Cyber Resilience

CVE-2022-0432

Severity: Medium · Public PoC

Published: 02 February 2022
Modified: 21 November 2024
KEV Added: not listed
CVSS Score v3.1: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
EPSS Score: 0.5712 (98.2 percentile)
Risk Priority: 46 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-0432 is a medium-severity Prototype Pollution (CWE-1321) vulnerability in Joinmastodon Mastodon. Its CVSS base score is 6.1 (Medium).

Operationally, it ranks in the top 1.8% of CVEs by exploit likelihood (EPSS), is not currently listed in the CISA KEV catalog, and has a referenced public proof-of-concept.

Deeper analysis

CVE-2022-0432 is a prototype pollution vulnerability, tracked as CWE-1321, that affects the Mastodon social network software in the mastodon/mastodon GitHub repository prior to version 3.5.0. The flaw received a CVSS 3.1 score of 6.1 with the vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating a remotely exploitable client-side issue that can alter object prototypes when untrusted data is processed.

An unauthenticated remote attacker can trigger the vulnerability by supplying specially crafted input that reaches the affected code paths, gaining limited control over object properties. The vector's UI:R and S:C components indicate that a victim must perform some action and that the impact crosses from the vulnerable component into the victim's browser context; successful exploitation can therefore lead to cross-site scripting or other limited integrity and confidentiality impacts without prior credentials.

Public references point to a fix merged in commit 4d6d4b43c6186a13e67b92eaf70fe1b70ea24a09, which updates Mastodon to 3.5.0 and resolves the prototype-pollution vector. The associated huntr.dev report confirms the patch addresses the root cause in the input-handling logic.

The EPSS score for this CVE stands at 0.5712, with no recorded increase from an earlier baseline.

Vulnerability details

Prototype Pollution in GitHub repository mastodon/mastodon prior to 3.5.0.

CWE(s): CWE-1321 (Prototype Pollution)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: joinmastodon
Product: mastodon
Versions: ≤ 3.5.0

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.