CVE-2025-62175
BaseFortify
Publication date: 2025-10-13
Last updated on: 2025-10-20
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| joinmastodon | mastodon | Up to 4.2.27 (exc) |
| joinmastodon | mastodon | From 4.3.0 (inc) to 4.3.14 (exc) |
| joinmastodon | mastodon | From 4.4.0 (inc) to 4.4.6 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-274 | The product does not handle or incorrectly handles when it has insufficient privileges to perform an operation, leading to resultant weaknesses. |
| CWE-273 | The product attempts to drop privileges but does not check or incorrectly checks to see if the drop succeeded. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Mastodon versions before 4.4.6, 4.3.14, and 4.2.27 allows disabled or suspended user accounts to remain connected to the streaming API. Even though these accounts cannot interact with other API endpoints, they can still receive real-time updates and establish new streaming connections. This behavior undermines moderation efforts because administrators expect disabled or suspended accounts to be fully disconnected from the service.
How can this vulnerability impact me?
Disabled or suspended accounts on an affected instance can keep receiving real-time updates and open new streaming connections even though every other API endpoint refuses them. This weakens moderation controls: a user whose account was restricted can continue to observe activity on the instance, bypassing the intended restriction and undermining the integrity and management of the social network.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Mastodon to version 4.4.6, 4.3.14, or 4.2.27 (or a later release in the same series), as these versions contain the patch that fixes the issue. No known workarounds exist.