Release history
mastodon releases
Your self-hosted, globally interconnected microblogging community
Upgrade now
v4.4.18
Security relevant
·
Auth
RCE / SSRF
Security fixes + media description handling
Upgrade now
v4.5.11
Security relevant
·
Auth
RCE / SSRF
Security fixes + media description bug
Upgrade now
v4.5.10
Breaking risk
·
RCE / SSRF
Breaking upgrade
SSRF fix + strategy removal
v4.3.22
Security relevant
·
Security fixes
- Insufficient verification of email addresses (GHSA-5r37-qpwq-2jhh)
Notable features
- Add trademark warning to mastodon:setup task
v4.4.16
Security relevant
·
Security fixes
- Insufficient verification of email addresses (GHSA-5r37-qpwq-2jhh)
Notable features
- Add trademark warning to mastodon:setup task
- Fix quote definition in JSON-LD context
v4.5.9
Security relevant
·
Security fixes
- Insufficient verification of email addresses (GHSA-5r37-qpwq-2jhh)
Notable features
- Add trademark warning to mastodon:setup task
- Fix quote definition in JSON-LD context
- Fix quote interactions with blocked users
v4.3.21
Security relevant
·
Security fixes
- GHSA-q4g8-82c5-9h33: Insufficient checks on quote authorizations
- GHSA-xqw8-4j56-5hj6: Open redirect in legacy path handler
Notable features
- Media description limit increased to 10000 characters for remote attachments
- Added search for already-known private GtS posts
v4.4.15
Security relevant
·
Security fixes
- GHSA-q4g8-82c5-9h33: Fixed insufficient checks on quote authorizations
- GHSA-xqw8-4j56-5hj6: Fixed open redirect in legacy path handler
Notable features
- Media description limit increased to 10000 characters for remote attachments
- Added support for searching private GtS posts
v4.5.8
Security relevant
·
Security fixes
- GHSA-q4g8-82c5-9h33 (quote authorization checks)
- GHSA-xqw8-4j56-5hj6 (open redirect in legacy path handler)
Notable features
- Search capability for private GtS posts
- Extended media description limit to 10,000 characters
- HTTP signature header improvements
v4.3.20
Bug fix
·
Notable features
- Added --suspended-only option to emoji purge command
v4.4.14
Security relevant
·
Security fixes
- GHSA-qgmm-vr4c-ggjg: Reject unconfirmed FASPs
- GHSA-46w6-g98f-wxqm: Re-use custom socket class for FASP requests
Notable features
- Added --suspended-only option to emoji purge command
- Fixed custom emoji purging on domain suspension
v4.5.7
Security relevant
·
Security fixes
- GHSA-qgmm-vr4c-ggjg: Reject unconfirmed FASPs
- GHSA-46w6-g98f-wxqm: Re-use custom socket class for FASP requests
Notable features
- Added --suspended-only option to emoji purge command
- Fixed custom emoji purging on domain suspension
v4.3.19
Security relevant
·
Security fixes
- GHSA-ccpr-m53r-mfwr - ActivityPub collection caching not checking blocked accounts
v4.4.13
Security relevant
·
Security fixes
- GHSA-ccpr-m53r-mfwr (ActivityPub collection caching for blocked accounts)
v4.5.6
Security relevant
·
Security fixes
- ActivityPub collection caching not checking blocked accounts (GHSA-ccpr-m53r-mfwr)
v4.3.18
Security relevant
·
Security fixes
- GHSA-gg8q-rcg7-p79g - Missing limits on various federated properties
- GHSA-5h2f-wg8j-xqwp - Remote user suspension bypass
- GHSA-6x3w-9g92-gvf3 - Missing length limits on user-provided fields
v4.4.12
Security relevant
·
Security fixes
- GHSA-gg8q-rcg7-p79g - Missing limits on various federated properties
- GHSA-5h2f-wg8j-xqwp - Remote user suspension bypass
- GHSA-6x3w-9g92-gvf3 - Missing length limits on user-provided fields
v4.5.5
Security relevant
·
Security fixes
- GHSA-gg8q-rcg7-p79g - Missing limits on various federated properties
- GHSA-5h2f-wg8j-xqwp - Remote user suspension bypass
- GHSA-6x3w-9g92-gvf3 - Missing length limits on user-provided fields
v4.2.29
Security relevant
·
Security fixes
- GHSA-xfrj-c749-jxxq - SSRF protection bypass
v4.3.17
Security relevant
·
Security fixes
- SSRF protection bypass (GHSA-xfrj-c749-jxxq)
- Missing ownership check in severed relationships controller (GHSA-ww85-x9cp-5v24)
v4.4.11
Security relevant
·
Security fixes
- SSRF protection bypass (GHSA-xfrj-c749-jxxq)
- Missing ownership check in severed relationships controller (GHSA-ww85-x9cp-5v24)
v4.5.4
Security relevant
·
Security fixes
- SSRF protection bypass (GHSA-xfrj-c749-jxxq)
- Missing ownership check in severed relationships controller (GHSA-ww85-x9cp-5v24)