CVE-2025-27399: Mastodon's domain blocks & rationales ignore user approval when visibility set as "users"

5.3 CVSS

Description

Mastodon is a self-hosted, federated microblogging platform. In versions prior to 4.1.23, 4.2.16, and 4.3.4, when the visibility for domain blocks/reasons is set to "users" (localized English string: "To logged-in users"), users whose accounts are not yet approved can still view the block reasons. Instance admins who do not want their domain blocks to be public are impacted. Versions 4.1.23, 4.2.16, and 4.3.4 fix the issue.

Classification

CVE ID: CVE-2025-27399

CVSS Base Severity: MEDIUM

CVSS Base Score: 5.3

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Problem Types

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CWE-285: Improper Authorization

Affected Products

Vendor: mastodon

Product: mastodon

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (estimated probability of exploitation in the wild)

EPSS Percentile: 11.66% (share of scored CVEs with an equal or lower EPSS score)

EPSS Date: 2025-03-28 (date the score was calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-27399
https://github.com/mastodon/mastodon/security/advisories/GHSA-94h4-fj37-c825
https://github.com/mastodon/mastodon/commit/6b519cfefa93a923b19d0f20c292c7185f8fd5f5
https://github.com/mastodon/mastodon/blob/93f0427b8a84faf68d5d02cdf9a26f98fae16f2b/app/controllers/api/v1/instances/domain_blocks_controller.rb#L33-L35
https://github.com/mastodon/mastodon/blob/93f0427b8a84faf68d5d02cdf9a26f98fae16f2b/app/controllers/api/v1/instances/domain_blocks_controller.rb#L49-L51

Timeline