CVE-2025-62175— Mastodon streaming API fails to disconnect disabled and suspended users
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2025-62175
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Mastodon streaming API fails to disconnect disabled and suspended users
Source: NVD (National Vulnerability Database)
Vulnerability Description
Mastodon is a free, open-source social network server based on ActivityPub. In versions before 4.4.6, 4.3.14, and 4.2.27, disabling or suspending a user account does not disconnect the account from the streaming API. This allows disabled or suspended accounts to continue receiving real-time updates through existing streaming connections and to establish new streaming connections, even though they cannot interact with other API endpoints. This undermines moderation actions, as administrators expect disabled or suspended accounts to be fully disconnected from the service. This issue has been patched in versions 4.4.6, 4.3.14, and 4.2.27. No known workarounds exist.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
对于放弃特权的检查不恰当
Source: NVD (National Vulnerability Database)
Vulnerability Title
Mastodon 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Mastodon是Mastodon开源的一款基于ActivityPub的开源社交网络服务器。 Mastodon 4.4.6之前版本、4.3.14之前版本和4.2.27之前版本存在安全漏洞,该漏洞源于禁用或暂停用户账户时未断开流API连接,可能导致被禁用账户继续接收实时更新。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2025-62175
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2025-62175
请登录查看更多情报信息。
Same Patch Batch · mastodon · 2025-10-13 · 3 CVEs total
| CVE-2025-62176 | 4.3 MEDIUM | Mastadon streaming server allows OAuth clients without the `read` scope to subscribe to pu |
| CVE-2025-62174 | 3.5 LOW | Mastodon allows continued access after password reset via CLI |
IV. Related Vulnerabilities
Same product: mastodon
- CVE-2026-41259
Mastodon: Insufficient verification of email addresses - CVE-2026-33869
Mastodon has a denial of service for quote authorization - CVE-2026-33868
Mastodon has a GET-Based Open Redirect via '/web/%2F<domain> - CVE-2026-27477
Mastodon has SSRF via unvalidated FASP Provider base_url - CVE-2026-27468
Mastodon may allow unconfirmed FASP to make subscriptions
Same vendor: mastodon
- CVE-2026-41259
Mastodon: Insufficient verification of email addresses - CVE-2026-33869
Mastodon has a denial of service for quote authorization - CVE-2026-33868
Mastodon has a GET-Based Open Redirect via '/web/%2F<domain> - CVE-2026-27477
Mastodon has SSRF via unvalidated FASP Provider base_url - CVE-2026-27468
Mastodon may allow unconfirmed FASP to make subscriptions
Same weakness: CWE-273
- CVE-2026-32107
xrdp: Fail-open privilege drop in sesexec — child processes - CVE-2026-21882
theshit's Improper Privilege Dropping Allows Local Privilege - CVE-2025-27396
Siemens SCALANCE LPE9403 安全漏洞 - CVE-2025-1003
HP Anyware Agent for Linux – Potential Authentication Bypass - CVE-2023-0657
Keycloak: impersonation via logout token exchange
V. Comments for CVE-2025-62175
No comments yet