Insufficient Session Expiration in Mastodon - #VU126975

Published: July 4, 2024 / Updated: April 23, 2026


Vulnerability identifier: #VU126975
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-613
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Mastodon
Affected software:
Mastodon

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to insufficient session expiration in the streaming API: WebSocket streaming connections that were authorized with an access token are kept open after that token is revoked. A remote user can keep such an existing streaming connection open and continue subscribing to streamable timelines, receiving data the revoked token should no longer grant access to and thereby disclosing sensitive information.

User interaction is required because the user must first authorize the application before revoking its access token.
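To make the failure mode concrete, the following is an added, constructed model of a streaming server's session handling; it is not Mastodon's code, and every class, method and token value in it is hypothetical. It contrasts a server that checks the access token only at the WebSocket handshake with one that also re-validates the token on each new subscription and closes every session bound to a token the moment that token is revoked. A third, partially hardened variant shows why re-validating on subscribe alone is not enough: an already-established subscription keeps delivering until revocation actively terminates the connection.

```javascript
'use strict';

// Added illustration of CWE-613 in a WebSocket streaming API (not Mastodon's code).
// All names here are hypothetical. A 'FakeSocket' stands in for a real WebSocket.

class TokenStore {
  constructor() {
    this.tokens = new Map(); // token string -> { userId, revoked }
    this.listeners = [];     // callbacks notified when a token is revoked
  }
  issue(token, userId) {
    this.tokens.set(token, { userId, revoked: false });
  }
  isValid(token) {
    const entry = this.tokens.get(token);
    return entry !== undefined && !entry.revoked;
  }
  onRevoke(listener) {
    this.listeners.push(listener);
  }
  revoke(token) {
    const entry = this.tokens.get(token);
    if (!entry || entry.revoked) return;
    entry.revoked = true;
    for (const listener of this.listeners) listener(token);
  }
}

// Records what a client received and whether/how the server closed it.
class FakeSocket {
  constructor() {
    this.open = true;
    this.closeCode = null;
    this.delivered = [];
  }
  send(message) {
    if (this.open) this.delivered.push(message);
  }
  close(code) {
    this.open = false;
    this.closeCode = code;
  }
}

class StreamingServer {
  // revalidateOnSubscribe and closeOnRevoke model the two defensive controls.
  constructor(tokens, { revalidateOnSubscribe, closeOnRevoke }) {
    this.tokens = tokens;
    this.revalidateOnSubscribe = revalidateOnSubscribe;
    this.sessions = new Map(); // socket -> { token, timelines: Set<string> }
    if (closeOnRevoke) {
      tokens.onRevoke((token) => this.terminateSessionsFor(token));
    }
  }
  connect(socket, token) {
    // Handshake-time check: every variant does at least this.
    if (!this.tokens.isValid(token)) {
      socket.close(4401);
      return false;
    }
    this.sessions.set(socket, { token, timelines: new Set() });
    return true;
  }
  subscribe(socket, timeline) {
    const session = this.sessions.get(socket);
    if (!session) return false;
    // Hardened: the token is re-checked for every new subscription.
    if (this.revalidateOnSubscribe && !this.tokens.isValid(session.token)) {
      this.terminate(socket, 4401);
      return false;
    }
    session.timelines.add(timeline);
    return true;
  }
  terminate(socket, code) {
    this.sessions.delete(socket);
    socket.close(code);
  }
  terminateSessionsFor(token) {
    for (const [socket, session] of [...this.sessions]) {
      if (session.token === token) this.terminate(socket, 4401);
    }
  }
  publish(timeline, payload) {
    let delivered = 0;
    for (const [socket, session] of this.sessions) {
      if (session.timelines.has(timeline) && socket.open) {
        socket.send(JSON.stringify({ stream: [timeline], payload }));
        delivered += 1;
      }
    }
    return delivered;
  }
}

// Connect, subscribe, revoke the token, then see what the client can still do.
function runScenario(options) {
  const tokens = new TokenStore();
  const server = new StreamingServer(tokens, options);
  tokens.issue('tok-constructed-1', 'user-1'); // constructed sample token
  const socket = new FakeSocket();
  server.connect(socket, 'tok-constructed-1');
  server.subscribe(socket, 'user');
  tokens.revoke('tok-constructed-1'); // the user revokes the application's access
  const deliveredAfterRevoke = server.publish('user', { id: 'status-1' });
  const subscribedAfterRevoke = server.subscribe(socket, 'user:notification');
  return { deliveredAfterRevoke, subscribedAfterRevoke, connectionOpen: socket.open, closeCode: socket.closeCode };
}

const vulnerableOutcome = () => runScenario({ revalidateOnSubscribe: false, closeOnRevoke: false });
const partialOutcome = () => runScenario({ revalidateOnSubscribe: true, closeOnRevoke: false });
const hardenedOutcome = () => runScenario({ revalidateOnSubscribe: true, closeOnRevoke: true });

console.log('handshake check only :', vulnerableOutcome());
console.log('revalidate on subscribe:', partialOutcome());
console.log('revalidate + close on revoke:', hardenedOutcome());
```

The handshake-only server keeps delivering and accepts new subscriptions after revocation, which is the behaviour the advisory describes. Re-validating on subscribe blocks new subscriptions but still pushes one more event to the existing subscription; only the revocation hook that closes every session bound to the token removes the window entirely, so a detection or audit check for this class of issue should confirm that token revocation actually terminates live streaming sessions rather than merely failing the next authorization check.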


Remediation

Install the security update from the vendor's website.

Sources