Vulnerability from bitnami_vulndb
Published: 2025-10-15 08:44
Modified: 2026-01-08 18:07
Summary
Mastodon streaming server allows OAuth clients without the `read` scope to subscribe to public channels
Details

Mastodon is a free, open-source social network server based on ActivityPub. In Mastodon before 4.4.6, 4.3.14, and 4.2.27, the streaming server serves public timeline events to any client presenting a valid authentication token, even when that token lacks the read:statuses scope. This allows OAuth clients without the read scope to subscribe to public channels and receive public timeline events. The impact is limited, as only new public posts published on the public timelines are affected and an otherwise valid token is required, but it may lead to unexpected access to public posts in a limited-federation setting. This issue has been patched in versions 4.4.6, 4.3.14, and 4.2.27. No known workarounds exist.


{
  "affected": [
    {
      "package": {
        "ecosystem": "Bitnami",
        "name": "mastodon",
        "purl": "pkg:bitnami/mastodon"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.2.27"
            },
            {
              "introduced": "4.3.0"
            },
            {
              "fixed": "4.3.14"
            },
            {
              "introduced": "4.4.0"
            },
            {
              "fixed": "4.4.6"
            }
          ],
          "type": "SEMVER"
        }
      ],
      "severity": [
        {
          "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
          "type": "CVSS_V3"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-62176"
  ],
  "database_specific": {
    "cpes": [
      "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*"
    ],
    "severity": "Medium"
  },
  "details": "Mastodon is a free, open-source social network server based on ActivityPub. In Mastodon before 4.4.6, 4.3.14, and 4.2.27, the streaming server accepts serving events for public timelines to clients using any valid authentication token, even if those tokens lack the read:statuses scope. This allows OAuth clients without the read scope to subscribe to public channels and receive public timeline events. The impact is limited, as this only affects new public posts published on the public timelines and requires an otherwise valid token, but this may lead to unexpected access to public posts in a limited-federation setting. This issue has been patched in versions 4.4.6, 4.3.14, and 4.2.27. No known workarounds exist.",
  "id": "BIT-mastodon-2025-62176",
  "modified": "2026-01-08T18:07:34.629Z",
  "published": "2025-10-15T08:44:06.235Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/mastodon/mastodon/commit/7e98fa9b476fdaed235519f1d527eb956004ba0c"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-7gwh-mw97-qjgp"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62176"
    }
  ],
  "schema_version": "1.6.2",
  "summary": "Mastadon streaming server allows OAuth clients without the `read` scope to subscribe to public channels"
}

