Insufficient Session Expiration in Mastodon - CVE-2025-62174


Published: April 23, 2026


Vulnerability identifier: #VU126984
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-62174
CWE-ID: CWE-613
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Mastodon
Affected software:
Mastodon

Detailed vulnerability description

The vulnerability allows a remote user to continue using compromised sessions and access tokens to disclose sensitive information.

The vulnerability exists due to insufficient session expiration in session and access token handling when an administrator resets an account password via the CLI. A remote user can reuse previously issued sessions or access tokens to disclose sensitive information.

User interaction is required because an administrator must perform the password reset action.
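As an added illustration (not Mastodon's code; the AccountStore class and its method names are hypothetical), the contrast between a password reset that only rotates the credential and one that also revokes every outstanding session and access token, which is the behaviour that prevents the reuse described above:

```ruby
# Added illustration (not Mastodon's code): an in-memory account store showing
# why a password reset must also revoke existing sessions and access tokens.
require 'securerandom'
require 'digest'

class AccountStore
  Account = Struct.new(:password_digest, :sessions, :tokens)
  def initialize
    @accounts = {}
  end

  # Stand-in for a real password hash (bcrypt/argon2), kept dependency-free.
  def digest(password)
    Digest::SHA256.hexdigest(password)
  end

  def create(username, password)
    @accounts[username] = Account.new(digest(password), {}, {})
  end

  # Issue a browser session id and an API access token after a login.
  def login(username, password)
    acct = @accounts.fetch(username)
    raise 'bad credentials' unless acct.password_digest == digest(password)
    session_id, token = SecureRandom.hex(16), SecureRandom.hex(32)
    acct.sessions[session_id] = true
    acct.tokens[token] = true
    [session_id, token]
  end

  # Weak reset (CWE-613): only the password changes; old sessions and tokens keep working.
  def reset_password_weak(username, new_password)
    @accounts.fetch(username).password_digest = digest(new_password)
  end

  # Hardened reset: rotate the password and revoke every session and token,
  # which is what an administrator expects a CLI reset to do.
  def reset_password_hardened(username, new_password)
    acct = @accounts.fetch(username)
    acct.password_digest = digest(new_password)
    acct.sessions.clear
    acct.tokens.clear
  end

  # Does a previously issued session id or access token still grant access?
  def still_valid?(username, credential)
    acct = @accounts.fetch(username)
    acct.sessions.key?(credential) || acct.tokens.key?(credential)
  end
end
```

A detection-side corollary: after any administrative reset, sessions or tokens issued before the reset timestamp that are still being used are a signal worth alerting on.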


How to mitigate CVE-2025-62174

Install the security update from the vendor's website.

Sources