#VU126975 Insufficient Session Expiration in Mastodon

 

Published: July 4, 2024 / Updated: April 23, 2026


Vulnerability identifier: #VU126975
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-613
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Mastodon
Software vendor: Mastodon

Description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to insufficient session expiration in the streaming API when maintaining WebSocket streaming connections after an access token is revoked. A remote user can keep an existing streaming connection open and continue subscribing to streamable timelines to disclose sensitive information.

User interaction is required because the user must first authorize the application before revoking its access token.
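As an added illustration (not Mastodon's own streaming code), the following JavaScript models a streaming server that records which access token authenticated each WebSocket; all class, method and token names are assumptions. The bug-shaped revocation path only forgets the token and leaves already-authenticated connections streaming, while the hardened path also closes every connection opened with that token.

```javascript
// Added illustration, not Mastodon's code: an in-memory model of a streaming
// server that remembers which access token authenticated each WebSocket, so
// revoking the token can also end the connections it opened. Names are hypothetical.
class FakeSocket {
  constructor() { this.closed = false; this.received = []; }
  send(event) { if (!this.closed) this.received.push(event); }
  close() { this.closed = true; }
}
class StreamingServer {
  constructor() {
    this.validTokens = new Set(); // tokens the API currently accepts
    this.subsByToken = new Map(); // token -> Set of { timeline, socket }
  }
  issueToken(token) { this.validTokens.add(token); }
  // Authentication happens once, at the WebSocket handshake.
  subscribe(token, timeline, socket) {
    if (!this.validTokens.has(token)) throw new Error('unauthorized');
    if (!this.subsByToken.has(token)) this.subsByToken.set(token, new Set());
    this.subsByToken.get(token).add({ timeline, socket });
  }
  // Pushes an event to every open socket on the timeline; returns the count.
  publish(timeline, event) {
    let delivered = 0;
    for (const subs of this.subsByToken.values()) {
      for (const sub of subs) {
        if (sub.timeline !== timeline || sub.socket.closed) continue;
        sub.socket.send(event); delivered++;
      }
    }
    return delivered;
  }
  // Bug (CWE-613): revocation forgets the token but earlier-authenticated connections keep streaming.
  revokeTokenOnly(token) { this.validTokens.delete(token); }
  // Fix: revocation also closes every subscription opened with the token.
  revokeTokenAndDisconnect(token) {
    this.validTokens.delete(token);
    for (const sub of this.subsByToken.get(token) ?? []) sub.socket.close();
    this.subsByToken.delete(token);
  }
}
// Events a client still receives after revocation: 'revokeTokenOnly' leaks them, the fix does not.
function eventsAfterRevocation(revokeMethod) {
  const server = new StreamingServer();
  const socket = new FakeSocket();
  server.issueToken('tok-1'); // constructed sample token
  server.subscribe('tok-1', 'user', socket);
  server[revokeMethod]('tok-1');
  return server.publish('user', { type: 'update', id: '1' });
}
```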


Remediation

Install the security update from the vendor's website.

External links