PT-2025-41809 · Mastodon
Thisismissem · Published 2025-10-13 · Updated 2025-10-20
CVE-2025-62176 · CVSS v3.1 4.3 (Medium)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
|---|---|
Name of the Vulnerable Software and Affected Versions
Mastodon versions prior to 4.2.27
Mastodon versions prior to 4.3.14
Mastodon versions prior to 4.4.6
Description
Mastodon is a free, open-source social network server based on ActivityPub. The streaming server incorrectly handles authentication tokens: it accepts subscriptions to public timelines from clients whose tokens are valid but lack the required read:statuses scope. This allows OAuth clients without the necessary permission to subscribe to public channels and receive public timeline events. The impact is limited to new public posts and requires a valid token, but it may result in unintended access to public posts in limited-federation environments.
Recommendations
Update Mastodon to version 4.2.27 or later.
Update Mastodon to version 4.3.14 or later.
Update Mastodon to version 4.4.6 or later.
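To show the class of check the fix restores, here is an added example in JavaScript (not Mastodon's streaming-server code): a minimal model of the subscription decision, with the vulnerable shape (token validity alone admits a client to public channels) beside the hardened one (read:statuses required for every channel). The channel names, the token shape and the assumption that the parent `read` scope implies `read:statuses` are mine; only the scope name comes from the advisory.

```javascript
// Added example, not Mastodon's code: a minimal model of the authorization
// decision a streaming server makes before subscribing a client to a channel.
// Channel names, token shape and scope grammar are assumptions; only the
// scope name read:statuses is taken from the advisory.

// Channels that deliver public posts; all of them need read:statuses.
const PUBLIC_CHANNELS = new Set(['public', 'public:local', 'public:remote']);

// Does one granted scope cover the required one? The parent scope 'read' is
// assumed to imply every 'read:*' sub-scope; 'write:*' never covers 'read:*'.
function scopeCovers(granted, required) {
  if (granted === required) return true;
  const [parent] = required.split(':');
  return granted === parent;
}

// Token scopes are a space-separated string, as in an OAuth access token.
function hasScope(token, required) {
  return token.scopes.split(' ').some((s) => scopeCovers(s, required));
}

// Vulnerable shape: a valid token is enough to subscribe to a public channel,
// so a client granted only read:follows still receives public posts.
function canSubscribeVulnerable(token, channel) {
  if (!token || !token.valid) return false;
  if (PUBLIC_CHANNELS.has(channel)) return true; // scope never consulted
  return false;
}

// Hardened shape: public channels are gated by the scope the API requires
// for reading statuses; unknown channels are denied.
function canSubscribeFixed(token, channel) {
  if (!token || !token.valid) return false;
  if (!PUBLIC_CHANNELS.has(channel)) return false;
  return hasScope(token, 'read:statuses');
}

// Constructed sample tokens.
const followOnly = { valid: true, scopes: 'read:follows write:follows' };
const readStatuses = { valid: true, scopes: 'read:statuses' };
const fullRead = { valid: true, scopes: 'read' };

console.log('follow-only token, vulnerable:', canSubscribeVulnerable(followOnly, 'public'));
console.log('follow-only token, fixed:     ', canSubscribeFixed(followOnly, 'public'));
```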
Affected Products
Mastodon