NIXPKGS-2026-0099

GitHub issue published on 5 Feb 2026

Permalink CVE-2026-25540

updated 6 days, 23 hours ago by @LeSuisse Activity log

Created automatic suggestion 1 week ago
@LeSuisse removed
11 packages
- mastodon-bot
- bitlbee-mastodon
- mastodon-archive
- nodePackages.mastodon-bot
- python312Packages.mastodon-py
- python313Packages.mastodon-py
- python314Packages.mastodon-py
- nodePackages_latest.mastodon-bot
- home-assistant-component-tests.mastodon
- tests.home-assistant-component-tests.mastodon
- wordpressPackages.plugins.simple-mastodon-verification
6 days, 23 hours ago
@LeSuisse removed
9 maintainers
- @ju1m
- @erictapen
- @ghuntley
- @dotlambda
- @fabaff
- @jpotier
- @mweinelt
- @Izorkin
- @happy-river
6 days, 23 hours ago
@LeSuisse accepted 6 days, 23 hours ago
@LeSuisse published on GitHub 6 days, 23 hours ago

Mastodon's signature-dependent ActivityPub collection responses cached under signature-independent keys (Web Cache Poisoning via `Rails.cache`)

Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.3.19, 4.4.13, 4.5.6, Mastodon is vulnerable to web cache poisoning via `Rails.cache. When AUTHORIZED_FETCH is enabled, the ActivityPub endpoints for pinned posts and featured hashtags have contents that depend on the account that signed the HTTP request. However, these contents are stored in an internal cache and reused with no regards to the signing actor. As a result, an empty response generated for a blocked user account may be served to requests from legitimate non-blocked actors, or conversely, content intended for non-blocked actors may be returned to blocked actors. This issue has been patched in versions 4.3.19, 4.4.13, 4.5.6.

Affected products

mastodon

==< 4.5.6
==< 4.3.19
==< 4.4.13

Matching in nixpkgs

pkgs.mastodon

Self-hosted, globally interconnected microblogging software based on ActivityPub

nixos-unstable 4.5.5
- nixpkgs-unstable 4.5.5
- nixos-unstable-small 4.5.5
nixos-25.11 4.5.5
- nixos-25.11-small 4.5.5
- nixpkgs-25.11-darwin 4.5.5

Ignored packages (11)

pkgs.mastodon-bot

Bot to publish twitter, tumblr or rss posts to an mastodon account.

pkgs.bitlbee-mastodon

Bitlbee plugin for Mastodon

nixos-unstable 1.4.5
- nixpkgs-unstable 1.4.5
- nixos-unstable-small 1.4.5
nixos-25.11 1.4.5
- nixos-25.11-small 1.4.5
- nixpkgs-25.11-darwin 1.4.5

pkgs.mastodon-archive

Utility for backing up your Mastodon content

nixos-unstable 1.4.8
- nixpkgs-unstable 1.4.8
- nixos-unstable-small 1.4.8
nixos-25.11 1.4.8
- nixos-25.11-small 1.4.8
- nixpkgs-25.11-darwin 1.4.8

pkgs.nodePackages.mastodon-bot

Bot to publish twitter, tumblr or rss posts to an mastodon account.

pkgs.python312Packages.mastodon-py

Python wrapper for the Mastodon API

nixos-25.11 2.1.4
- nixos-25.11-small 2.1.4
- nixpkgs-25.11-darwin 2.1.4

pkgs.python313Packages.mastodon-py

Python wrapper for the Mastodon API

nixos-unstable 2.1.4
- nixpkgs-unstable 2.1.4
- nixos-unstable-small 2.1.4
nixos-25.11 2.1.4
- nixos-25.11-small 2.1.4
- nixpkgs-25.11-darwin 2.1.4

pkgs.python314Packages.mastodon-py

Python wrapper for the Mastodon API

nixos-unstable 2.1.4
- nixpkgs-unstable 2.1.4
- nixos-unstable-small 2.1.4

pkgs.nodePackages_latest.mastodon-bot

Bot to publish twitter, tumblr or rss posts to an mastodon account.

pkgs.home-assistant-component-tests.mastodon

Open source home automation that puts local control and privacy first

nixos-25.11 2025.11.3
- nixos-25.11-small 2025.11.3
- nixpkgs-25.11-darwin 2025.11.3

pkgs.tests.home-assistant-component-tests.mastodon

Open source home automation that puts local control and privacy first

nixos-unstable 2026.1.3
- nixpkgs-unstable 2026.1.3
- nixos-unstable-small 2026.1.3

pkgs.wordpressPackages.plugins.simple-mastodon-verification

None

nixos-unstable 2.0.3
- nixpkgs-unstable 2.0.3
- nixos-unstable-small 2.0.3
nixos-25.11 2.0.3
- nixos-25.11-small 2.0.3
- nixpkgs-25.11-darwin 2.0.3

Package maintainers

Ignored maintainers (9)

@ju1m Julien Moutinho <julm+nixpkgs@sourcephile.fr>
@erictapen Kerstin Humm <kerstin@erictapen.name>
@ghuntley Geoffrey Huntley <ghuntley@ghuntley.com>
@dotlambda Robert Schütz <rschuetz17@gmail.com>
@fabaff Fabian Affolter <mail@fabian-affolter.ch>
@jpotier Martin Potier <jpo.contributes.to.nixos@marvid.fr>
@mweinelt Martin Weinelt <hexa@darmstadt.ccc.de>
@Izorkin Yurii Izorkin <Izorkin@gmail.com>
@happy-river Happy River <happyriver93@runbox.com>

Fixed in https://github.com/NixOS/nixpkgs/pull/486583 (unstable) and https://github.com/NixOS/nixpkgs/pull/486671 (25.11)

Nixpkgs Security Tracker

Details of issue NIXPKGS-2026-0099

Affected products

Matching in nixpkgs

pkgs.mastodon

pkgs.mastodon-bot

pkgs.bitlbee-mastodon

pkgs.mastodon-archive

pkgs.nodePackages.mastodon-bot

pkgs.python312Packages.mastodon-py

pkgs.python313Packages.mastodon-py

pkgs.python314Packages.mastodon-py

pkgs.nodePackages_latest.mastodon-bot

pkgs.home-assistant-component-tests.mastodon

pkgs.tests.home-assistant-component-tests.mastodon

pkgs.wordpressPackages.plugins.simple-mastodon-verification

Package maintainers