CVE-2025-27399

MEDIUM

Mastodon <4.1.23-4.3.4 - Info Disclosure

Title source: llm

Description

Mastodon is a self-hosted, federated microblogging platform. In versions prior to 4.1.23, 4.2.16, and 4.3.4, when the visibility for domain blocks/reasons is set to "users" (localized English string: "To logged-in users"), users that are not yet approved can view the block reasons. Instance admins that do not want their domain blocks to be public are impacted. Versions 4.1.23, 4.2.16, and 4.3.4 fix the issue.

References (4)

Core 4

Core References

Vendor Advisory x_refsource_confirm

https://github.com/mastodon/mastodon/security/advisories/GHSA-94h4-fj37-c825

Patch x_refsource_misc

https://github.com/mastodon/mastodon/commit/6b519cfefa93a923b19d0f20c292c7185f8fd5f5

View Patch ZIP pw:eip

Product x_refsource_misc

https://github.com/mastodon/mastodon/blob/93f0427b8a84faf68d5d02cdf9a26f98fae16f2b/app/controllers/api/v1/instances/domain_blocks_controller.rb#L33-L35

Product x_refsource_misc

https://github.com/mastodon/mastodon/blob/93f0427b8a84faf68d5d02cdf9a26f98fae16f2b/app/controllers/api/v1/instances/domain_blocks_controller.rb#L49-L51

View Writeup ZIP pw:eip

Scores

CVSS v3 5.3

EPSS 0.0045

EPSS Percentile 63.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-285 CWE-200

Status published

Products (1)

joinmastodon/mastodon < 4.1.23

Published Feb 27, 2025

Tracked Since Feb 18, 2026