CVE-2022-0432
Published: 02 February 2022
Summary
CVE-2022-0432 is a medium-severity Prototype Pollution (CWE-1321) vulnerability in Mastodon (vendor Joinmastodon) prior to version 3.5.0. Its CVSS base score is 6.1 (Medium).
Operationally, it ranks in the top 1.8% of CVEs by estimated exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
CVE-2022-0432 is a prototype pollution vulnerability, tracked as CWE-1321, that affects the Mastodon social network software (GitHub repository mastodon/mastodon) in versions prior to 3.5.0. The flaw received a CVSS 3.1 score of 6.1 with the vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N: network-reachable, low attack complexity, no privileges required, user interaction required, changed scope, and low confidentiality and integrity impact. That profile is typical of a client-side issue in which untrusted data is allowed to write to keys such as __proto__ and thereby alters the properties every object inherits.
An unauthenticated remote attacker can trigger the vulnerability by supplying specially crafted input that reaches the affected code path, gaining limited control over properties on shared object prototypes. The user-interaction and changed-scope components of the vector reflect that the impact lands in a victim's browser context rather than on the server: polluted prototype properties can alter how later code behaves and, depending on what consumes them, can escalate to cross-site scripting or other integrity and confidentiality impacts, without the attacker holding any credentials.
Public references point to the fix in commit 4d6d4b43c6186a13e67b92eaf70fe1b70ea24a09, which is included in Mastodon 3.5.0 and closes the prototype-pollution vector. The associated huntr.dev report confirms that the patch addresses the root cause in the affected input-handling logic. Operators should upgrade to 3.5.0 or later; the CVE record lists no workaround.
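The passages above describe the mechanism in general terms. The following is an added illustration, not Mastodon's code and not the specific code path fixed in 3.5.0: a hypothetical recursive merge (`unsafeMerge`) of the kind that commonly produces CWE-1321 when fed attacker-controlled JSON, placed beside a hardened version (`safeMerge`) that refuses prototype-affecting keys. The payload string, the `isAdmin` property name and the helper names are all constructed for the example.

```javascript
// Added example (not from the Mastodon project): CWE-1321 in a hypothetical
// recursive merge, and the hardened form of the same routine.

// Vulnerable pattern: copies every enumerable key from untrusted `source`
// into `target`. When `source` came from JSON.parse, it can carry an own
// property literally named "__proto__". Reading target["__proto__"] on a
// plain object returns Object.prototype, so the recursion writes into the
// prototype shared by every object in the realm.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      unsafeMerge(target[key], value); // recursion is where the pollution happens
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened pattern: skip the three keys that reach the prototype chain,
// iterate only own keys, and only descend into containers `target` owns
// itself (never into something inherited from a prototype).
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // drop prototype-affecting keys outright
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (!hasOwn(target, key) || target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker payload: a JSON body that a merge like the above might
// process. The "__proto__" member is the pollution vector.
const PAYLOAD = '{"display_name":"alice","__proto__":{"isAdmin":true}}';

// Runs the vulnerable merge and reports whether an unrelated, freshly created
// object now inherits the attacker's property. Cleans up afterwards so the
// rest of the process is not left polluted.
function demoUnsafe() {
  unsafeMerge({}, JSON.parse(PAYLOAD));
  const unrelated = {};
  const leaked = unrelated.isAdmin; // true: Object.prototype.isAdmin was set
  delete Object.prototype.isAdmin;
  return leaked;
}

// Runs the hardened merge and reports that the legitimate key survived while
// nothing reached Object.prototype.
function demoSafe() {
  const settings = safeMerge({}, JSON.parse(PAYLOAD));
  const unrelated = {};
  return {
    displayName: settings.display_name,
    leaked: unrelated.isAdmin,                 // undefined: prototype untouched
    prototypeClean: !hasOwn(Object.prototype, 'isAdmin'),
  };
}

console.log('unsafe leaks isAdmin:', demoUnsafe());
console.log('safe result:', demoSafe());
```

Beyond filtering keys at the merge, defence in depth for this bug class includes building settings objects with `Object.create(null)` so there is no prototype to pollute, and calling `Object.freeze(Object.prototype)` early in the process where the application can tolerate it; neither is a substitute for upgrading to the fixed release.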
The EPSS score for this CVE is 0.5712, an estimated 57.1% probability of exploitation activity in the next 30 days, with no indicated change from an earlier baseline.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-15573
Vulnerability details
Prototype Pollution in GitHub repository mastodon/mastodon prior to 3.5.0.
- CWE(s): CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes, "Prototype Pollution")
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
- mastodon/mastodon prior to 3.5.0 (fixed in 3.5.0)
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.