#VU126979 Improper Authorization in Mastodon - CVE-2025-27399

Published: February 27, 2025 / Updated: April 23, 2026


Vulnerability identifier: #VU126979
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2025-27399
CWE-ID: CWE-285
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Mastodon
Software vendor: Mastodon

Description

The vulnerability allows a remote attacker to disclose domain block information and rationales that are intended only for logged-in users.

The vulnerability exists due to improper authorization in the visibility checks for domain blocks and their rationales when handling requests for domain block information with visibility set to "users". A remote attacker can use an unconfirmed and unapproved account to access the domain blocks and their rationales, disclosing information intended only for logged-in users.

The issue occurs when the instance is configured to show domain blocks or their rationales to logged-in users.
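The following Ruby snippet is an added illustration of the class of check this advisory describes; it is not Mastodon's code. The setting values ("disabled", "users", "all"), the user fields (`confirmed`, `approved`) and the helper names are assumptions chosen so the example runs without Rails. It places a weak check that treats any signed-in session as a "user" beside a hardened check that requires a fully confirmed and approved account, and compares both across anonymous, half-registered and functional accounts.

```ruby
# Added illustration of the authorization flaw described in this advisory.
# This is NOT Mastodon's code: the setting values ("disabled", "users", "all"),
# the User fields (confirmed, approved) and the helper names are assumptions
# chosen to make the example self-contained and runnable without Rails.

# Minimal stand-in for a signed-in account. A freshly registered account may be
# neither email-confirmed nor admin-approved yet but still has a session.
User = Struct.new(:confirmed, :approved, keyword_init: true) do
  # A "functional" account is one that finished sign-up: confirmed and approved.
  def functional?
    confirmed && approved
  end
end

# Weak check: treats any signed-in session as a "user". Because registration
# creates a session before confirmation and approval, an unconfirmed,
# unapproved account passes when the setting is "users".
def weak_domain_blocks_visible?(setting, current_user)
  case setting
  when "all"   then true
  when "users" then !current_user.nil?
  else false
  end
end

# Hardened check: "users" means a fully functional account, so an account that
# is not yet confirmed and approved is treated like an anonymous visitor.
def hardened_domain_blocks_visible?(setting, current_user)
  case setting
  when "all"   then true
  when "users" then !current_user.nil? && current_user.functional?
  else false
  end
end

# Constructed scenarios covering anonymous, half-registered and full accounts.
SCENARIOS = {
  anonymous:   nil,
  unconfirmed: User.new(confirmed: false, approved: false),
  pending:     User.new(confirmed: true,  approved: false),
  functional:  User.new(confirmed: true,  approved: true),
}.freeze

# Returns scenario => [weak_result, hardened_result] for a given setting so the
# two policies can be compared side by side.
def compare_policies(setting)
  SCENARIOS.transform_values do |user|
    [weak_domain_blocks_visible?(setting, user),
     hardened_domain_blocks_visible?(setting, user)]
  end
end

if __FILE__ == $PROGRAM_NAME
  compare_policies("users").each do |name, (weak, hardened)|
    puts format("%-12s weak=%-5s hardened=%s", name, weak, hardened)
  end
end
```

Running the file prints one row per scenario for the "users" setting; the unconfirmed and pending rows are the ones where the weak policy says `true` and the hardened policy says `false`, which is the gap the advisory describes. The same rule applies to the rationale setting, since it uses the same visibility values.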


Remediation

Install security update from vendor's website.

External links