CVE-2025-62174
BaseFortify
Publication date: 2025-10-13
Last updated on: 2025-10-20
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| joinmastodon | mastodon | to 4.2.27 (exc) |
| joinmastodon | mastodon | From 4.3.0 (inc) to 4.3.14 (exc) |
| joinmastodon | mastodon | From 4.4.0 (inc) to 4.4.6 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-613 | According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization." |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability occurs in Mastodon versions before 4.4.6, 4.3.14, and 4.2.27, where when an administrator resets a user's password via the command-line interface, the active sessions and access tokens for that user are not revoked. This means that an attacker who has access to a previously compromised session or token can continue to use the account even after the password has been reset.
How can this vulnerability impact me? :
The vulnerability allows an attacker with access to a previously compromised session or access token to maintain unauthorized access to a user's account even after the password has been reset by an administrator. This can lead to continued unauthorized use of the account, potentially compromising user data or actions performed under that account.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Mastodon to version 4.4.6, 4.3.14, or 4.2.27 or later, where the issue has been patched. There are no known workarounds.