This release includes 2 security fixes for security teams reviewing exposed deployments.
Topics
+3 more
Affected surfaces
ReleasePort's take
Moderate signalMastodon v4.5.11 patches two critical security issues: an attribution domain spoofing vulnerability and a Denial‑of‑Service caused by uncaught exceptions in message sanitization.
Why it matters: Both fixes address high‑severity (90 and 85) vulnerabilities affecting API request handling and the message processing pipeline; operators should upgrade immediately to prevent exploitation.
Summary
AI summaryUpdates When using Docker, https://github.com/mastodon/mastodon/security/advisories/GHSA-rwcw-vq68-g34p, and https://github.com/mastodon/mastodon/security/advisories/GHSA-qrgq-9fx2-vf2r across a mixed release.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Security | Critical |
Fixes attribution domain spoofing vulnerability. Fixes attribution domain spoofing vulnerability. Source: llm_adapter@2026-06-03 Confidence: high |
— |
| Security | High |
Fixes uncaught exception in message sanitization causing Denial of Service. Fixes uncaught exception in message sanitization causing Denial of Service. Source: llm_adapter@2026-06-03 Confidence: high |
— |
| Bugfix | Medium |
Fixes rejection of remote statuses with large media descriptions. Fixes rejection of remote statuses with large media descriptions. Source: llm_adapter@2026-06-03 Confidence: high |
— |
Full changelog
Changelog
Security
- Fix allowed attribution domains spoofing (GHSA-rwcw-vq68-g34p)
- Fix uncaught exception in message sanitization causing Denial of Service (GHSA-qrgq-9fx2-vf2r)
- Update dependencies
Fixed
- Fix remote statuses with large media descriptions being rejected (#39135 by @ClearlyClaire)
Upgrade notes
To get the code for v4.5.11, use git fetch && git checkout v4.5.11.
[!NOTE]
As always, make sure you have backups of the database before performing any upgrades. If you are using docker-compose, this is how a backup command might look:docker exec mastodon_db_1 pg_dump -Fc -U postgres postgres > name_of_the_backup.dump
Dependencies
External dependencies have not changed since v4.5.0.
- Ruby: 3.2 or newer
- PostgreSQL: 14 or newer
- Elasticsearch (recommended, for full-text search): 7.x (OpenSearch should also work)
- LibreTranslate (optional, for translations): 1.3.3 or newer
- Redis: 7.0 or newer
- Node: 20.19 or newer
- libvips (optional, instead of ImageMagick): 8.13 or newer
- ImageMagick (optional if using libvips): 6.9.7-7 or newer
Update steps
The following instructions are for updating from 4.5.10.
If you are upgrading directly from an earlier release, please carefully read the upgrade notes for the skipped releases as well, as they often require extra steps such as database migrations. In particular, it is very important to read the 4.5.0 release notes.
Non-Docker
[!TIP]
Thecharlock_holmesgem may fail to build on some systems with recent versions of gcc.
If you run into this issue, tryBUNDLE_BUILD__CHARLOCK_HOLMES="--with-cxxflags=-std=c++17" bundle install.
- Install dependencies with
bundle install - Restart all Mastodon processes.
When using Docker
- Restart all Mastodon processes.
Security Fixes
- GHSA-rwcw-vq68-g34p — Fix allowed attribution domains spoofing
- GHSA-qrgq-9fx2-vf2r — Fix uncaught exception in message sanitization causing Denial of Service
Weekly OSS security release digest.
The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.
No spam, unsubscribe anytime.
Share this release
Beta — feedback welcome: [email protected]