Mastodon has a GET-Based Open Redirect via '/web/%2F<domain>'
Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.8, 4.4.15, and 4.3.21, an unauthenticated Open Redirect vulnerability (CWE-601) exists in the `/web/*` route due to improper handling of URL-encoded path segments. An attacker can craft a specially encoded URL that causes the application to redirect users to an arbitrary external domain, enabling phishing attacks and potential OAuth credential theft. The issue occurs because URL-encoded slashes (`%2F`) bypass Rails path normalization and are interpreted as host-relative redirects. Versions 4.5.8, 4.4.15, and 4.3.21 patch the issue.
Problem Types
| Type | CWE ID | Description |
|---|
| CWE | CWE-601 | CWE-601: URL Redirection to Untrusted Site ('Open Redirect') |
Type: CWE
Description: CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
Metrics
| Version | Base score | Base severity | Vector |
|---|
| 3.1 | 4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N |
Version: 3.1
Base score: 4.3
Base severity: MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N