CVE-2025-62605
BaseFortify
Publication date: 2025-10-21
Last updated on: 2025-12-12
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| joinmastodon | mastodon | From 4.4.0 (inc) to 4.4.8 (exc) |
| joinmastodon | mastodon | 4.5.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-754 | The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Mastodon 4.4.0 up to but not including 4.4.8, and 4.5.0 pre-releases before 4.5.0-beta.2. It lets an attacker bypass a post author's quote controls by reblogging the post and then quoting their own reblog. Mastodon stores a reblog as a status in its own right and applied no special handling when one was quoted, so the quote permission check is evaluated against the attacker's own reblog, which they are always allowed to quote, while the rendered preview shows the original post that the attacker was not authorized to quote. This is the CWE-754 weakness listed above: a reblog is an input the quote-permission check did not account for.
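The following Ruby model is an added illustration of the logic flaw described above; it is not Mastodon's own code or the project's actual fix. The `Status` struct, the policy names (`:public`, `:followers`, `:nobody`), the `followers_of` map and the helper functions are all constructed here. It shows the vulnerable check, which evaluates the policy of whatever record it is handed, next to one way of hardening it, which resolves a reblog to its original post so that the permission check and the preview refer to the same post.

```ruby
# Added illustration for CVE-2025-62605, not Mastodon's own code: a simplified
# model of quote-policy checking showing why quoting a reblog bypasses the check
# and how resolving the reblog to its original post closes the gap. The Status
# struct, the policy names and the helper functions are all constructed here.

# A status is either an original post or a reblog of another status.
# quote_policy is the author's setting for who may quote the post
# (:public, :followers, :nobody); reblog_of is nil for original posts.
Status = Struct.new(:id, :account, :quote_policy, :reblog_of, keyword_init: true) do
  def reblog?
    !reblog_of.nil?
  end

  # The post whose content a quote preview actually renders: walk reblog
  # chains down to the underlying original.
  def original
    reblog? ? reblog_of.original : self
  end
end

# Policy check for a single status record. Authors may always quote their
# own posts, which is exactly the property a reblog lets an attacker abuse.
def quote_policy_permits?(status, quoter, followers_of)
  return true if status.account == quoter

  case status.quote_policy
  when :public    then true
  when :followers then followers_of.fetch(status.account, []).include?(quoter)
  else false
  end
end

# Vulnerable behaviour: the record handed in is checked as-is, so a reblog
# owned by the quoter passes even when the original forbids quoting.
def quote_allowed_vulnerable?(status, quoter, followers_of)
  quote_policy_permits?(status, quoter, followers_of)
end

# Hardened behaviour (one way to fix it, assumed here): resolve the target to
# the original post before consulting the policy, so the check and the preview
# refer to the same post.
def quote_allowed_fixed?(status, quoter, followers_of)
  quote_policy_permits?(status.original, quoter, followers_of)
end

# Walk through the attack: alice forbids quoting, mallory reblogs and then
# quotes the reblog. Returns the outcome of each check for inspection.
def cve_2025_62605_scenario
  alice   = 'alice'
  mallory = 'mallory'
  original = Status.new(id: 1, account: alice, quote_policy: :nobody, reblog_of: nil)
  reblog   = Status.new(id: 2, account: mallory, quote_policy: :public, reblog_of: original)
  followers_of = { alice => [] } # constructed sample: mallory does not follow alice

  {
    quote_original_vulnerable: quote_allowed_vulnerable?(original, mallory, followers_of),
    quote_reblog_vulnerable:   quote_allowed_vulnerable?(reblog, mallory, followers_of),
    quote_reblog_fixed:        quote_allowed_fixed?(reblog, mallory, followers_of),
    preview_shows_original:    reblog.original.equal?(original)
  }
end

if __FILE__ == $PROGRAM_NAME
  cve_2025_62605_scenario.each { |check, result| puts "#{check}: #{result}" }
end
```

The scenario returns `quote_reblog_vulnerable: true` while `quote_original_vulnerable: false`, and `preview_shows_original: true` confirms that the preview rendered for the quoted reblog is the post alice marked as not quotable. The hardened check returns `false` for the same reblog. The key design point is that whichever record the preview resolves to must be the record the permission check is run against.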
How can this vulnerability impact me?
An attacker exploiting this vulnerability can publish a quote post that previews a post whose author has restricted who may quote it, so the author's quote controls are not enforced. Because the attacker must already be able to see the post in order to reblog it, the issue is a bypass of the author's quote policy rather than disclosure of content hidden from the attacker; the practical impact is that posts can be quoted and re-contextualized against the author's explicit wishes within the Mastodon network.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Mastodon to version 4.4.8 or later on the 4.4 line, or to 4.5.0-beta.2 or later on the 4.5 pre-release line; these releases contain the fix for the quote control bypass. To confirm which version an instance runs, check the admin dashboard or the `version` field returned by the instance's `/api/v1/instance` endpoint.