PT-2025-41808 · Mastodon · Mastodon
Thisismissem
·
Published
2025-10-13
·
Updated
2025-10-20
·
CVE-2025-62175
CVSS v3.1
4.3
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Mastodon versions prior to 4.4.6
Mastodon versions prior to 4.3.14
Mastodon versions prior to 4.2.27
Description
Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.4.6, 4.3.14, and 4.2.27, disabling or suspending a user account does not disconnect the account from the streaming API. This allows disabled or suspended accounts to continue receiving real-time updates through existing streaming connections and to establish new streaming connections, despite being unable to interact with other API endpoints. This behavior undermines moderation actions, as administrators expect disabled or suspended accounts to be fully disconnected from the service.
Recommendations
Update Mastodon to version 4.4.6 or later.
Update Mastodon to version 4.3.14 or later.
Update Mastodon to version 4.2.27 or later.
Exploit
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Mastodon