BIT-mastodon-2025-62174

See a problem?

Import Source

https://github.com/bitnami/vulndb/tree/main/data/mastodon/BIT-mastodon-2025-62174.json

JSON Data

https://api.osv.dev/v1/vulns/BIT-mastodon-2025-62174

Aliases

CVE-2025-62174
GHSA-f3q3-rmf7-9655

Published

2025-10-15T08:44:02.890Z

Modified

2026-01-08T18:23:34.605114Z

Summary

Mastodon allows continued access after password reset via CLI

Details

Mastodon is a free, open-source social network server based on ActivityPub. In Mastodon before 4.4.6, 4.3.14, and 4.2.27, when an administrator resets a user account's password via the command-line interface using bin/tootctl accounts modify --reset-password, active sessions and access tokens for that account are not revoked. This allows an attacker with access to a previously compromised session or token to continue using the account after the password has been reset. This issue has been patched in versions 4.2.27, 4.3.14, and 4.4.6. No known workarounds exist.

Database specific

{
    "cpes": [
        "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*"
    ],
    "severity": "Low"
}

References

Affected packages

Bitnami / mastodon

Package

Name: mastodon
Purl: pkg:bitnami/mastodon

Severity

3.5 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N CVSS Calculator

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.2.27

Introduced

4.3.0

Fixed

4.3.14

Introduced

4.4.0

Fixed

4.4.6

Database specific

source

"https://github.com/bitnami/vulndb/tree/main/data/mastodon/BIT-mastodon-2025-62174.json"