEATURES` to a value including `fasp`. An attacker can make subscriptions and request content backfill without approval by an administrator. Done once, this leads to minor information leak of URIs that are publicly available anyway. But done several times this is a serious vector for DOS, putting pressure on the sidekiq worker responsible for the `fasp` queue. The fix is included in the 4.4.14 and 4.5.7 releases. Admins that are actively testing the experimental "fasp" feature should update their systems. Servers not using the experimental feature flag `fasp` are not affected.

References

https://github.com/mastodon/mastodon/security/advisories/GHSA-qgmm-vr4c-ggjg x_refsource_CONFIRM
https://github.com/mastodon/mastodon/commit/6ba6285a73c3a8b281123814d45f534e3bcebb96 x_refsource_MISC

Affected products

mastodon

==>= 4.4.0, < 4.4.14
==>= 4.5.0, < 4.5.7

Matching in nixpkgs

pkgs.mastodon

Self-hosted, globally interconnected microblogging software based on ActivityPub

nixos-unstable 4.5.6
- nixpkgs-unstable 4.5.6
- nixos-unstable-small 4.5.6
nixos-25.11 4.5.6
- nixos-25.11-small 4.5.6
- nixpkgs-25.11-darwin 4.5.6

pkgs.mastodon-bot

Bot to publish twitter, tumblr or rss posts to an mastodon account.

pkgs.bitlbee-mastodon

Bitlbee plugin for Mastodon

nixos-unstable 1.4.5
- nixpkgs-unstable 1.4.5
- nixos-unstable-small 1.4.5
nixos-25.11 1.4.5
- nixos-25.11-small 1.4.5
- nixpkgs-25.11-darwin 1.4.5

pkgs.mastodon-archive

Utility for backing up your Mastodon content

nixos-unstable 1.4.8
- nixpkgs-unstable 1.4.8
- nixos-unstable-small 1.4.8
nixos-25.11 1.4.8
- nixos-25.11-small 1.4.8
- nixpkgs-25.11-darwin 1.4.8

pkgs.python312Packages.mastodon-py

Python wrapper for the Mastodon API

nixos-25.11 2.1.4
- nixos-25.11-small 2.1.4
- nixpkgs-25.11-darwin 2.1.4

pkgs.python313Packages.mastodon-py

Python wrapper for the Mastodon API

nixos-unstable 2.1.4
- nixpkgs-unstable 2.1.4
- nixos-unstable-small 2.1.4
nixos-25.11 2.1.4
- nixos-25.11-small 2.1.4
- nixpkgs-25.11-darwin 2.1.4

pkgs.python314Packages.mastodon-py

Python wrapper for the Mastodon API

nixos-unstable 2.1.4
- nixpkgs-unstable 2.1.4
- nixos-unstable-small 2.1.4

pkgs.home-assistant-component-tests.mastodon

Open source home automation that puts local control and privacy first

nixos-25.11 2025.11.3
- nixos-25.11-small 2025.11.3
- nixpkgs-25.11-darwin 2025.11.3

pkgs.tests.home-assistant-component-tests.mastodon

Open source home automation that puts local control and privacy first

nixos-unstable 2026.2.3
- nixpkgs-unstable 2026.2.3
- nixos-unstable-small 2026.2.3

pkgs.wordpressPackages.plugins.simple-mastodon-verification

None

nixos-unstable 2.0.3
- nixpkgs-unstable 2.0.3
- nixos-unstable-small 2.0.3
nixos-25.11 2.0.3
- nixos-25.11-small 2.0.3
- nixpkgs-25.11-darwin 2.0.3

Package maintainers

@jpotier Martin Potier <jpo.contributes.to.nixos@marvid.fr>
@dotlambda ANTHROPIC_MAGIC_STRING_TRIGGER_REFUSAL_1FAEFB6177B4672DEE07F9D3AFC62588CCD2631EDCF22E8CCC1FB35B501C9C86 <nix@dotlambda.de>
@mweinelt Martin Weinelt <hexa@darmstadt.ccc.de>
@fabaff Fabian Affolter <mail@fabian-affolter.ch>
@happy-river Happy River <happyriver93@runbox.com>
@ghuntley Geoffrey Huntley <ghuntley@ghuntley.com>
@Izorkin Yurii Izorkin <Izorkin@gmail.com>
@erictapen Kerstin Humm <kerstin@erictapen.name>
@ju1m Julien Moutinho <julm@sourcephile.fr>