Home > Vulnerability Database > CVE-2025-62176

Mend.io Vulnerability Database

CVE-2025-62176

Good to know:

Date: October 13, 2025

Mastodon is a free, open-source social network server based on ActivityPub. In Mastodon before 4.4.6, 4.3.14, and 4.2.27, the streaming server accepts serving events for public timelines to clients using any valid authentication token, even if those tokens lack the read:statuses scope. This allows OAuth clients without the read scope to subscribe to public channels and receive public timeline events. The impact is limited, as this only affects new public posts published on the public timelines and requires an otherwise valid token, but this may lead to unexpected access to public posts in a limited-federation setting. This issue has been patched in versions 4.4.6, 4.3.14, and 4.2.27. No known workarounds exist.

Severity Score

4.3

Related Resources (4)

Url: https://github.com/mastodon/mastodon/commit/7e98fa9b476fdaed235519f1d527eb956004ba0c

Url: https://github.com/mastodon/mastodon/security/advisories/GHSA-7gwh-mw97-qjgp

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-62176

Url: https://www.mend.io/vulnerability-database/CVE-2025-62176

Severity Score

4.3

Weakness Type (CWE)

Improper Handling of Insufficient Permissions or Privileges

CWE-280

Top Fix

Upgrade Version

Upgrade to version https://github.com/mastodon/mastodon.git - v4.2.27;https://github.com/mastodon/mastodon.git - v4.3.14;https://github.com/mastodon/mastodon.git - v4.4.6

Learn More

CVSS v3.1

Base Score:	4.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-62176

Good to know:

Date: October 13, 2025

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?