Mastodon fixes critical “TootRoot” vulnerability allowing node hijacking
The maintainers of the open source software that powers the Mastodon social network published a security update on Thursday that patches a critical vulnerability making it possible for hackers to backdoor the servers that push content to individual users.
Mastodon is based on a federated model. The federation comprises thousands of separate servers known as "instances." Individual users create an account with one of the instances, which in turn exchange content to and from users of other instances. To date, Mastodon has more than 24,000 instances and 14.5 million users, according to the-federation.info, a site that tracks statistics related to Mastodon.
A critical bug tracked as CVE-2023-36460 was one of two vulnerabilities rated as critical that were fixed on Thursday. In all, Mastodon on Thursday patched five vulnerabilities.