CVE-2025-67500
LOWDescription
Mastodon is a free, open-source social network server based on ActivityPub. Versions 4.2.27 and prior, 4.3.0-beta.1 through 4.3.14, 4.4.0-beta.1 through 4.4.9, 4.5.0-beta.1 through 4.5.2 have discrepancies in error handling which allow checking whether a given status exists by sending a request with a non-English Accept-Language header. Using this behavior, an attacker who knows the identifier of a particular status they are not allowed to see can confirm whether this status exists or not. This cannot be used to learn the contents of the status or any other property besides its existence. This issue is fixed in versions 4.2.28, 4.3.15, 4.4.10 and 4.5.3.
CVSS v3.1 Score
Weakness Type (CWE)
Affected Products
| Vendor | Product |
|---|---|
| joinmastodon | mastodon |
| joinmastodon | mastodon |
| joinmastodon | mastodon |
| joinmastodon | mastodon |
References
Frequently Asked Questions
What is CVE-2025-67500? +
How severe is CVE-2025-67500? +
What products are affected by CVE-2025-67500? +
How do I check if I'm vulnerable to CVE-2025-67500? +
Related Vulnerabilities
User enumeration in the password reset module of the MeetMe authentication service in versions prior to 2024-09 allows an attacker …
Cosmos provides users the ability self-host a home server by acting as a secure gateway to your application, as well …
Tibbo AggreGate Network Manager < 6.40.05 contains an observable response discrepancy in its login functionality. Authentication failure messages differ based …
IntelliChoice eFORCE Software Suite 2.5.9 contains a username enumeration vulnerability that allows attackers to enumerate valid users by exploiting the …
vantage6 is an open-source infrastructure for privacy preserving analysis. Versions prior to 5.0.0 provide an initial user with username `root` …
Observable Response Discrepancy vulnerability in Erlang OTP ssh (ssh_sftpd module) allows an authenticated SFTP user to enumerate the existence of …