
Description

Mastodon is a free, open-source social network server based on ActivityPub. In versions before 4.4.6, 4.3.14, and 4.2.27, disabling or suspending a user account does not disconnect the account from the streaming API. This allows disabled or suspended accounts to continue receiving real-time updates through existing streaming connections and to establish new streaming connections, even though they cannot interact with other API endpoints. This undermines moderation actions, as administrators expect disabled or suspended accounts to be fully disconnected from the service. This issue has been patched in versions 4.4.6, 4.3.14, and 4.2.27. No known workarounds exist.
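The failure mode above has two halves: a status check that runs only when a streaming connection is first authorized (so an account suspended afterwards keeps its live connection), and an authorization path that consults the token but not the account's disabled/suspended state (so a suspended account can open new connections). The following JavaScript is an added illustration of both checks and is not Mastodon's code nor the logic of the referenced fix commit; the account records, tokens, connection registry and event payloads are constructed for the example.

```javascript
// Added example (not Mastodon's code): a minimal streaming-connection
// registry that (1) refuses new stream connections for disabled or
// suspended accounts and (2) closes live connections when a moderation
// action lands. All data below is constructed for the example.

const accounts = new Map([
  [1, { id: 1, username: 'alice', disabled: false, suspendedAt: null }],
  [2, { id: 2, username: 'bob', disabled: false, suspendedAt: null }],
]);

// access token -> account id (hypothetical token store)
const tokens = new Map([
  ['tok-alice', 1],
  ['tok-bob', 2],
]);

// account id -> Set of live StreamConnection objects
const liveStreams = new Map();

function isAccountActive(account) {
  return Boolean(account) && !account.disabled && account.suspendedAt === null;
}

// Vulnerable pattern: a valid token is enough, account status is ignored.
function authorizeStreamVulnerable(token) {
  const accountId = tokens.get(token);
  if (accountId === undefined) return { ok: false, reason: 'invalid token' };
  return { ok: true, accountId };
}

// Hardened: the account's moderation state is checked at connection time.
function authorizeStream(token) {
  const accountId = tokens.get(token);
  if (accountId === undefined) return { ok: false, reason: 'invalid token' };
  if (!isAccountActive(accounts.get(accountId))) {
    return { ok: false, reason: 'account disabled or suspended' };
  }
  return { ok: true, accountId };
}

class StreamConnection {
  constructor(accountId) {
    this.accountId = accountId;
    this.closed = false;
    this.closeReason = null;
    this.received = [];
  }
  send(event) { if (!this.closed) this.received.push(event); }
  close(reason) { this.closed = true; this.closeReason = reason; }
}

// Opens a stream if authorization passes and registers it for later teardown.
function openStream(token, authorize = authorizeStream) {
  const auth = authorize(token);
  if (!auth.ok) return null;
  const conn = new StreamConnection(auth.accountId);
  if (!liveStreams.has(auth.accountId)) liveStreams.set(auth.accountId, new Set());
  liveStreams.get(auth.accountId).add(conn);
  return conn;
}

// Moderation action: mark the account suspended AND terminate every live
// stream it owns. Returns the number of connections closed.
function suspendAccount(accountId, now = new Date()) {
  const account = accounts.get(accountId);
  if (!account) return 0;
  account.suspendedAt = now;
  const conns = liveStreams.get(accountId) || new Set();
  for (const conn of conns) conn.close('account suspended');
  liveStreams.delete(accountId);
  return conns.size;
}

// Fan an event out to every registered live stream.
function broadcast(event) {
  for (const conns of liveStreams.values()) {
    for (const conn of conns) conn.send(event);
  }
}

// Walks through the scenario in the advisory and returns the observations.
function demo() {
  const aliceStream = openStream('tok-alice');   // accepted: alice is active
  const bobStream = openStream('tok-bob');
  broadcast({ type: 'update', id: 'status-1' }); // both receive this
  const closedCount = suspendAccount(1);         // moderation action on alice
  broadcast({ type: 'update', id: 'status-2' }); // alice's old stream is closed
  const reconnect = openStream('tok-alice');     // hardened path refuses
  const leaky = openStream('tok-alice', authorizeStreamVulnerable); // bug: accepted
  broadcast({ type: 'update', id: 'status-3' }); // leaky stream still receives
  return {
    closedCount,
    aliceReceived: aliceStream.received.length,
    bobReceived: bobStream.received.length,
    reconnectRefused: reconnect === null,
    leakyReceived: leaky.received.length,
  };
}

module.exports = { authorizeStream, authorizeStreamVulnerable, openStream, suspendAccount, broadcast, demo };
```

Both halves are needed: checking status only at connect time leaves existing connections alive, and closing connections without re-checking at connect time lets the account simply reconnect. In a real deployment the teardown would be driven from the moderation action through whatever channel the streaming process already subscribes to, rather than by an in-process map as here.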

State: PUBLISHED | Reserved 2025-10-07 | Published 2025-10-13 | Updated 2025-10-14 | Assigner GitHub_M

Severity: MEDIUM, base score 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Problem types

CWE-273: Improper Check for Dropped Privileges

CWE-274: Improper Handling of Insufficient Privileges

Product status

Affected: >= 4.4.0-beta.1, < 4.4.6
Affected: >= 4.3.0-beta.1, < 4.3.14
Affected: < 4.2.27

References

github.com/...stodon/security/advisories/GHSA-r2fh-jr9c-9pxh

github.com/...ommit/2971ac9863b91372e68ac152caf6f4dbff511d17

cve.org (CVE-2025-62175)

nvd.nist.gov (CVE-2025-62175)
