Mastodon

mastodon.social
An open-source, distributed social media platform functioning similarly to Twitter, without algorithmic timeline manipulations. It operates across independent servers.

Open Source

Mastodon Privacy Policy

Privacy Policy Summary

  • The user is informed about security practices
  • The service can delete your account without prior notice
  • This service is only available to users of a certain age
  • The service provides two-factor authentication for your account
  • User logs are deleted after a finite period of time
  • You have the right to leave this service at any time
  • There is a date of the last update of the agreements
  • Your personal data is not sold
  • The service allows you to use pseudonyms
  • Private messages can be read
  • This service collects your IP address, which can be used to view your approximate location
  • The posting of untagged pornographic content is prohibited
  • This service offers a symbolic but nonbinding statement about a matter of opinion, ethics, society, or politics
  • You shall not interfere with another person's enjoyment of the service
  • You agree not to submit libelous, harassing or threatening content
  • Terms may be changed any time at their discretion, without notice to you
  • Details are provided about what kind of information they collect
  • This service gives your personal data to third parties involved in its operation
  • The publishing of personally identifiable information without the owner’s consent is not allowed
  • The service is open-source
  • You are prohibited from sending chain letters, junk mail, spam or any unsolicited messages
  • This service reserves the right to disclose your personal information without notifying you

Score

C

Documents

Domains Covered by Policy

  • mastodon.social
  • joinmastodon.org
  • mastodon.online
  • mastodon.cloud

About the Data

This data is kindly provided by tosdr.org. Read full report at: #639

Mastodon Source Code

Author

mastodon

Description

Your self-hosted, globally interconnected microblogging community

#activity-stream #activitypub #docker #fediverse #mastodon #microblog #social-network #social-web #webfinger

Homepage

https://joinmastodon.org

License

AGPL-3.0

Created

22 Feb 16

Last Updated

16 Jun 26

Latest version

v4.6.0-rc.2

Primary Language

Ruby

Size

390,139 KB

Stars

50,037

Forks

7,469

Watchers

50,037

Language Usage

Star History

Top Contributors

Recent Commits

  • diondiondion (16 Jun 26)

    Add category selection to collection report modal (#39456)

  • Claire (16 Jun 26)

    Fixes being unable to edit an attachment twice without submitting (#39453)

  • Claire (16 Jun 26)

    Fix styling of follow requests (#39452)

  • renovate[bot] (16 Jun 26)

    Update dependency @vitest/browser to v4.1.8 [SECURITY] (#39451) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Renaud Chaput <[email protected]>

  • renovate[bot] (16 Jun 26)

    Update crowdin/github-action digest to 52aa776 (#39424) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

  • renovate[bot] (16 Jun 26)

    Update github/codeql-action digest to 8aad20d (#39425) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

  • renovate[bot] (16 Jun 26)

    Update dependency postcss-preset-env to v11.3.1 (#39444) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

  • Matt Jankowski (16 Jun 26)

    Remove deprecated `bin/update` script (#39443)

  • renovate[bot] (16 Jun 26)

    Update dependency rubyzip to v3.4.0 (#39423) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

  • renovate[bot] (16 Jun 26)

    Update dependency shoulda-matchers to v8 (#39405) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

  • github-actions[bot] (16 Jun 26)

    New Crowdin Translations (automated) (#39449) Co-authored-by: GitHub Actions <[email protected]>

  • diondiondion (15 Jun 26)

    [Accessibility] Return alt text for default server thumbnail (#39439)

  • renovate[bot] (15 Jun 26)

    Update dependency react-easy-crop to v6 (#39371) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

  • Claire (15 Jun 26)

    Bump version to v4.7.0-alpha.1 (#39436)

  • Dmytro Oliinyk (15 Jun 26)

    Fix service worker failing to load due to 404 on chunk dependencies (#39433)

  • Coro (15 Jun 26)

    Fix bio text overflow on account profile page (#39418)

  • Nicholas La Roux (15 Jun 26)

    Add `devcontainer-lock.json` with Renovate update support (#39046)

  • diondiondion (15 Jun 26)

    Fix hovercard not showing in compose column (#39430)

  • Hanage999 (15 Jun 26)

    Fix categorised custom emojis missing from the emoji picker (#39421) Signed-off-by: Hanage999 <[email protected]>

  • diondiondion (15 Jun 26)

    Change `Page Up`/`Page Down` hotkeys to require `Alt` modifier key (#39427)

  • David Roetzel (15 Jun 26)

    Destroy dependent notifications of a collection (#39429)

