Vulnerability Description
Mastodon is a free, open-source social network server based on ActivityPub. In Mastodon before 4.4.6, 4.3.14, and 4.2.27, the streaming server accepts serving events for public timelines to clients using any valid authentication token, even if those tokens lack the read:statuses scope. This allows OAuth clients without the read scope to subscribe to public channels and receive public timeline events. The impact is limited, as this only affects new public posts published on the public timelines and requires an otherwise valid token, but this may lead to unexpected access to public posts in a limited-federation setting. This issue has been patched in versions 4.4.6, 4.3.14, and 4.2.27. No known workarounds exist.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Joinmastodon | Mastodon | < 4.2.27 |
Related Weaknesses (CWE)
References
- https://github.com/mastodon/mastodon/commit/7e98fa9b476fdaed235519f1d527eb956004Patch
- https://github.com/mastodon/mastodon/security/advisories/GHSA-7gwh-mw97-qjgpVendor Advisory
FAQ
What is CVE-2025-62176?
CVE-2025-62176 is a vulnerability with a CVSS score of 4.3 (MEDIUM). Mastodon is a free, open-source social network server based on ActivityPub. In Mastodon before 4.4.6, 4.3.14, and 4.2.27, the streaming server accepts serving events for public timelines to clients us...
How severe is CVE-2025-62176?
CVE-2025-62176 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-62176?
Check the references section above for vendor advisories and patch information. Affected products include: Joinmastodon Mastodon.