
mastodon

v4.5.10 Security

This release includes 4 security fixes; security teams running exposed deployments should review it.

Published 14 days ago · Category: Communication & Email
This release patches 4 GitHub security advisories (GHSA identifiers are listed under Security Fixes below); no CVE identifiers are given on this page.

Topics

activity-stream, activitypub, docker, fediverse, mastodon, microblog, social-network, social-web, webfinger

Affected surfaces

rce_ssrf, breaking_upgrade

Summary

AI summary

Broad release touching SSRF protection and Linked-Data Signature verification; see https://github.com/mastodon/mastodon/security/advisories/GHSA-xx55-4rrg-8xg6, https://github.com/mastodon/mastodon/security/advisories/GHSA-crr4-7rm4-8gpw, and https://github.com/mastodon/mastodon/security/advisories/GHSA-53m7-2wrh-q839 (a fourth advisory, GHSA-chgx-jx3p-rf73, is listed under Security Fixes below).

Changes in this release

Security Medium

Fix SSRF protection bypass (GHSA-crr4-7rm4-8gpw, GHSA-xx55-4rrg-8xg6)

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: low

Security Medium

Fix Linked-Data Signature bypass through JSON-LD graph restructuring features (GHSA-53m7-2wrh-q839, GHSA-chgx-jx3p-rf73)

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: low

Breaking Medium

Requires assets recompilation for upgrade

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Dependency Medium

Updated dependencies (not reflected in the changelog below; the external dependency requirements are unchanged since v4.5.0)

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: low

Deprecation Medium

Remove unused Devise strategies

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: low

Bugfix Medium

Fix type of interactingObject, interactionTarget, and add missing QuoteAuthorization

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Full changelog

Upgrade overview

This release contains upgrade notes that deviate from the norm:

ℹ️ Requires assets recompilation

For more information, view the complete release notes and scroll down to the upgrade instructions section.

Changelog

Security

Fixed

  • Fix type of interactingObject, interactionTarget and add missing QuoteAuthorization (#38940 by @ClearlyClaire)

Removed

  • Remove unused devise strategies (#38795 by @ClearlyClaire)

Upgrade notes

To get the code for v4.5.10, use git fetch && git checkout v4.5.10.

[!NOTE]
As always, make sure you have backups of the database before performing any upgrades. If you are using docker-compose, this is how a backup command might look: docker exec mastodon_db_1 pg_dump -Fc -U postgres postgres > name_of_the_backup.dump

Dependencies

External dependencies have not changed since v4.5.0.

  • Ruby: 3.2 or newer
  • PostgreSQL: 14 or newer
  • Elasticsearch (recommended, for full-text search): 7.x (OpenSearch should also work)
  • LibreTranslate (optional, for translations): 1.3.3 or newer
  • Redis: 7.0 or newer
  • Node: 20.19 or newer
  • libvips (optional, instead of ImageMagick): 8.13 or newer
  • ImageMagick (optional if using libvips): 6.9.7-7 or newer

Update steps

The following instructions are for updating from 4.5.9.

If you are upgrading directly from an earlier release, please carefully read the upgrade notes for the skipped releases as well, as they often require extra steps such as database migrations. In particular, it is very important to read the 4.5.0 release notes.

Non-Docker

[!TIP]
The charlock_holmes gem may fail to build on some systems with recent versions of gcc.
If you run into this issue, try BUNDLE_BUILD__CHARLOCK_HOLMES="--with-cxxflags=-std=c++17" bundle install.

  1. Install dependencies with bundle install and yarn install --immutable
  2. Precompile the assets: RAILS_ENV=production bundle exec rails assets:precompile
  3. Restart all Mastodon processes.

When using Docker

  1. Restart all Mastodon processes.

Breaking Changes

  • Removed unused Devise authentication strategies

Security Fixes

  • GHSA-crr4-7rm4-8gpw – Fix SSRF protection bypass
  • GHSA-xx55-4rrg-8xg6 – Fix SSRF protection bypass
  • GHSA-53m7-2wrh-q839 – Fix Linked‑Data Signature bypass via JSON‑LD restructuring
  • GHSA-chgx-jx3p-rf73 – Fix Linked‑Data Signature bypass via JSON‑LD restructuring
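A small triage helper for the two lists above (the dependency minimums and the advisories fixed in v4.5.10), added here as an example; it is not code from the Mastodon project or from this page. Given the version string an instance reports (where you obtain it, for example from the version field of its instance API, is an assumption of this example), it says whether the instance is still on a 4.5.x release older than 4.5.10, and given the installed versions of the required dependencies it names the ones below the page's minimums. Host names and version strings in the sample data are constructed; comparison is done with Ruby's Gem::Version.

```ruby
# Added example, not Mastodon project code. Uses rubygems' Gem::Version for
# dotted-version comparison; Ruby loads rubygems by default, the require is explicit.
require 'rubygems'

# The release this page describes. Only the 4.5 series is in scope; other
# series are reported as :unknown rather than guessed at.
FIXED_VERSION = Gem::Version.new('4.5.10')
FIXED_SERIES  = '4.5'

# Minimum versions of the required external dependencies, as listed on the page.
# Optional components (Elasticsearch "7.x", ImageMagick "6.9.7-7", ...) are left out
# because their version strings are not plain dotted numbers.
REQUIRED_MINIMUMS = {
  'ruby'       => '3.2',
  'postgresql' => '14',
  'redis'      => '7.0',
  'node'       => '20.19',
}.freeze

# Parse a reported version into a Gem::Version, tolerating a "+suffix" build tag
# (forks and nightly builds append one). Returns nil for empty or malformed input
# instead of raising, so a fleet scan is not aborted by one odd instance.
def parse_version(reported)
  core = reported.to_s.split('+').first.to_s.strip
  return nil if core.empty? || !Gem::Version.correct?(core)
  Gem::Version.new(core)
end

# :patched       reported 4.5.x >= 4.5.10
# :needs_update  reported 4.5.x <  4.5.10, i.e. still exposed to the four advisories
# :unknown       unparsable, or a release series this page says nothing about
def triage(reported)
  v = parse_version(reported)
  return :unknown if v.nil?
  return :unknown unless v.segments[0, 2].join('.') == FIXED_SERIES
  v >= FIXED_VERSION ? :patched : :needs_update
end

# installed: { 'ruby' => '3.3.6', ... }, collected by the caller (assumed, e.g. from
# `ruby -v`, `psql --version`, `redis-server --version`, `node -v`).
# Returns the names whose installed version is missing, malformed, or below the minimum.
def unmet_dependencies(installed)
  REQUIRED_MINIMUMS.reject do |name, minimum|
    v = parse_version(installed[name])
    v && v >= Gem::Version.new(minimum)
  end.keys
end

# Constructed sample data (not real hosts or measurements).
SAMPLE_INSTANCES = {
  'a.example' => '4.5.9',
  'b.example' => '4.5.10',
  'c.example' => '4.5.8+somefork',
  'd.example' => '4.4.1',
  'e.example' => 'n/a',
}.freeze

SAMPLE_INSTALLED = {
  'ruby' => '3.3.6', 'postgresql' => '16.4', 'redis' => '7.2.4', 'node' => '18.20.4',
}.freeze

# One status per host; the :unknown bucket is where a reviewer looks by hand.
def triage_report(instances = SAMPLE_INSTANCES)
  instances.transform_values { |version| triage(version) }
end

if __FILE__ == $PROGRAM_NAME
  triage_report.each { |host, status| puts "#{host}: #{status}" }
  puts "dependencies below minimum: #{unmet_dependencies(SAMPLE_INSTALLED).inspect}"
end
```

The 4.4 sample is deliberately reported as unknown rather than patched: this page only documents 4.5.10, so a different series has to be checked against its own release notes instead of being silently passed.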


About mastodon

Your self-hosted, globally interconnected microblogging community

