CVE-2025-67500
BaseFortify
Publication date: 2025-12-10
Last updated on: 2025-12-10
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mastodon | mastodon | 4.5.0-beta.1 |
| mastodon | mastodon | 4.3.14 |
| mastodon | mastodon | 4.4.0-beta.1 |
| mastodon | mastodon | 4.3.0-beta.1 |
| mastodon | mastodon | 4.4.9 |
| mastodon | mastodon | 4.5.2 |
| mastodon | mastodon | 4.2.27 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-204 | The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an attacker to confirm the existence of a private status without permission, which could be considered a minor information disclosure. While it does not expose the content or other details of the status, the ability to verify the existence of private data may have implications for privacy compliance under standards like GDPR or HIPAA, which require protection of personal and sensitive information. However, the impact is limited since no content is revealed, and the CVSS score is low. Organizations using affected versions should consider this when assessing their compliance risk and apply the available patches to mitigate it. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by sending HTTP requests to the Mastodon server with a non-English Accept-Language header targeting known status identifiers and observing whether the server response reveals the existence of the status. For example, you can use a curl command such as `curl -H "Accept-Language: fr" https://mastodon.example/api/v1/statuses/{status_id}` and compare the response for an existing status with the response for a non-existing one. A 404 response indicates non-existence, while other responses may confirm existence. This method leverages the error-handling discrepancy described in the vulnerability. [2]
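As an added example (not part of this record or of Mastodon's own tooling), the defender-side counterpart of the probe above: a scan over access-log lines that flags clients issuing many `/api/v1/statuses/<id>` lookups with a non-English Accept-Language header, which is the traffic pattern an enumeration of private status ids would leave behind. The log lines are constructed, and the format assumes the Accept-Language request header has been appended as a final quoted field to a combined-format access log.

```python
import re
from collections import defaultdict

# Constructed sample access log (not real traffic): combined log format with the
# Accept-Language request header appended as the last quoted field.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2025:12:00:01 +0000] "GET /api/v1/statuses/113000000000000001 HTTP/1.1" 404 52 "-" "curl/8.4" "fr"
203.0.113.7 - - [10/Dec/2025:12:00:02 +0000] "GET /api/v1/statuses/113000000000000002 HTTP/1.1" 200 812 "-" "curl/8.4" "fr"
203.0.113.7 - - [10/Dec/2025:12:00:03 +0000] "GET /api/v1/statuses/113000000000000003 HTTP/1.1" 404 52 "-" "curl/8.4" "de"
203.0.113.7 - - [10/Dec/2025:12:00:04 +0000] "GET /api/v1/statuses/113000000000000004 HTTP/1.1" 404 52 "-" "curl/8.4" "fr"
198.51.100.9 - - [10/Dec/2025:12:00:05 +0000] "GET /api/v1/statuses/113000000000000002 HTTP/1.1" 200 812 "-" "Mozilla/5.0" "en-US,en;q=0.9"
198.51.100.9 - - [10/Dec/2025:12:00:06 +0000] "GET /api/v1/timelines/home HTTP/1.1" 200 4120 "-" "Mozilla/5.0" "en-US,en;q=0.9"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "[^"]*" "(?P<lang>[^"]*)"$'
)
STATUS_PATH_RE = re.compile(r"^/api/v1/statuses/(?P<id>\d+)$")


def primary_language(accept_language):
    """Primary language subtag of an Accept-Language value ('fr' for 'fr-CA,fr;q=0.8')."""
    first = accept_language.split(",")[0].split(";")[0].strip()
    return first.split("-")[0].lower()


def find_status_probes(log_text, min_distinct_ids=3):
    """Group GET /api/v1/statuses/<id> lookups that carry a non-English Accept-Language
    header by client IP and return the clients that touched at least min_distinct_ids
    distinct status ids, with their 404 and non-404 response counts."""
    per_ip = defaultdict(lambda: {"ids": set(), "not_found": 0, "other": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        p = STATUS_PATH_RE.match(m["path"])
        if not p or primary_language(m["lang"]) in ("en", "", "*"):
            continue  # ordinary traffic or an English/unspecified locale: not the pattern
        rec = per_ip[m["ip"]]
        rec["ids"].add(p["id"])
        if m["status"] == "404":
            rec["not_found"] += 1
        else:
            rec["other"] += 1
    return {ip: r for ip, r in per_ip.items() if len(r["ids"]) >= min_distinct_ids}
```

A high count of distinct ids with a mostly-404 mix from one client is the signal to investigate; a single lookup with a French locale is normal for a French-speaking user.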
Can you explain this vulnerability to me?
This vulnerability in Mastodon involves discrepancies in error handling that allow an attacker to check whether a specific status exists by sending a request with a non-English Accept-Language header. Although the attacker cannot see the content or other properties of the status, they can confirm its existence if they know the identifier. This issue affects certain versions of Mastodon and is fixed in later versions.
How can this vulnerability impact me?
The impact of this vulnerability is that an attacker can confirm the existence of specific statuses on a Mastodon server even if they are not authorized to view them. While the attacker cannot access the content or other details of the status, this information disclosure could potentially be used to infer user activity or presence of certain posts.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade Mastodon to one of the fixed versions: 4.2.28, 4.3.15, 4.4.10, or 4.5.3.