CVE-2025-62605

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-62605

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-62605.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2025-62605

Aliases

BIT-mastodon-2025-62605
GHSA-8h43-rcqj-wpc6

Published

2025-10-21T16:46:37Z

Modified

2025-11-02T19:54:52.240429Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N CVSS Calculator

Summary

Mastodon quotes control can be bypassed

Details

Mastodon is a free, open-source social network server based on ActivityPub. In Mastodon version 4.4, support for verifiable quote posts with quote controls was added, but it is possible for an attacker to bypass these controls in Mastodon versions prior to 4.4.8 and 4.5.0-beta.2. Mastodon internally treats reblogs as statuses. Since they were not special-treated, an attacker could reblog any post, then quote their reblog, technically quoting themselves, but having the quote feature a preview of the post they did not get authorization for with all of the affordances that would be otherwise denied by the quote controls. This issue has been patched in versions 4.4.8 and 4.5.0-beta.2.

Database specific

{
    "cwe_ids": [
        "CWE-754"
    ]
}

References

Affected packages

Git / github.com/mastodon/mastodon

Affected ranges

Type

GIT

Repo

https://github.com/mastodon/mastodon

Events

Introduced

12c0e58d9aa80db570fba5fa5146f3a640e99b42

Fixed

c2fb12d22d52872b5905822c3d05f65516fa7f1d

Database specific

{
    "versions": [
        {
            "introduced": "4.4.0-beta.1"
        },
        {
            "fixed": "4.4.8"
        }
    ]
}

Type

GIT

Repo

https://github.com/mastodon/mastodon

Events

Introduced

Last affected

5a8ab0a3e62a8825e28bb74c1760ba6488d20c97

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "= 4.5.0-beta.1"
        }
    ]
}

Affected versions

v0.*

v0.1.0

v0.1.1

v0.1.2

v0.6

v0.7

v0.8

v0.9

v0.9.9

v1.*

v1.0

v1.1

v1.1.1

v1.1.2

v1.2

v1.2.1

v1.2.2

v1.3

v1.3.1

v1.3.2

v1.4.1

v1.4.2

v1.4.3

v1.4.4

v1.4.5

v1.4.6

v1.4.7

v1.4rc1

v1.4rc2

v1.4rc3

v1.4rc4

v1.4rc5

v1.4rc6

v1.5.0

v1.5.0rc1

v1.5.0rc2

v1.5.0rc3

v1.5.1

v1.6.0

v1.6.0rc1

v1.6.0rc2

v1.6.0rc3

v1.6.0rc4

v1.6.0rc5

v1.6.1

v2.*

v2.0.0

v2.0.0rc1

v2.0.0rc2

v2.0.0rc3

v2.0.0rc4

v2.1.0

v2.1.0rc1

v2.1.0rc2

v2.1.0rc3

v2.1.0rc4

v2.1.0rc5

v2.1.0rc6

v2.1.1

v2.1.2

v2.1.3

v2.2.0

v2.2.0rc1

v2.2.0rc2

v2.3.0

v2.3.0rc1

v2.3.0rc2

v2.3.0rc3

v2.3.1

v2.3.1rc1

v2.3.1rc2

v2.3.1rc3

v2.3.2

v2.3.2rc1

v2.3.2rc2

v2.3.2rc3

v2.3.2rc4

v2.3.2rc5

v2.4.0

v2.4.0rc1

v2.4.0rc2

v2.4.0rc3

v2.4.0rc4

v2.4.0rc5

v2.4.1

v2.4.1rc1

v2.4.1rc2

v2.4.1rc3

v2.4.1rc4

v2.4.2

v2.4.2rc1

v2.4.2rc2

v2.4.2rc3

v2.4.3

v2.4.3rc1

v2.4.3rc2

v2.4.3rc3

v2.5.0

v2.5.0rc1

v2.5.0rc2

v2.6.0

v2.6.0rc1

v2.6.0rc2

v2.6.0rc3

v2.6.0rc4

v2.6.1

v2.7.0

v2.7.0rc1

v2.7.0rc2

v2.7.0rc3

v2.7.1

v2.8.0

v2.8.0rc1

v2.8.0rc2

v2.8.0rc3

v2.8.1

v2.8.2

v2.9.0

v2.9.0rc1

v2.9.0rc2

v2.9.1

v2.9.2

v3.*

v3.0.0

v3.0.0rc1

v3.0.0rc2

v3.0.0rc3

v3.0.1

v3.1.0

v3.1.0rc1

v3.1.0rc2

v3.1.1

v3.1.2

v3.1.3

v3.1.4

v3.2.0

v3.2.0rc1

v3.2.0rc2

v3.3.0

v3.3.0rc1

v3.3.0rc2

v3.3.0rc3

v3.4.0

v3.4.0rc1

v3.4.0rc2

v3.4.1

v3.5.0

v3.5.0rc1

v3.5.0rc2

v3.5.0rc3

v3.5.1

v3.5.2

v3.5.3

v4.*

v4.0.0

v4.0.0rc1

v4.0.0rc2

v4.0.0rc3

v4.0.0rc4

v4.0.1

v4.0.2

v4.1.0

v4.1.0rc1

v4.1.0rc2

v4.1.0rc3

v4.2.0

v4.2.0-beta1

v4.2.0-beta2

v4.2.0-beta3

v4.2.0-rc1

v4.2.0-rc2

v4.3.0-beta.1

v4.3.0-beta.2

v4.3.0-rc.1

v4.4.0

v4.4.0-beta.1

v4.4.0-beta.2

v4.4.0-rc.1

v4.4.1

v4.4.2

v4.4.3

v4.4.4

v4.4.5

v4.4.6

v4.4.7

v4.5.0-beta.1