CVE-2025-62174

Sažetak

Mastodon is a free, open-source social network server based on ActivityPub. In Mastodon before 4.4.6, 4.3.14, and 4.2.27, when an administrator resets a user account's password via the command-line interface using `bin/tootctl accounts modify --reset-password`, active sessions and access tokens for that account are not revoked. This allows an attacker with access to a previously compromised session or token to continue using the account after the password has been reset. This issue has been patched in versions 4.2.27, 4.3.14, and 4.4.6. No known workarounds exist.

Reference

https://github.com/mastodon/mastodon/commit/1631fb80e8029d2c5425a03a2297b93f7e225217
https://github.com/mastodon/mastodon/security/advisories/GHSA-f3q3-rmf7-9655

CVSS

Base:	3.5
Impact:	1.4
Exploitability:	2.1

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	LOW

Impact

Povjerljivost	Cjelovitost	Dostupnost
LOW	NONE	NONE

CVSS vektor

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

Zadnje važnije ažuriranje

13-10-2025 - 21:15

Objavljeno

13-10-2025 - 21:15