PT-2025-41807 · Mastodon · Mastodon
Thisismissem · Published 2025-10-13 · Updated 2025-10-20 · CVE-2025-62174
CVSS v3.1: 3.5 (Low)
| Vector | AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Mastodon versions prior to 4.2.27
Mastodon versions prior to 4.3.14
Mastodon versions prior to 4.4.6
Description
Mastodon is a free, open-source social network server based on ActivityPub. When an administrator resets a user account's password from the command-line interface with bin/tootctl accounts modify --reset-password, the account's active sessions and access tokens are not revoked. An attacker who had previously compromised a session or token can therefore keep using the account even after its password has been reset.
Recommendations
Update to Mastodon version 4.2.27 or later.
Update to Mastodon version 4.3.14 or later.
Update to Mastodon version 4.4.6 or later.
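The defect described above, as an added illustration that is not Mastodon's code: a minimal in-memory account model where `reset_password_unsafe` changes the credential but leaves issued sessions and tokens valid, and `reset_password` shows the expected behaviour of revoking them. All class and method names are assumptions for the demo.

```ruby
# Added illustration, not Mastodon's code: models the defect described above.
# An in-memory account holds a password hash plus the sessions and access
# tokens issued to it. reset_password_unsafe mirrors the reported behaviour
# (credential changes, old sessions/tokens stay valid); reset_password
# shows the expected fix (revoke everything issued under the old password).
require "digest"
require "securerandom"
Session = Struct.new(:id, :revoked)
AccessToken = Struct.new(:token, :revoked_at)
class Account
  attr_reader :sessions, :tokens

  def initialize(password)
    @password_hash = digest(password)
    @sessions = []
    @tokens = []
  end
  # Successful login issues a browser session and an API access token.
  def login(password)
    raise "bad password" unless digest(password) == @password_hash
    s = Session.new(SecureRandom.hex(8), false)
    t = AccessToken.new(SecureRandom.hex(16), nil)
    @sessions << s
    @tokens << t
    [s, t]
  end
  # A request is authorized if it presents a live session id or token.
  def authorized?(credential)
    @sessions.any? { |s| s.id == credential && !s.revoked } ||
      @tokens.any? { |t| t.token == credential && t.revoked_at.nil? }
  end
  # Defect as reported: only the password changes.
  def reset_password_unsafe(new_password)
    @password_hash = digest(new_password)
  end
  # Fix: a credential reset also invalidates every session and token.
  def reset_password(new_password)
    @password_hash = digest(new_password)
    @sessions.each { |s| s.revoked = true }
    @tokens.each { |t| t.revoked_at = Time.now }
  end

  private

  # Placeholder hash for the demo only; real systems use bcrypt or argon2.
  def digest(password)
    Digest::SHA256.hexdigest(password)
  end
end
```

Administrators can use the same distinction as an acceptance check after upgrading: a credential previously issued to the account must stop working once the reset command has run.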
Exploit
Fix
Weakness Enumeration
Insufficient Session Expiration
Related Identifiers
Affected Products
Mastodon