This repository contains PoCs for Mastodon's CVE-2024-25623 and Misskey's CVE-2024-25636, a then-common vulnerability among ActivityPub implementations (which is now tracked by the ActivityPub specification at w3c/activitypub#432).
The PoCs' instructions assume that you know the outline of the vulnerability. See the linked reports of the vulnerabilities for the outline. Mastodon's vulnerability is somewhat limited in its exploitability, so I recommend reading Misskey's one.