CVE-2025-62175

· Published 13/10/2025 21:15 · Modified 13/10/2025 21:15

Labels: CVE-2025-62175, 2025-10-13, CWE-273, [email protected]

Essential information

Published: 13/10/2025 21:15
Modified: 13/10/2025 21:15
Author: Creator
CVSS: 4.3 MEDIUM (v3.1)
CISA KEV: No
CWE: CWE-273
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Description

Mastodon is a free, open-source social network server based on ActivityPub. In versions before 4.4.6, 4.3.14, and 4.2.27, disabling or suspending a user account does not disconnect the account from the streaming API. This allows disabled or suspended accounts to continue receiving real-time updates through existing streaming connections and to establish new streaming connections, even though they cannot interact with other API endpoints. This undermines moderation actions, as administrators expect disabled or suspended accounts to be fully disconnected from the service. This issue has been patched in versions 4.4.6, 4.3.14, and 4.2.27. No known workarounds exist.

NVD status

Status: Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]

Affected products (CPE)

Product               CPE
mastodon / mastodon   cpe:2.3:a:mastodon:mastodon:<4.4.6:*:*:*:*:*:*:*
mastodon / mastodon   cpe:2.3:a:mastodon:mastodon:<4.3.14:*:*:*:*:*:*:*
mastodon / mastodon   cpe:2.3:a:mastodon:mastodon:<4.2.27:*:*:*:*:*:*:*

References