PT-2024-2574 · Mastodon · Mastodon
Thisismissem · Published 2024-02-14 · Updated 2024-12-18
CVE-2024-25619
CVSS v3.1: 4.3 (Medium) · Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
- Mastodon versions prior to 3.5.18
- Mastodon versions prior to 4.0.14
- Mastodon versions prior to 4.1.14
- Mastodon versions prior to 4.2.6
Description
The issue stems from incorrect handling of access tokens when an OAuth application is destroyed. An application could keep receiving streaming updates after it had been destroyed, which may pose security risks to users. The root cause is the dependent: :delete_all configuration used by Doorkeeper for the application's access tokens: delete_all removes the rows in bulk without instantiating the records, so the after_commit callback on the tokens never fires and the streaming server is never told that the access tokens have been destroyed. The impact is considered negligible because the affected application had to be owned by the user.
Recommendations
- For Mastodon versions prior to 3.5.18, upgrade to version 3.5.18 or later.
- For Mastodon versions prior to 4.0.14, upgrade to version 4.0.14 or later.
- For Mastodon versions prior to 4.1.14, upgrade to version 4.1.14 or later.
- For Mastodon versions prior to 4.2.6, upgrade to version 4.2.6 or later.
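As an added illustration (not code from Mastodon or Doorkeeper), the following Ruby model reproduces the mechanism in the description: bulk deletion in the style of dependent: :delete_all skips per-record callbacks, so a streaming subscription outlives its token, while per-record destruction lets the callback revoke it. The class and method names and the destroy-based hardened path are assumptions for illustration, not the project's actual fix.

```ruby
require 'set'
# Constructed model, not Mastodon or Doorkeeper code. A Set stands in for the
# streaming server's table of live subscriptions.
class AccessToken
  def initialize(value, streaming)
    @value, @streaming = value, streaming
    @streaming.add(value) # a freshly issued token is subscribed
  end

  # Plays the role of the after_commit-on-destroy callback: it runs only when
  # the record is destroyed individually, never on a bulk delete.
  def destroy
    @streaming.delete(@value)
  end
end

class OAuthApplication
  def initialize(streaming)
    @streaming = streaming
    @tokens = []
  end

  def issue_token(value)
    @tokens << AccessToken.new(value, @streaming)
  end

  # dependent: :delete_all semantics: one bulk delete, no per-record callbacks,
  # so streaming keeps serving the dead tokens (the vulnerable path).
  def destroy_with_delete_all
    @tokens.clear
  end

  # dependent: :destroy semantics: each token's destroy runs and the callback
  # revokes the subscription (assumed hardened path, not the project's patch).
  def destroy_with_destroy
    @tokens.each(&:destroy)
    @tokens.clear
  end
end

# Token values the streaming server still treats as live after the application
# is removed with the given strategy (constructed sample tokens).
def leftover_subscriptions(strategy)
  streaming = Set.new
  app = OAuthApplication.new(streaming)
  app.issue_token('tok-A')
  app.issue_token('tok-B')
  app.public_send(strategy)
  streaming.to_a.sort
end
```

Auditing the streaming server's live subscriptions against the token table after an application is removed is the check that surfaces this class of bug.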

Weakness Enumeration
Insufficient Session Expiration

Related Identifiers

BDU:2024-02629
BIT-MASTODON-2024-25619
CVE-2024-25619
GHSA-7W3C-P9J8-MQ3X

Affected Products

Mastodon