Improper Handling of Insufficient Privileges in Mastodon - CVE-2025-62175

Published: April 23, 2026


Vulnerability identifier: #VU126985
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-62175
CWE-ID: CWE-274
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Mastodon
Affected software:
Mastodon

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper handling of insufficient privileges in the streaming API when it processes connections for disabled or suspended accounts. A remote user whose account has been disabled or suspended can reconnect to the streaming API and continue to receive data, disclosing sensitive information.

Disabled or suspended accounts may remain connected and continue receiving messages through the streaming API even though they cannot interact with other APIs.
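The failure mode described above, as an added illustration that is not Mastodon's code: an in-memory model of a streaming server in which the account's status is checked only when a connection is opened, shown next to two defensive fixes (revoking open sessions when the status changes, and re-checking the account on every delivery). All names (`accounts`, `sessions`, `connect`, `deliver`, the status strings) are hypothetical.

```javascript
// Added illustration, not Mastodon's code; all names are hypothetical.
// accounts: Map<accountId, { status: 'active' | 'disabled' | 'suspended' }>
function createStreamingServer(accounts) {
  const sessions = new Map(); // accountId -> Set<session>
  function isActive(accountId) {
    const acct = accounts.get(accountId);
    return acct !== undefined && acct.status === 'active';
  }
  // Connect-time gate: a disabled or suspended account cannot (re)connect.
  function connect(accountId) {
    if (!isActive(accountId)) return null;
    const session = { accountId, open: true, received: [] };
    if (!sessions.has(accountId)) sessions.set(accountId, new Set());
    sessions.get(accountId).add(session);
    return session;
  }
  // Vulnerable pattern: the account is marked disabled/suspended, but
  // sessions opened while it was still active are left untouched.
  function setStatusOnly(accountId, status) {
    const acct = accounts.get(accountId);
    if (acct) acct.status = status;
  }
  // Fix 1: a change to a non-active status revokes every open session.
  function setStatusAndRevoke(accountId, status) {
    setStatusOnly(accountId, status);
    if (status === 'active') return;
    for (const s of sessions.get(accountId) ?? []) s.open = false;
    sessions.delete(accountId);
  }
  // Fix 2 (defence in depth): re-check the account on every delivery so a
  // stale session is closed even if revocation was missed. Returns how
  // many sessions received the payload.
  function deliver(accountId, payload, { recheck = true } = {}) {
    const stale = recheck && !isActive(accountId);
    let delivered = 0;
    for (const s of sessions.get(accountId) ?? []) {
      if (!s.open) continue;
      if (stale) { s.open = false; continue; }
      s.received.push(payload);
      delivered += 1;
    }
    if (stale) sessions.delete(accountId);
    return delivered;
  }
  return { connect, setStatusOnly, setStatusAndRevoke, deliver };
}
```

With `recheck: false` and `setStatusOnly`, a session opened before suspension keeps receiving payloads, which is the behaviour the advisory describes; either fix on its own stops the delivery.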


How to mitigate CVE-2025-62175

Install the security update from the vendor's website.

Sources