  • renovate[bot] (15 Jun 26)

    Update dependency hiredis-client to v0.30.0 (#39392) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

  • renovate[bot] (15 Jun 26)

    Update dependency sass to v1.101.0 (#39411) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

  • renovate[bot] (15 Jun 26)

    Update dependency brakeman to v8.0.5 (#39414) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

  • renovate[bot] (15 Jun 26)

    Update unhead monorepo to v3.1.4 (#39417) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

  • Claire (15 Jun 26)

    Update dependency `net-imap` (#39426)

  • Claire (15 Jun 26)

    Remove cookie rotator (#38918) Co-authored-by: Matt Jankowski <[email protected]>

  • github-actions[bot] (15 Jun 26)

    New Crowdin Translations (automated) (#39415) Co-authored-by: GitHub Actions <[email protected]>

  • diondiondion (13 Jun 26)

    Prevent crash trying to access nullish location state (#39408)

  • Echo (12 Jun 26)

    Emoji: Add back to state (#39402)

Mastodon Security

Security Advisories (50)

  • high Patched CVSS 7.5

    CVE-2026-50129 DoS via unhandled NoMethodError in MATH_TRANSFORMER

  • medium Patched CVSS 5.3

    CVE-2026-50128 Spoofing of attribution domains

  • high Unpatched CVSS 7.5

    CVE-2026-47777 Consent-check bypass in remote Collections

  • high Patched CVSS 8.6

    CVE-2026-47389 SSRF protection bypass on older Ruby versions (incomplete remediation for GHSA-xfrj-c749-jxxq)

  • high Patched

    CVE-2026-46348 SSRF Bypass via IPv6 Unspecified Address (::)

  • medium Patched CVSS 5.3

    CVE-2026-46349 LD-Signature Bypass via JSON-LD Named-Graph Restructuring

  • high Patched

    CVE-2026-41259 Insufficient verification of email addresses

  • medium Patched CVSS 4.8

    CVE-2026-33869 Denial of service for quote authorization

  • medium Patched CVSS 4.3

    CVE-2026-33868 GET-Based Open Redirect via '/web/%2F<domain>'

  • high Unpatched

    CVE-2026-27468 Allowing unconfirmed FASP to make subscriptions

  • low Unpatched

    GHSA-46w6-g98f-wxqm SSRF via unvalidated FASP Provider base_url

  • medium Patched CVSS 6.5

    CVE-2026-25540 Signature-dependent ActivityPub collection responses cached under signature-independent keys

  • medium Patched CVSS 5.3

    CVE-2026-23961 Remote suspension bypass

  • medium Patched CVSS 6.5

    CVE-2026-23964 Insufficient access control to push notification settings

  • high Patched CVSS 7.5

    CVE-2026-23962 Denial of Service from a single post (client/server)

  • high Patched

    CVE-2026-22245 SSRF Protection bypass

  • medium Patched CVSS 6.5

    CVE-2026-22246 Local users can enumerate and access severed relationships of every other local user

  • low Patched CVSS 3.7

    CVE-2025-67500 Inconsistent error handling allows anonymously checking existence of known private posts

  • medium Patched CVSS 4.3

    CVE-2025-62605 Quotes control bypass

  • medium Patched CVSS 4.3

    CVE-2025-62176 Streaming server allows OAuth clients without the `read` scope to subscribe to public channels

  • low Patched CVSS 3.5

    CVE-2025-62174 Changing a user's password via CLI does not revoke sessions & access tokens

  • medium Patched CVSS 4.3

    CVE-2025-62175 Disabled and suspended user accounts stay connected to the streaming API and can connect afterwards

  • medium Unpatched CVSS 5.3

    CVE-2025-54879 Mastodon confirmation e‑mail throttle misconfiguration allows unlimited email confirmations against unconfirmed emails

  • low Patched

    GHSA-x2rc-v5wx-g3m5 Lack of sanitization of user-facing URLs for remote objects can lead to XSS in misconfigured servers

  • medium Unpatched CVSS 5.3

    CVE-2025-27157 Missing rate-limit on sign-up email verification

  • medium Unpatched CVSS 5.3

    CVE-2025-27399 Domain blocks & rationales ignore user approval when visibility set as "users"

  • low Patched

    GHSA-mq2m-hr29-8gqf OEmbed embeds allow <embed> tag (blocked by CSP)

  • medium Patched CVSS 4.3

    CVE-2026-23963 Missing length limits on list names, filter names, and filter keywords

