CVE-2025-67500
- Source
- https://cve.org/CVERecord?id=CVE-2025-67500
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-67500.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-67500
- Aliases
-
- BIT-mastodon-2025-67500
- GHSA-gwhw-gcjx-72v8
- Published
- 2025-12-09T23:44:04.501Z
- Modified
- 2026-03-13T03:42:34.897565Z
- Severity
-
- 3.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
- Summary
- Mastodon Error Handling Discrepancy Enables Private Status Existence Enumeration
- Details
-
Mastodon is a free, open-source social network server based on ActivityPub. Versions 4.2.27 and prior, 4.3.0-beta.1 through 4.3.14, 4.4.0-beta.1 through 4.4.9, 4.5.0-beta.1 through 4.5.2 have discrepancies in error handling which allow checking whether a given status exists by sending a request with a non-English Accept-Language header. Using this behavior, an attacker who knows the identifier of a particular status they are not allowed to see can confirm whether this status exists or not. This cannot be used to learn the contents of the status or any other property besides its existence. This issue is fixed in versions 4.2.28, 4.3.15, 4.4.10 and 4.5.3.
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/67xxx/CVE-2025-67500.json", "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-204" ] }- References
-
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/67xxx/CVE-2025-67500.json
- https://github.com/mastodon/mastodon/pull/37077/commits/9957d3218cb33fea6a44bb285e2ba4795a059e4f
- https://github.com/mastodon/mastodon/security/advisories/GHSA-gwhw-gcjx-72v8
- https://nvd.nist.gov/vuln/detail/CVE-2025-67500
Affected packages
Git / github.com/mastodon/mastodon
Affected ranges
- Type
- GIT
- Repo
- https://github.com/mastodon/mastodon
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
- Database specific
{ "versions": [ { "introduced": "0" }, { "fixed": "4.2.28" } ] }
- Type
- GIT
- Repo
- https://github.com/mastodon/mastodon
- Events
- Database specific
{ "versions": [ { "introduced": "4.3.0-beta.1" }, { "fixed": "4.3.15" } ] }
Affected versions
v0.*
v0.1.0
v0.1.1
v0.1.2
v0.6
v0.7
v0.8
v0.9
v0.9.9
v1.*
v1.0
v1.1
v1.1.1
v1.1.2
v1.2
v1.2.1
v1.2.2
v1.3
v1.3.1
v1.3.2
v1.4.1
v1.4.2
v1.4.3
v1.4.4
v1.4.5
v1.4.6
v1.4.7
v1.4rc1
v1.4rc2
v1.4rc3
v1.4rc4
v1.4rc5
v1.4rc6
v1.5.0
v1.5.0rc1
v1.5.0rc2
v1.5.0rc3
v1.5.1
v1.6.0
v1.6.0rc1
v1.6.0rc2
v1.6.0rc3
v1.6.0rc4
v1.6.0rc5
v1.6.1
v2.*
v2.0.0
v2.0.0rc1
v2.0.0rc2
v2.0.0rc3
v2.0.0rc4
v2.1.0
v2.1.0rc1
v2.1.0rc2
v2.1.0rc3
v2.1.0rc4
v2.1.0rc5
v2.1.0rc6
v2.1.1
v2.1.2
v2.1.3
v2.2.0
v2.2.0rc1
v2.2.0rc2
v2.3.0
v2.3.0rc1
v2.3.0rc2
v2.3.0rc3
v2.3.1
v2.3.1rc1
v2.3.1rc2
v2.3.1rc3
v2.3.2
v2.3.2rc1
v2.3.2rc2
v2.3.2rc3
v2.3.2rc4
v2.3.2rc5
v2.4.0
v2.4.0rc1
v2.4.0rc2
v2.4.0rc3
v2.4.0rc4
v2.4.0rc5
v2.4.1
v2.4.1rc1
v2.4.1rc2
v2.4.1rc3
v2.4.1rc4
v2.4.2
v2.4.2rc1
v2.4.2rc2
v2.4.2rc3
v2.4.3
v2.4.3rc1
v2.4.3rc2
v2.4.3rc3
v2.5.0
v2.5.0rc1
v2.5.0rc2
v2.6.0
v2.6.0rc1
v2.6.0rc2
v2.6.0rc3
v2.6.0rc4
v2.6.1
v2.7.0
v2.7.0rc1
v2.7.0rc2
v2.7.0rc3
v2.7.1
v2.8.0
v2.8.0rc1
v2.8.0rc2
v2.8.0rc3
v2.8.1
v2.8.2
v2.9.0
v2.9.0rc1
v2.9.0rc2
v2.9.1
v2.9.2
v3.*
v3.0.0
v3.0.0rc1
v3.0.0rc2
v3.0.0rc3
v3.0.1
v3.1.0
v3.1.0rc1
v3.1.0rc2
v3.1.1
v3.1.2
v3.1.3
v3.1.4
v3.2.0
v3.2.0rc1
v3.2.0rc2
v3.3.0
v3.3.0rc1
v3.3.0rc2
v3.3.0rc3
v3.4.0
v3.4.0rc1
v3.4.0rc2
v3.4.1
v3.5.0
v3.5.0rc1
v3.5.0rc2
v3.5.0rc3
v3.5.1
v3.5.2
v3.5.3
v4.*
v4.0.0
v4.0.0rc1
v4.0.0rc2
v4.0.0rc3
v4.0.0rc4
v4.0.1
v4.0.2
v4.1.0
v4.1.0rc1
v4.1.0rc2
v4.1.0rc3
v4.2.0
v4.2.0-beta1
v4.2.0-beta2
v4.2.0-beta3
v4.2.0-rc1
v4.2.0-rc2
v4.2.1
v4.2.10
v4.2.11
v4.2.12
v4.2.13
v4.2.14
v4.2.15
v4.2.16
v4.2.17
v4.2.18
v4.2.19
v4.2.2
v4.2.20
v4.2.21
v4.2.22
v4.2.23
v4.2.24
v4.2.25
v4.2.26
v4.2.27
v4.2.3
v4.2.4
v4.2.5
v4.2.6
v4.2.7
v4.2.8
v4.2.9
v4.3.0
v4.3.0-beta.1
v4.3.0-beta.2
v4.3.0-rc.1
v4.3.1
v4.3.10
v4.3.11
v4.3.12
v4.3.13
v4.3.14
v4.3.2
v4.3.3
v4.3.4
v4.3.5
v4.3.6
v4.3.7
v4.3.8
v4.3.9
v4.4.0
v4.4.0-beta.1
v4.4.0-beta.2
v4.4.0-rc.1
v4.4.1
v4.4.2
v4.4.3
v4.4.4
v4.4.5
v4.4.6
v4.4.7
v4.4.8
v4.4.9
v4.5.0
v4.5.0-beta.1
v4.5.0-beta.2
v4.5.0-rc.1
v4.5.0-rc.2
v4.5.0-rc.3
v4.5.1
v4.5.2
Git / github.com/tootsuite/mastodon
Affected ranges
- Type
- GIT
- Repo
- https://github.com/tootsuite/mastodon
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixedIntroducedFixedIntroducedFixedIntroducedFixed
- Database specific
{ "versions": [ { "introduced": "0" }, { "fixed": "4.2.28" }, { "introduced": "4.3.0" }, { "fixed": "4.3.15" }, { "introduced": "4.4.0" }, { "fixed": "4.4.10" }, { "introduced": "4.5.0" }, { "fixed": "4.5.3" } ] }