216.73.217.86

CVE-2025-62605

· Published 21/10/2025 17:15 · Modified 21/10/2025 19:31

Labels: CVE-2025-62605 2025-10-21CVE-2025-62605CWE-754[email protected]

Essential information

Published
21/10/2025 17:15
Modified
21/10/2025 19:31
Author
Creator
CVSS
4.3 MEDIUM (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CVSS metrics

Description

Mastodon is a free, open-source social network server based on ActivityPub. In Mastodon version 4.4, support for verifiable quote posts with quote controls was added, but it is possible for an attacker to bypass these controls in Mastodon versions prior to 4.4.8 and 4.5.0-beta.2. Mastodon internally treats reblogs as statuses. Since they were not special-treated, an attacker could reblog any post, then quote their reblog, technically quoting themselves, but having the quote feature a preview of the post they did not get authorization for with all of the affordances that would be otherwise denied by the quote controls. This issue has been patched in versions 4.4.8 and 4.5.0-beta.2.

NVD status

Status
Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
mastodon / masotdon cpe:2.3:a:mastodon:masotdon:<4.4.8:*:*:*:*:*:*
mastodon / masotdon cpe:2.3:a:mastodon:masotdon:<4.5.0-beta.2:*:*:*:*:*:*

References