Information Disclosure Vulnerability in Mastodon Open-Source Social Network
CVE-2025-62176
What is CVE-2025-62176?
Mastodon, the free open-source social networking server based on ActivityPub, has a vulnerability that allows clients to access public timeline events they were not authorized to read. Prior to patch versions 4.4.6, 4.3.14, and 4.2.27, the streaming server accepted subscription requests that carried a valid OAuth access token but lacked the 'read:statuses' scope: it verified that the token was valid without verifying that the token's scopes covered the requested channel. A client holding such a token could therefore subscribe to public channels and receive events for new public posts. Although the impact is largely limited to the public timeline, and is mainly relevant to limited-federation deployments where that timeline is not meant to be broadly visible, the issue is a missing authorization check and affected instances should upgrade to a patched version.
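The defect described above is a missing scope check on streaming subscriptions. The following is an added illustration written for this page, not Mastodon's own streaming-server code: it contrasts a check that only confirms the token is valid with one that also requires the scope a channel needs. The channel list, the token object shape ({ valid, scopes }) and the rule that the umbrella 'read' scope implies every 'read:*' sub-scope are assumptions made for the example.

```javascript
// Added example, not Mastodon's code. Scope enforcement for streaming channel
// subscriptions, showing the weak (authentication-only) check next to the
// hardened (authentication + scope) check.

// Assumed mapping from streaming channel to the scope it requires.
const CHANNEL_REQUIRED_SCOPE = {
  'public': 'read:statuses',
  'public:local': 'read:statuses',
  'hashtag': 'read:statuses',
  'user': 'read:statuses',
  'user:notification': 'read:notifications',
};

// Turn the space-separated OAuth scope string into a Set of scope names.
function parseScopes(scopeString) {
  return new Set((scopeString || '').split(/\s+/).filter(Boolean));
}

// Assumption: an umbrella scope such as 'read' grants every 'read:*' sub-scope.
function grantsScope(granted, required) {
  if (granted.has(required)) return true;
  const umbrella = required.split(':')[0];
  return umbrella !== required && granted.has(umbrella);
}

// Weak check: any valid token may subscribe to any channel. This is the
// class of mistake the advisory describes (scope never consulted).
function authorizeSubscriptionWeak(channel, token) {
  return token !== null && token !== undefined && token.valid === true;
}

// Hardened check: the token must be valid AND carry the channel's scope.
// Returns a structured result so the caller can log the denial reason.
function authorizeSubscription(channel, token) {
  if (!token || token.valid !== true) {
    return { ok: false, reason: 'unauthenticated' };
  }
  const required = CHANNEL_REQUIRED_SCOPE[channel];
  if (!required) {
    return { ok: false, reason: 'unknown channel' };
  }
  const granted = parseScopes(token.scopes);
  if (!grantsScope(granted, required)) {
    return { ok: false, reason: `missing scope ${required}` };
  }
  return { ok: true, reason: null };
}

// Constructed sample tokens for a stand-alone run.
const SAMPLE_TOKENS = {
  writeOnly: { valid: true, scopes: 'write:statuses' },
  readStatuses: { valid: true, scopes: 'read:statuses' },
  umbrellaRead: { valid: true, scopes: 'read' },
  expired: { valid: false, scopes: 'read' },
};

for (const [name, token] of Object.entries(SAMPLE_TOKENS)) {
  console.log(
    name,
    'weak:', authorizeSubscriptionWeak('public', token),
    'hardened:', JSON.stringify(authorizeSubscription('public', token)),
  );
}
```

The structured result makes the denial reason available to the streaming server's logs; a burst of 'missing scope read:statuses' denials from one client is the signal a defender would want to see once the check is in place.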
Affected Version(s)

Package  | Affected versions              | Patched version
---------|--------------------------------|----------------
mastodon | >= 4.4.0-beta.1, < 4.4.6       | 4.4.6
mastodon | >= 4.3.0-beta.1, < 4.3.14      | 4.3.14
mastodon | < 4.2.27                       | 4.2.27