CVE-2025-67500

EUVD-2025-202338

10.12.2025, 00:16

Mastodon is a free, open-source social network server based on ActivityPub. Versions 4.2.27 and prior, 4.3.0-beta.1 through 4.3.14, 4.4.0-beta.1 through 4.4.9, 4.5.0-beta.1 through 4.5.2 have discrepancies in error handling which allow checking whether a given status exists by sending a request with a non-English Accept-Language header. Using this behavior, an attacker who knows the identifier of a particular status they are not allowed to see can confirm whether this status exists or not. This cannot be used to learn the contents of the status or any other property besides its existence. This issue is fixed in versions 4.2.28, 4.3.15, 4.4.10 and 4.5.3.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	3.7 LOW	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
GitHub_M	CNA	3.7 LOW	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 17%

Affected Products (NVD)

Vendor	Product	Version
joinmastodon	mastodon	𝑥 < 4.2.28
joinmastodon	mastodon	4.3.0 ≤ 𝑥 < 4.3.15
joinmastodon	mastodon	4.4.0 ≤ 𝑥 < 4.4.10
joinmastodon	mastodon	4.5.0 ≤ 𝑥 < 4.5.3

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-204 - Observable Response Discrepancy
The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.

References

https://github.com/mastodon/mastodon/pull/37077/commits/9957d3218cb33fea6a44bb285e2ba4795a059e4f

https://github.com/mastodon/mastodon/security/advisories/GHSA-gwhw-gcjx-72v8