SNS
mastodon/mastodon
Your self-hosted, globally interconnected microblogging community
#mastodon#docker#microblog#activity-stream#webfinger#social-network#activitypub#fediverse#social-web
Score: 50 / 100
Stars: 49,952
Forks: 7,438
Open issues: 4,242
Size: 372MB
Language: Ruby
Last push: 0 days ago
Docker: 🐳 both (Dockerfile + compose) ★
Scoring breakdown
Past CVEs: 18 (somewhat many)
✓ Most recent push: 0 days ago
✓ Preferred language (Ruby)
— Open issues: 4,242
✓ Large repository (372MB)
— Docker support (Dockerfile + compose)
✓ 10k–50k stars: intermediate tier (★49,952)
— Note: see the "Scoring Rules" page for the weight of each item. The total is floored at 0.
Past SecurityAdvisory entries (20)
- Insufficient verification of email addresses
- Denial of service for quote authorization
- GET-Based Open Redirect via '/web/%2F<domain>'
- Allowing unconfirmed FASP to make subscriptions
- SSRF via unvalidated FASP Provider base_url
- Signature-dependent ActivityPub collection responses cached under signature-independent keys
- Denial of Service from a single post (client/server)
- Insufficient access control to push notification settings
- Remote suspension bypass
- Local users can enumerate and access severed relationships of every other local user
- SSRF Protection bypass
- Inconsistent error handling allows anonymously checking existence of known private posts
- Quotes control bypass
- Disabled and suspended user accounts stay connected to the streaming API and can connect afterwards
- Changing a user's password via CLI does not revoke sessions & access tokens
- Streaming server allows OAuth clients without the `read` scope to subscribe to public channels
- Mastodon confirmation e-mail throttle misconfiguration allows unlimited email confirmations against unconfirmed emails
- Lack of sanitization of user-facing URLs for remote objects can lead to XSS in misconfigured servers
- Missing rate-limit on sign-up email verification
- Domain blocks & rationales ignore user approval when visibility set as "users"