Information Disclosure Vulnerability in Mastodon Open-Source Social Network
CVE-2025-62176

4.3MEDIUM

Key Information:

Vendor

Mastodon

Status
Vendor
CVE Published:
13 October 2025

What is CVE-2025-62176?

Mastodon, the free open-source social networking server based on ActivityPub, has a vulnerability allowing unauthorized access to public timeline events. Prior to patch versions 4.4.6, 4.3.14, and 4.2.27, the streaming server improperly accepted requests with valid OAuth authentication tokens lacking the 'read:statuses' scope. This enables clients to subscribe to public channels and receive events related to new public posts. Though the impact is somewhat contained to the public timeline within limited-federation contexts, the issue raises security concerns and requires immediate attention to upgrade the affected versions.

Affected Version(s)

mastodon >= 4.4.0-beta.1, < 4.4.6 < 4.4.0-beta.1, 4.4.6

mastodon >= 4.3.0-beta.1, < 4.3.14 < 4.3.0-beta.1, 4.3.14

mastodon < 4.2.27 < 4.2.27

References

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2025-62176 : Information Disclosure Vulnerability in Mastodon Open-Source Social Network