CVE-2025-67500
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-10

Last updated on: 2025-12-10

Assigner: GitHub, Inc.

Description
Mastodon is a free, open-source social network server based on ActivityPub. Versions 4.2.27 and prior, 4.3.0-beta.1 through 4.3.14, 4.4.0-beta.1 through 4.4.9, 4.5.0-beta.1 through 4.5.2 have discrepancies in error handling which allow checking whether a given status exists by sending a request with a non-English Accept-Language header. Using this behavior, an attacker who knows the identifier of a particular status they are not allowed to see can confirm whether this status exists or not. This cannot be used to learn the contents of the status or any other property besides its existence. This issue is fixed in versions 4.2.28, 4.3.15, 4.4.10 and 4.5.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-10
Last Modified
2025-12-10
Generated
2026-06-16
AI Q&A
2025-12-10
EPSS Evaluated
2026-06-15
NVD
CVE-2025-67500
Affected Vendors & Products
Showing 7 associated CPEs
Vendor Product Version / Range
mastodon mastodon 4.5.0-beta.1
mastodon mastodon 4.3.14
mastodon mastodon 4.4.0-beta.1
mastodon mastodon 4.3.0-beta.1
mastodon mastodon 4.4.9
mastodon mastodon 4.5.2
mastodon mastodon 4.2.27
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-204 The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in Mastodon involves discrepancies in error handling that allow an attacker to check whether a specific status exists by sending a request with a non-English Accept-Language header. Although the attacker cannot see the content or other properties of the status, they can confirm its existence if they know the identifier. This issue affects certain versions of Mastodon and is fixed in later versions.

Impact Analysis

The impact of this vulnerability is that an attacker can confirm the existence of specific statuses on a Mastodon server even if they are not authorized to view them. While the attacker cannot access the content or other details of the status, this information disclosure could potentially be used to infer user activity or presence of certain posts.

Mitigation Strategies

To mitigate this vulnerability, upgrade Mastodon to one of the fixed versions: 4.2.28, 4.3.15, 4.4.10, or 4.5.3.

Compliance Impact

This vulnerability allows an attacker to confirm the existence of a private status without permission, which could be considered a minor information disclosure. While it does not expose the content or other details of the status, the ability to verify the existence of private data may have implications for privacy compliance under standards like GDPR or HIPAA, which require protection of personal and sensitive information. However, the impact is limited since no content is revealed, and the CVSS score is low. Organizations using affected versions should consider this when assessing their compliance risk and apply the available patches to mitigate it. [2]

Detection Guidance

This vulnerability can be detected by sending HTTP requests to the Mastodon server with a non-English Accept-Language header targeting known status identifiers to observe if the server response indicates the existence of the status. For example, you can use curl commands like: curl -H "Accept-Language: fr" https://mastodon.example/api/v1/statuses/{status_id} and check if the response differs for existing versus non-existing statuses. A 404 response indicates non-existence, while other responses may confirm existence. This method leverages the error handling discrepancy described in the vulnerability. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-67500. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart