CVE-2025-67500

LOW

Mastodon <4.2.27, <4.3.0-beta.1-4.3.14, <4.4.0-beta.1-4.4.9, <4.5.0...

Title source: llm

Description

Mastodon is a free, open-source social network server based on ActivityPub. Versions 4.2.27 and prior, 4.3.0-beta.1 through 4.3.14, 4.4.0-beta.1 through 4.4.9, 4.5.0-beta.1 through 4.5.2 have discrepancies in error handling which allow checking whether a given status exists by sending a request with a non-English Accept-Language header. Using this behavior, an attacker who knows the identifier of a particular status they are not allowed to see can confirm whether this status exists or not. This cannot be used to learn the contents of the status or any other property besides its existence. This issue is fixed in versions 4.2.28, 4.3.15, 4.4.10 and 4.5.3.

References (2)

[Vendor Advisory] https://github.com/mastodon/mastodon/security/advisories/GHSA-gwhw-gcjx-72v8

[Patch] https://github.com/mastodon/mastodon/pull/37077/commits/9957d3218cb33fea6a44bb285e2ba4795a059e4f

Scores

CVSS v3 3.7

EPSS 0.0007

EPSS Percentile 20.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-204

Status published

Products (1)

joinmastodon/mastodon < 4.2.28

Published Dec 10, 2025

Tracked Since Feb 18, 2026