CVE-2025-67500

Mastodon is a free, open-source social network server based on ActivityPub. Versions 4.2.27 and prior, 4.3.0-beta.1 through 4.3.14, 4.4.0-beta.1 through 4.4.9, 4.5.0-beta.1 through 4.5.2 have discrepancies in error handling which allow checking whether a given status exists by sending a request with a non-English Accept-Language header. Using this behavior, an attacker who knows the identifier of a particular status they are not allowed to see can confirm whether this status exists or not. This cannot be used to learn the contents of the status or any other property besides its existence. This issue is fixed in versions 4.2.28, 4.3.15, 4.4.10 and 4.5.3.

CVSS v3 3.7 LOW

3.7^/10

CVSS v3 : LOW

Vector :

Exploitability : 2.2 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/mastodon/mastodon/pull/37077/commits/9957d3218cb33fea6a44bb285e2ba4795a059e4f	Patch
https://github.com/mastodon/mastodon/security/advisories/GHSA-gwhw-gcjx-72v8	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:joinmastodon:mastodon::::::::
	cpe:2.3:a:joinmastodon:mastodon::::::::
	cpe:2.3:a:joinmastodon:mastodon::::::::
	cpe:2.3:a:joinmastodon:mastodon::::::::

History

19 Dec 2025, 19:29

Type	Values Removed	Values Added
First Time		Joinmastodon mastodon Joinmastodon
CPE		cpe:2.3:a:joinmastodon:mastodon::::::::
References	~~() https://github.com/mastodon/mastodon/pull/37077/commits/9957d3218cb33fea6a44bb285e2ba4795a059e4f -~~	() https://github.com/mastodon/mastodon/pull/37077/commits/9957d3218cb33fea6a44bb285e2ba4795a059e4f - Patch
References	~~() https://github.com/mastodon/mastodon/security/advisories/GHSA-gwhw-gcjx-72v8 -~~	() https://github.com/mastodon/mastodon/security/advisories/GHSA-gwhw-gcjx-72v8 - Vendor Advisory

10 Dec 2025, 00:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-12-10 00:16

Updated : 2025-12-19 19:29

NVD link : CVE-2025-67500

Mitre link : CVE-2025-67500

CVE.ORG link : CVE-2025-67500

JSON object : View

Products Affected

joinmastodon

mastodon

CWE

CWE-204

Observable Response Discrepancy

{"id": "CVE-2025-67500", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.2}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.2}]}, "published": "2025-12-10T00:16:11.270", "references": [{"url": "https://github.com/mastodon/mastodon/pull/37077/commits/9957d3218cb33fea6a44bb285e2ba4795a059e4f", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-gwhw-gcjx-72v8", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-204"}]}], "descriptions": [{"lang": "en", "value": "Mastodon is a free, open-source social network server based on ActivityPub. Versions 4.2.27 and prior, 4.3.0-beta.1 through 4.3.14, 4.4.0-beta.1 through 4.4.9, 4.5.0-beta.1 through 4.5.2 have discrepancies in error handling which allow checking whether a given status exists by sending a request with a non-English Accept-Language header. Using this behavior, an attacker who knows the identifier of a particular status they are not allowed to see can confirm whether this status exists or not. This cannot be used to learn the contents of the status or any other property besides its existence. This issue is fixed in versions 4.2.28, 4.3.15, 4.4.10 and 4.5.3."}], "lastModified": "2025-12-19T19:29:53.110", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C9100527-3A10-4D09-A322-7487BB36102D", "versionEndExcluding": "4.2.28"}, {"criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "53839555-56EC-43AE-B344-643F0F8326E6", "versionEndExcluding": "4.3.15", "versionStartIncluding": "4.3.0"}, {"criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8F59D92C-1E2E-454F-91F8-4764E88D61E4", "versionEndExcluding": "4.4.10", "versionStartIncluding": "4.4.0"}, {"criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "20E7A258-0D9F-40E6-ABD5-DB3C60FE95D8", "versionEndExcluding": "4.5.3", "versionStartIncluding": "4.5.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}