  • medium Unpatched CVSS 5.3

    GHSA-5wxh-3p65-r4g6 Partial Denial of Service due to insufficient validation of remote actors

  • medium Unpatched CVSS 5.3

    GHSA-3m9q-ww7w-qc5j Subdomains allow spoofing of accounts in search results

  • high Unpatched CVSS 7.5

    GHSA-jpxp-r43f-rhvx Potential Polynomial regular expression used on uncontrolled data

  • medium Unpatched CVSS 5.3

    GHSA-58x8-3qxw-6hm7 Insufficient permission checking on multiple API endpoints

  • high Unpatched CVSS 8.2

    CVE-2024-37903 Improper authorship check on audience extension for existing posts

  • low Unpatched CVSS 2.6

    GHSA-vp5r-5pgw-jwqx Streaming continues to send events for a user after access token is revoked

  • low Unpatched

    GHSA-5fq7-3p3j-9vrf Private mention filtering can be bypassed

  • medium Patched CVSS 5.9

    GHSA-q3rg-xx5v-4mxh Missing rate-limit to password change endpoint

  • medium Patched CVSS 6.5

    CVE-2026-48028 Removal of integrity-protected JSON entries from signed activities

  • medium Patched CVSS 4.8

    CVE-2023-49952 Bypassing rate limiting with X-Forwarded-For header

  • high Patched CVSS 8.5

    CVE-2024-25623 Lack of media type verification of Activity Streams objects allows impersonation of remote accounts

  • critical Unpatched CVSS 9.4

    CVE-2024-23832 Remote user impersonation and takeover

  • low Unpatched CVSS 3.1

    CVE-2024-25619 Destroying OAuth Applications doesn't notify Streaming of Access Tokens being destroyed

  • medium Unpatched

    CVE-2024-25618 External OpenID Connect Account Takeover by E-Mail Change

  • high Unpatched CVSS 8.3

    CVE-2023-42452 Stored XSS through the translation feature

  • medium Patched CVSS 5.4

    CVE-2023-42450 Server-side request forgery

  • high Unpatched CVSS 7.7

    CVE-2023-42451 Invalid domain name normalization

  • medium Unpatched CVSS 5.4

    CVE-2023-36462 Verified profile links can be formatted in a misleading way

  • high Unpatched CVSS 7.5

    CVE-2023-36461 Denial of Service through slow HTTP responses

  • critical Unpatched CVSS 9.9

    CVE-2023-36460 Arbitrary file creation through media attachments

  • critical Unpatched CVSS 9.3

    CVE-2023-36459 XSS through oEmbed preview cards

  • high Unpatched CVSS 7.7

    CVE-2023-28853 Blind LDAP injection in login allows the attacker to leak arbitrary attributes from LDAP database

Mastodon Website

Website

Mastodon

The original server of Mastodon, operated by Mastodon GmbH for the common good.

Redirects

Does not redirect

Security Checks

All 65 security checks passed

Server Details

  • IP Address 151.101.1.55
  • Location San Francisco, California, United States of America, NA
  • ISP Fastly Inc.
  • ASN AS54113

Associated Countries

  • US

Safety Score

Website marked as safe

100%

Blacklist Check

mastodon.social was found on 0 blacklists

  • AntiSocial Blacklist
  • Artists Against 419
  • Badbitcoin
  • Bambenek Consulting
  • CERT Polska
  • CoinBlockerLists
  • CRDF
  • CryptoScamDB
  • EtherAddressLookup
  • EtherScamDB
  • Fake Website Buster
  • MetaMask EthPhishing
  • NABP Not Recommended Sites
  • OpenPhish
  • PetScams
  • PhishFeed
  • PhishFort
  • Phishing.Database
  • PhishStats
  • PhishTank
  • Phishunt
  • RPiList Not Serious
  • Scam.Directory
  • SecureReload Phishing List
  • Spam404
  • StopGunScams
  • Suspicious Hosting IP
  • ThreatFox
  • ThreatLog
  • TweetFeed
  • URLhaus
  • ViriBack C2 Tracker

Website Preview

Mastodon Docker

Container Info

mastodon

Mastodon is a free, open-source social network server based on ActivityPub where users can follow friends and discover new ones.

#Social

Run Command

docker run -d \
  

Compose File

version: 3.8

About the Data: Mastodon

API

You can access Mastodon's data programmatically via our API. Simply make a GET request to:

https://api.awesome-privacy.xyz/v1/services/mastodon

The REST API is free, no-auth and CORS-enabled. To learn more, view the API Docs or read the API Usage Guide.
