CVE-2026-25540

{"id": "CVE-2026-25540", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 3.9}]}, "published": "2026-02-04T22:16:00.233", "references": [{"url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-ccpr-m53r-mfwr", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-524"}]}], "descriptions": [{"lang": "en", "value": "Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.3.19, 4.4.13, 4.5.6, Mastodon is vulnerable to web cache poisoning via `Rails.cache. When AUTHORIZED_FETCH is enabled, the ActivityPub endpoints for pinned posts and featured hashtags have contents that depend on the account that signed the HTTP request. However, these contents are stored in an internal cache and reused with no regards to the signing actor. As a result, an empty response generated for a blocked user account may be served to requests from legitimate non-blocked actors, or conversely, content intended for non-blocked actors may be returned to blocked actors. This issue has been patched in versions 4.3.19, 4.4.13, 4.5.6."}, {"lang": "es", "value": "Mastodon es un servidor de red social gratuito, de c\u00f3digo abierto, basado en ActivityPub. Antes de las versiones 4.3.19, 4.4.13, 4.5.6, Mastodon es vulnerable al envenenamiento de cach\u00e9 web a trav\u00e9s de 'Rails.cache'. Cuando AUTHORIZED_FETCH est\u00e1 habilitado, los puntos finales de ActivityPub para publicaciones fijadas y hashtags destacados tienen contenidos que dependen de la cuenta que firm\u00f3 la solicitud HTTP. Sin embargo, estos contenidos se almacenan en una cach\u00e9 interna y se reutilizan sin tener en cuenta al actor firmante. Como resultado, una respuesta vac\u00eda generada para una cuenta de usuario bloqueada puede ser servida a solicitudes de actores leg\u00edtimos no bloqueados, o, a la inversa, contenido destinado a actores no bloqueados puede ser devuelto a actores bloqueados. Este problema ha sido parcheado en las versiones 4.3.19, 4.4.13, 4.5.6."}], "lastModified": "2026-02-20T21:02:56.213", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7C5EDBA6-4837-43AB-AEF3-C61A974B5017", "versionEndExcluding": "4.3.19"}, {"criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5A55C7B9-3FC4-4DB8-8C33-8C3435A54F63", "versionEndExcluding": "4.4.13", "versionStartIncluding": "4.4.0"}, {"criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A3A0CD1A-0EC2-43E3-8273-D3D06A65A2D9", "versionEndExcluding": "4.5.6", "versionStartIncluding": "4.5.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}