I guess it’s even worse than I thought, because from what’s been deduced by others that reached out to me, it allows users to make impersonated posts (and probably more) of users on the same instance, as remotely observed from vulnerable software.
From the info I have, I tested if other projects were affected, and found other projects it applies to as well.
For the projects that I found affected (by what’s assumed to be the details of GHSA-jhrq-qvrm-qr36), I haven’t found anyone yet that got any heads-up or private message from the Mastodon team before (or even after) this abrupt security release; they just shoved it out without notice, or only told a few closely-knit projects.
This specific vulnerability was even warned about by one project, years ago, that has even had mitigations since 3-4 years ago. But evidently those warnings were buried to history.
I’ll keep quiet for a few days at least on the details.