CVE-2025-62176
BaseFortify
Publication date: 2025-10-13
Last updated on: 2025-10-20
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| joinmastodon | mastodon | Up to 4.2.27 (exc) |
| joinmastodon | mastodon | From 4.3.0 (inc) to 4.3.14 (exc) |
| joinmastodon | mastodon | From 4.4.0 (inc) to 4.4.6 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-280 | The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the product in an invalid state. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Mastodon before versions 4.4.6, 4.3.14, and 4.2.27 allows the streaming server to serve events for public timelines to clients using any valid authentication token, even if those tokens do not have the read:statuses scope. This means OAuth clients without the proper read permissions can still subscribe to public channels and receive public timeline events, potentially leading to unexpected access to public posts in limited-federation settings.
How can this vulnerability impact me?
The impact is limited because it only affects new public posts published on the public timelines and requires an otherwise valid authentication token. However, it may lead to unexpected access to public posts by OAuth clients that should not have read permissions, which could expose information in a limited-federation environment.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Mastodon to version 4.4.6, 4.3.14, or 4.2.27 or later, as these versions contain the patch that fixes this vulnerability. No known workarounds exist.
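The authorization flaw described above, as an added illustration that is not Mastodon's own streaming-server code: a simplified model of the decision made when a client subscribes to a public channel, with the flawed check (any valid token is enough) beside the hardened one (public channels also require the read:statuses scope). Token records, channel names and the assumption that the broad read scope contains read:statuses are constructed for this example.

```javascript
// Constructed sample tokens (not real Mastodon data). All but one are valid;
// only some carry read access.
const tokens = {
  'tok-full':   { valid: true,  scopes: ['read', 'write'] },   // broad read
  'tok-status': { valid: true,  scopes: ['read:statuses'] },   // narrow read
  'tok-push':   { valid: true,  scopes: ['push'] },            // valid, no read access
  'tok-dead':   { valid: false, scopes: ['read'] },            // revoked/expired
};

// Constructed list of public timeline channels for this model.
const PUBLIC_CHANNELS = new Set([
  'public', 'public:local', 'public:remote', 'hashtag', 'hashtag:local',
]);

// Assumption for this example: the broad 'read' scope includes 'read:statuses'.
function grantsReadStatuses(scopes) {
  return scopes.includes('read') || scopes.includes('read:statuses');
}

// Flawed check, modelling the behaviour the advisory describes: token validity
// is verified, but the token's scopes are never consulted for public channels.
function canSubscribeVulnerable(tokenId, channel) {
  const token = tokens[tokenId];
  return Boolean(token && token.valid);
}

// Hardened check: a valid token must also carry read:statuses (directly or via
// the broad read scope) before it may subscribe to a public channel.
function canSubscribeFixed(tokenId, channel) {
  const token = tokens[tokenId];
  if (!token || !token.valid) return false;
  if (PUBLIC_CHANNELS.has(channel)) return grantsReadStatuses(token.scopes);
  // Channels outside this example's scope are denied by default.
  return false;
}

// Demonstration: a push-only token passes the flawed check but not the fixed one.
console.log(canSubscribeVulnerable('tok-push', 'public')); // true
console.log(canSubscribeFixed('tok-push', 'public'));      // false
```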