(This advisory describes an issue found by Cure53 as part of an audit performed at Mozilla's request)

When performing outgoing HTTP queries, Mastodon sets a timeout on individual read operations, but a malicious server can indefinitely extend the duration of the response through slowloris-type attacks.

Impact

This vulnerability can be used to keep all Mastodon workers busy for an extended duration of time, leading to the server becoming unresponsive.